Abstract—Several attacks on DNS inject forged DNS replies without suppressing the legitimate replies. Current implementations of DNS resolvers are vulnerable to accepting the injected replies if the attacker’s reply arrives before the legitimate one. In the case of regular DNS, this behavior allows an attacker to corrupt a victim’s interpretation of a name; for DNSSECprotected names, it enables denial-of-service. We argue that the resolver should wait after receiving an initial reply for a “Hold-On ” period to allow a subsequent legitimate reply to also arrive. We evaluate the feasibility of such an approach and discuss our implementation of a prototype stub resolver/forwarder that validates DNS replies using Hold-On. By validating the IP TTL and the timing of the replies, we show that the resolver can identify DNS packets injected by a nationstate censorship system, and that it functions without perceptible performance decrease for undisrupted lookups. I
To submit an update or takedown request for this paper, please submit an Update/Correction/Removal Request.