
A Dependable Mechanism against DNS Cache Poisoning

Advisor: 孫宏民

Abstract


DNS cache poisoning attacks have been known for a long time. In 2008, Kaminsky made the attack far more powerful with a method based on nonce queries. With Kaminsky's attack, large-scale phishing becomes possible even if users pay attention to the target domain names. DNS cache poisoning is therefore a serious threat to the current DNS infrastructure. In this thesis, we propose a countermeasure, DepenDNS, to prevent cache poisoning attacks. DepenDNS queries multiple resolvers concurrently to verify a trustworthy answer while users perform payment transactions, e.g., auctions and banking. Because it requires no modification to any resolver or authoritative server, DepenDNS is conveniently deployed on the client side. At the end of the thesis, we conduct several experiments on DepenDNS to show its efficiency. We believe DepenDNS is a comprehensive solution against cache poisoning attacks.

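Parallel Abstract


The Domain Name System (DNS) translates between domain names and network addresses. In today's networks, the vast majority of network applications use DNS to look up the network address of a server. However, DNS has long been exposed to the threat of cache poisoning, which causes specific domain names to be translated incorrectly and exposes users to phishing. In 2008, Kaminsky discovered a more serious DNS vulnerability that greatly shortens the time this kind of attack requires, sharply increasing the threat of DNS cache poisoning. In this thesis, we query multiple DNS resolvers simultaneously and use a verification mechanism to select a set of trustworthy network addresses, protecting users from the threat of DNS cache poisoning. In addition, this method is implemented on the client side and requires no modification to any resolver or authoritative server.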
