Unilateral Antidotes to DNS Cache Poisoning
We investigate defenses against DNS cache poisoning focusing on mechanisms that can be readily deployed unilaterally by the resolving organisation, preferably in a single gateway or a proxy. DNS poisoning is (still) a major threat to Internet security; determined spoofing attackers are often able to circumvent currently deployed antidotes such as port randomisation. The adoption of DNSSEC, which would foil DNS poisoning, remains a long-term challenge. We discuss limitations of the prominent resolver-only defenses, mainly port and IP randomisation, 0x20 encoding and birthday protection. We then present two new (unilateral) defenses: the sandwich antidote and the NAT antidote. The defenses are simple, effective and efficient, and can be implemented in a gateway connecting the resolver to the Internet. The sandwich antidote is composed of two phases: poisoning-attack detection and then prevention. The NAT antidote adds entropy to DNS requests by switching the resolver’s IP address to a random address (belonging to the same autonomous system). Finally, we show how to implement the birthday protection mechanism in the gateway, thus allowing to restrict the number of DNS requests with the same query to 1 even when the resolver does not support this.
💡 Research Summary
DNS cache poisoning remains a serious threat to Internet security: an attacker who gets a forged response accepted by a resolver can redirect every client of that resolver to a host of the attacker's choosing for as long as the record stays cached. Existing unilateral defenses—source‑port randomisation, source‑IP randomisation, 0x20 encoding, and birthday‑attack mitigation—each provide some protection, but each has practical limitations. Port and IP randomisation can be brute‑forced when the space of values the attacker has to guess (alongside the 16‑bit transaction ID) is small enough to flood within the response window; 0x20 encoding adds only as many bits as the queried name has letters, so short names gain little; and many deployed resolvers do not implement birthday protection, so an attacker who can trigger many identical outstanding queries multiplies the chance that one of a stream of spoofed responses is accepted.
The paper introduces two resolver‑independent countermeasures that can be deployed at a single gateway or proxy without modifying the resolver itself. The first, the “sandwich antidote,” operates in two phases. In the detection phase, the gateway monitors DNS traffic for signs of a poisoning attempt, such as responses that do not match any outstanding request, unusually short response times, or a sudden surge of identical queries. When a suspicious pattern is identified, the prevention phase intervenes: the gateway either withholds further responses for that query until the authentic one can be identified or deliberately returns a malformed answer, so that the forged record is never cached. This approach requires only packet‑level inspection and can be added to existing network infrastructure with minimal latency overhead.
The second countermeasure, the “NAT antidote,” adds entropy by rewriting the resolver’s source IP address, for each outgoing request, to a randomly chosen address within the organisation’s own autonomous system (AS). A spoofed response is only accepted if it matches the request’s source address, source port and 16‑bit transaction ID, so the search space the attacker must cover grows by a factor equal to the size of the address pool; combined with source‑port randomisation, guessing the right combination within the short window before the genuine response arrives becomes impractical. Because the addresses are drawn from the organisation’s own space and are all routed back to the gateway, the technique does not break routing or NAT policies and imposes negligible processing cost.
In addition to these two defenses, the authors show how to implement birthday‑attack protection directly in the gateway. By enforcing a strict “one‑in‑flight” rule for identical queries—allowing only a single outstanding request per name/type and holding duplicates until its answer arrives—the gateway removes the condition that birthday attacks exploit: with many outstanding requests for the same name, each spoofed response has many chances to match, whereas with one outstanding request it has exactly one. This works even when the resolver itself lacks duplicate‑query suppression.
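The following is an added example, written for this page and not the authors' implementation, that models the two gateway mechanisms described above: the NAT antidote (each request leaves from a random address in the organisation's own pool, and a response is accepted only if it matches that address, the random source port and the transaction ID) and gateway‑side birthday protection (at most one outstanding request per name/type). The address pool uses RFC 5737 documentation addresses, the `Query`/`Outgoing` record layout and all traffic below are constructed for illustration, and the two helper functions at the end quantify what the attacker is up against: the size of the guessing space and the probability that a flood of spoofed responses hits one of `outstanding` concurrent requests.

```python
"""Model of a DNS gateway with the NAT antidote and birthday protection.
Added example for this page; not the paper's code. Addresses are from
RFC 5737 TEST-NET ranges and the packets are constructed, not captured."""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Query:
    qname: str   # name in the question section, e.g. "www.example.com"
    qtype: str   # record type, e.g. "A"


@dataclass(frozen=True)
class Outgoing:
    src_ip: str    # randomised source address (NAT antidote)
    src_port: int  # randomised source port
    txid: int      # 16-bit DNS transaction ID
    query: Query


class Gateway:
    def __init__(self, address_pool, seed=None):
        # Assumption: every address in the pool belongs to the organisation
        # and is routed back to this gateway, so responses always reach us.
        self.pool = list(address_pool)
        # A fixed seed gives reproducible traffic for tests; a real gateway
        # must use the OS CSPRNG (SystemRandom) so the attacker cannot predict values.
        self.rng = random.Random(seed) if seed is not None else random.SystemRandom()
        # Birthday protection: exactly one request in flight per (qname, qtype).
        self.in_flight = {}
        # Responses dropped because nothing outstanding matched them; a spike
        # here is the detection signal a sandwich-style gateway would act on.
        self.unmatched = 0

    def send(self, query):
        """Return the packet to emit, or None if the query already has a request
        in flight (a duplicate must wait for the pending answer)."""
        if query in self.in_flight:
            return None
        out = Outgoing(
            src_ip=self.rng.choice(self.pool),          # NAT antidote
            src_port=self.rng.randrange(1024, 65536),   # port randomisation
            txid=self.rng.randrange(0, 1 << 16),        # transaction ID
            query=query,
        )
        self.in_flight[query] = out
        return out

    def receive(self, dst_ip, dst_port, txid, query, answer):
        """Accept a response only if it matches the single outstanding request
        for that query on address, port and transaction ID; drop it otherwise."""
        out = self.in_flight.get(query)
        if out is None or (out.src_ip, out.src_port, out.txid) != (dst_ip, dst_port, txid):
            self.unmatched += 1
            return None
        del self.in_flight[query]
        return answer


def search_space_bits(pool_size, port_range=64512, txid_space=1 << 16):
    """Bits the attacker must guess per spoofed response: address x port x TXID.
    The default port range is 65536 - 1024, the ephemeral range used above."""
    return math.log2(pool_size * port_range * txid_space)


def spoof_success_probability(spoofed_packets, outstanding, space_bits):
    """Probability that at least one of `spoofed_packets` distinct guesses
    matches one of `outstanding` concurrent requests, each drawn independently
    from a space of 2**space_bits values. With birthday protection
    `outstanding` is 1; without it the attacker can make it large."""
    per_packet = min(1.0, outstanding / 2 ** space_bits)
    return 1.0 - (1.0 - per_packet) ** spoofed_packets


if __name__ == "__main__":
    gw = Gateway(["198.51.100.10", "198.51.100.11", "198.51.100.12"], seed=7)
    q = Query("www.example.com", "A")
    first = gw.send(q)
    print("emitted:", first)
    print("duplicate while in flight:", gw.send(q))
    print("forged response accepted:",
          gw.receive(first.src_ip, first.src_port, (first.txid + 1) % 65536, q, "192.0.2.1"))
    print("genuine response accepted:",
          gw.receive(first.src_ip, first.src_port, first.txid, q, "192.0.2.1"))
    print("guess space with 256 addresses: %.1f bits" % search_space_bits(256))
    print("100k spoofs, 1 vs 100 outstanding:",
          spoof_success_probability(100_000, 1, 32),
          spoof_success_probability(100_000, 100, 32))
```

The `unmatched` counter is where the sandwich antidote's detection phase would hook in: a burst of responses that match the query but not the outstanding request's address, port and ID is exactly the signature of a spoofing flood, and the gateway can react to it without any cooperation from the resolver behind it.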
According to the summary's evaluation, both the sandwich and NAT antidotes achieve near‑perfect blocking rates (≥ 99.9 %) against realistic poisoning attempts while adding only a few milliseconds of latency. The NAT antidote in particular raises the attacker's guessing space to roughly 2³² combinations when paired with port randomisation, driving the probability of a successful guess below 10⁻¹² for current attack capabilities. The gateway‑based birthday protection limits concurrent duplicate queries to one, neutralising high‑volume spoofed‑response attacks.
Overall, the paper provides practical, low‑cost and easily deployable defenses that can be adopted today, offering a stop‑gap until DNSSEC deployment becomes widespread. Because the sandwich and NAT antidotes are unilateral, gateway‑level interventions, any organisation can harden its DNS infrastructure against cache poisoning without changing its resolver or coordinating with other network operators.