Solving the DNS Cache Poisoning Problem Without Changing the Protocol

In this paper we propose a solution to the DNS cache poisoning problem, which we called WSEC DNS (Wildcard Secure DNS). Our solution leverages existing properties of the DNS protocol and does not require any changes neither to the DNS protocol itself nor to the DNS resolution software run by nameservers. We propose to take advantage of the definition of wildcards given in RFC 1034 and RFC 4592, and of TXT resource records in order to increase the entropy of DNS queries to the point that cache poisoning attacks become infeasible. An important advantage of our approach is that DNS operators are not obligated to implement our solution, because WSEC DNS guarantees complete backword compatibility with current nameservers’ configurations. Nonetheless, recursive DNS servers that intend to take advantage of the benefits of WSEC DNS need to implement some new functionalities. On the other hand, collaborating DNS operators who want to protect their domain names against possible cache poisoning must be willing to make simple configuration changes to their Start of Authority (SOA) nameservers (i.e., edit their zone-files), according to the recommendations reported in this paper.