DNS Poisoning of Operating System Caches: Attacks and Mitigations

Fatemah Mordhi Alharbi, Yuchen Zhou, Feng Qian, Zhiyun Qian, Nael Abu Ghazaleh

Research output: Contribution to journalArticlepeer-review

Abstract

The Domain Name System (DNS) is a protocol supporting name resolution from Fully Qualified Domain Names (FQDNs) to the IP address of the machines corresponding to them. This resolution process is critical to the operation of the Internet, but is susceptible to a range of attacks. One of the most dangerous attack vectors is DNS poisoning where an attacker injects malicious entries into the DNS resolution forcing clients to be redirected from legitimate to malicious servers. Typically, poisoning attacks target a DNS resolver allowing attackers to poison a DNS entry for all machines that use the compromised resolver. However, recent defenses protect resolvers substantially limiting these attacks. In this paper, we present a new class of DNS poisoning attacks targeting the client-side DNS cache, which is used in mainstream operating systems, circumventing defenses protecting resolvers. We implemented the attack on Windows, Mac OS, and Ubuntu Linux machines. We also generalize the attack to work even when the client is behind a Network Address Translation (NAT) router. Our results show that we can reliably inject malicious DNS mappings, with on average, an order of tens of seconds. We also propose client-side mitigations and demonstrate that they can effectively mitigate the vulnerability.

Original languageEnglish (US)
JournalIEEE Transactions on Dependable and Secure Computing
DOIs
StateAccepted/In press - 2022

Bibliographical note

Publisher Copyright:
IEEE

Keywords

  • Cache Poisoning
  • Computer crime
  • DNS
  • Internet
  • Linux
  • Mac
  • Microsoft Windows
  • NAT
  • Network security
  • Operating systems
  • Protocols
  • Servers
  • Toxicology
  • Ubuntu Linux

Fingerprint

Dive into the research topics of 'DNS Poisoning of Operating System Caches: Attacks and Mitigations'. Together they form a unique fingerprint.

Cite this