Abstract by Alden Hilton
DNS Cache Protection by Network Ingress Filtering
A common best practice for DNS resolvers is to make them available only to a specific set of Internet clients. If DNS resolvers were open to queries by unaffiliated parties, they would be vulnerable to activities such as cache poisoning, denial-of-service, and cache introspection. In this study, we consider this exact case, in which arbitrary third parties have access to a resolver. In particular, we consider a resolver that was thought to be restricted but is in fact accessible to arbitrary third parties. Because non-public DNS resolvers typically allow queries only from designated IP addresses, our methodology involves 1) guessing the designated IP addresses and 2) spoofing these addresses in the DNS queries issued to the resolver. Our hypothesis is that our queries will successfully reach the DNS resolver we are targeting if we spoof addresses in close proximity to the resolver itself. From this we can present evidence that the problem exists, quantify its pervasiveness, and make suggestions to guard against its exploitation.