DCG: A Client-side Protection Method for DNS Cache

Yan Zhao, Ning Hu+, Chi Zhang, and Xinda Cheng

 

Guangzhou University, Guangzhou, 510006 China

{2111906107, huning, 2111906100, 2111906003}@e.gzhu.edu.cn

 

Abstract

The domain name system (DNS) provides resolution services between domain names and IP addresses for internet applications and is the backbone of the modern internet. Because the security of the domain name system is critical to the internet, a large number of solutions have emerged. Unfortunately, most of this work focuses on server-side protection, and few solutions address client protection. Because server-side solutions cannot guarantee that the client uses a trusted domain name, this paper proposes a client-side protection method for the domain name system cache. Our solution monitors the local domain name system cache in real time and asynchronously verifies the authenticity of each name resolution result through a trusted third party. Experimental results show that our method can resist domain name poisoning attacks against clients. Our solution is also fully compatible with the existing domain name system and has good incremental deployment capabilities.

 

Keywords: DNS Security, DNS spoofing, Cache Verification

 

+: Corresponding author: Ning Hu
Cyberspace Institute of Advanced Technology, Guangzhou University, 230 Wai Huan Xi Road, Guangzhou Higher Education Mega Center, Guangzhou, 510006, China, email: huning@e.gzhu.edu.cn.

 

Journal of Internet Services and Information Security (JISIS), 10(2): 109-127, May 2020

DOI: 10.22667/JISIS.2020.05.31.109