| Domain name system is a core part of Internet. It provides the service of mapping domain names to IPs so as to make the internet experience more convenient. Whereas security problem was not fully considered when the protocol was designed, DNS has become a significant part of Internet security issues during the past decade, and is much vulnerable to hackers under cache poisoning attack. Considering the significance of DNS for Internet and the seriousness of safety situation, it is meaningful for us to research and find new solutions to DNS cache poisoning attack.The paper firstly reviews foundational knowledge about DNS, represents the process of normal recursive resolution, the process of cache poisoning and the process of kaminsky attack. Then it represents how to defend the attack with current solutions and DNSSEC which is a good solution but not widely-supported. The paper proposes two methods, one is to make resolutions twice to confim the authenticity of the response, and the other is to restrict the number of responses matching to reduce the fake matching probability, and we make comparations within the three situations, that is, the normal one without defence system, the one with twice resolutions and the one with restricted response matching count. We choze the latter to realize for it takes a balanced position between performance and cost. At last we did experiments to validate the defense system.The achievement of the paper is to propose the idea of early warning the possibility of cache poisioning and two new defense solutions, and realize the defense system with one of the solutions, and at last validate the effectivity of the system. |
PDF Full Text Request