網域名稱系統負責將網域名稱轉換成網路位址,在現今的網路中大部分電腦的聯繫都需要透過網域名稱系統。而快取毒害攻擊會將伺服器快取之紀錄竄改,使對應到的網域名稱連接到攻擊者所架設之網站。在沒有使用密碼學的情況下,目前的研究大部份都只能於提高攻擊者的攻擊難度而無法完全預防。部份的研究中透過同時查詢多解析器來選出足以信任的網路位址集合,但是這類型的研究無法像一般提高複雜度的研究般的算出安全強度。在這篇論文中我們提出了一個針對多解析器的網域名稱伺服器快取毒害攻擊的機率模型,並且考慮到了攻擊者的能力。此外我們利用了我們的機率模型來改進以及增強基於多解析器之研究的安全性。
Domain name system (DNS) is one of the core services on the Internet. For DNS, the most famous attack is DNS cache poisoning attack. Via cache poisoning, records in DNS cache could be tampered by an adversary. If a client query the compromised DNS server, he would connect to a malicious host located with an incorrect IP address. To prevent DNS cache poisoning, various approaches have been proposed to enhance DNS security. Without using cryptographic techniques, they can only raise the entropy rather than preventing from DNS cache poisoning. Several works raise the strength of security by querying multiple resolvers; returned results are used to verify the credibility of the IP addresses they connect with. However, the security is still not easy to evaluate as similar as conventional cryptographic approaches, e.g., DNSSEC. In this thesis, we propose a probabilistic model to evaluate the successful probability of cache poisoning under reasonable setting, e.g., ability of adversary or multiple resolvers architecture. Based on analyzed results we utilize our model to improve and promote the security of the approaches based on multiple resolvers.