ISSN: 2182-2069 (printed) / ISSN: 2182-2077 (online)
DCG: A Client-side Protection Method for DNS Cache
The Domain Name System (DNS) provides resolution services between domain names and IP addresses for internet applications and is the backbone of the modern internet. Because the security of DNS is critical to the internet, a large number of solutions have emerged. Unfortunately, most of this work focuses on server-side protection, and few solutions address client protection. Because a server-side solution cannot guarantee that the client uses a trusted domain name, this paper proposes a client-side protection method for the DNS cache. Our solution monitors the local DNS cache in real time and asynchronously verifies the authenticity of each name resolution result through a trusted third party. Experimental results show that our method can resist domain name poisoning attacks against clients. Our solution is also fully compatible with the existing domain name system and has good incremental deployment capabilities.
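The verification flow described above, checking each cached answer asynchronously against a trusted third party, can be sketched as follows. This is an added example, not the paper's implementation; the cache snapshot, the `trusted_lookup` stub and the verdict names are constructed assumptions.

```python
import asyncio
from dataclasses import dataclass

# Constructed snapshot of a client DNS cache: (name, cached A-record address).
CACHE_SNAPSHOT = [
    ("www.example.com", "192.0.2.10"),
    ("mail.example.org", "203.0.113.66"),
    ("intranet.example.net", "198.51.100.7"),
]

# Constructed answers held by the stand-in trusted third party.
TRUSTED_ANSWERS = {
    "www.example.com": {"192.0.2.10", "192.0.2.11"},
    "mail.example.org": {"192.0.2.25"},
}

@dataclass(frozen=True)
class Verdict:
    name: str
    cached: str
    status: str  # "ok", "suspect" or "unverified"

async def trusted_lookup(name):
    """Hypothetical stand-in for a query to the trusted third party."""
    await asyncio.sleep(0)  # yield control, as a real network query would
    if name not in TRUSTED_ANSWERS:
        raise LookupError(name)  # models a timeout or a missing answer
    return TRUSTED_ANSWERS[name]

async def verify_entry(name, cached, lookup, timeout=2.0):
    try:
        trusted = await asyncio.wait_for(lookup(name), timeout)
    except (LookupError, asyncio.TimeoutError, OSError):
        # No trusted answer: never report "ok" on missing evidence.
        return Verdict(name, cached, "unverified")
    return Verdict(name, cached, "ok" if cached in trusted else "suspect")

async def verify_cache(snapshot, lookup=trusted_lookup):
    # Entries are checked concurrently, off the resolution path, so name
    # lookups are never blocked while verification is in flight.
    return await asyncio.gather(*(verify_entry(n, a, lookup) for n, a in snapshot))

def run_check(snapshot=CACHE_SNAPSHOT):
    return asyncio.run(verify_cache(snapshot))

if __name__ == "__main__":
    for v in run_check():
        print(f"{v.status:10} {v.name} -> {v.cached}")
```

A "suspect" verdict is a signal to re-resolve or evict the entry rather than proof of poisoning, since load-balanced names can legitimately return different addresses to different resolvers.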