Abstract by Alden Hilton
DNS Cache Protection by Network Ingress Filtering
A common best practice for DNS resolvers is to make them available only to a specific set of Internet clients. For example, Internet Service Providers (ISPs) that offer DNS resolution services generally make them available only to their customers. Similarly, corporate and government institutions that deploy DNS resolvers only allow Internet clients from within their own networks to query their DNS resolvers. The requirement to be explicitly allowed to query DNS resolvers is in place for the resolvers' own security. In this study, we consider the alternative case, in which arbitrary third parties have access to a resolver. In particular, we consider a resolver that was thought to be restricted but is in fact accessible to arbitrary third parties. We have found that a significant number of resolvers, thought not to be open to the public, can indeed be accessed by spoofing the source address of DNS queries. We also find that many of these resolvers are not using best practices, such as source port randomization, making a cache poisoning attack trivial to execute.
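The abstract names source port randomization as the best practice whose absence makes cache poisoning trivial. As an added illustration, and not part of the abstract or of the study's own tooling, the following Python script shows how an operator can audit their own resolver's outbound queries for that property: it parses a constructed log of observed queries (hypothetical log format, RFC 5737 TEST-NET addresses, made-up port and transaction ID values), computes the empirical entropy of the UDP source ports and DNS transaction IDs per resolver, and flags resolvers whose ports are fixed or sequential rather than randomized.

```python
import math
import re
from collections import defaultdict

# Constructed sample of outbound-query observations, one per line. The log
# format, resolver addresses, ports and transaction IDs are all made up for
# this example; none of it is data from the study.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z resolver=192.0.2.10 sport=53 txid=0x1a2b
2024-05-01T10:00:02Z resolver=192.0.2.10 sport=53 txid=0x7c3d
2024-05-01T10:00:03Z resolver=192.0.2.10 sport=53 txid=0x0e4f
2024-05-01T10:00:04Z resolver=192.0.2.10 sport=53 txid=0x9a01
2024-05-01T10:00:01Z resolver=192.0.2.20 sport=41237 txid=0x4a11
2024-05-01T10:00:02Z resolver=192.0.2.20 sport=58804 txid=0xb2c3
2024-05-01T10:00:03Z resolver=192.0.2.20 sport=33019 txid=0x2d5e
2024-05-01T10:00:04Z resolver=192.0.2.20 sport=61442 txid=0x77f0
2024-05-01T10:00:01Z resolver=192.0.2.30 sport=1025 txid=0x0001
2024-05-01T10:00:02Z resolver=192.0.2.30 sport=1026 txid=0x0002
2024-05-01T10:00:03Z resolver=192.0.2.30 sport=1027 txid=0x0003
2024-05-01T10:00:04Z resolver=192.0.2.30 sport=1028 txid=0x0004
"""

LINE_RE = re.compile(r"resolver=(\S+)\s+sport=(\d+)\s+txid=0x([0-9a-fA-F]+)")


def parse_records(text):
    """Yield (resolver, source_port, txid) in observation order; skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), int(m.group(2)), int(m.group(3), 16)


def shannon_bits(values):
    """Shannon entropy, in bits, of the empirical distribution of the observed values."""
    n = len(values)
    counts = defaultdict(int)
    for v in values:
        counts[v] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify_ports(ports):
    """Label a resolver's source-port behaviour from its ordered port sequence."""
    if len(set(ports)) == 1:
        return "fixed"            # every query leaves from the same port
    deltas = [b - a for a, b in zip(ports, ports[1:])]
    if deltas and all(d == 1 for d in deltas):
        return "sequential"       # incrementing ports are as predictable as a fixed one
    if len(set(ports)) >= 0.8 * len(ports):
        return "randomized"       # high port diversity across the sample
    return "low-diversity"


def audit(text):
    """Return {resolver: summary} with port/txid entropy and a verdict per resolver."""
    by_resolver = defaultdict(lambda: {"ports": [], "txids": []})
    for resolver, sport, txid in parse_records(text):
        by_resolver[resolver]["ports"].append(sport)
        by_resolver[resolver]["txids"].append(txid)
    report = {}
    for resolver, obs in by_resolver.items():
        ports = obs["ports"]
        report[resolver] = {
            "queries": len(ports),
            "unique_ports": len(set(ports)),
            "port_entropy_bits": round(shannon_bits(ports), 3),
            "txid_entropy_bits": round(shannon_bits(obs["txids"]), 3),
            "verdict": classify_ports(ports),
        }
    return report


if __name__ == "__main__":
    for resolver, summary in sorted(audit(SAMPLE_LOG).items()):
        print(f"{resolver}: {summary}")
```

With only four observations per resolver the entropy ceiling is 2 bits, so in practice the script should be fed hundreds of queries per resolver; the verdict logic is what matters, and a resolver reported as "fixed" or "sequential" is one whose responses an off-path party need only guess the 16-bit transaction ID to forge, which is exactly the condition the abstract describes.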