WSEC DNS: Protecting Recursive DNS Resolvers From Poisoning Attacks

Source: Georgia Institute of Technology

Recently, a new attack for poisoning the cache of Recursive DNS (RDNS) resolvers was discovered and revealed to the public. In response, major DNS vendors released a patch to their software. However, the released patch does not completely protect DNS servers from cache poisoning attacks in a number of practical scenarios. DNSSEC seems to offer a definitive solution to the vulnerabilities of the DNS protocol, but unfortunately DNSSEC has not yet been widely deployed. In this paper, the authors propose Wild-card SECure DNS (WSEC DNS), a novel solution to DNS cache poisoning attacks. WSEC DNS relies on existing properties of the DNS protocol and is based on wild-card domain names.
Format: PDF Size: 267.87
Date: Mar 2009