Abstract

Existing mechanisms in the domain name system (DNS) cannot verify the source of DNS requests and responses, so an attacker can forge data to deceive the DNS. To address this problem, this study analyzes this hidden danger in the DNS and develops a security component called a "transparent proxy", which verifies and filters DNS requests and responses and can be deployed on the existing DNS without modifying the DNS itself. The proxy has two operating modes, a selective re-query mode and a security label query mode, and switches dynamically between them according to the security requirements and the current risk level. Simulations show that the proxy dramatically reduces the success probability of attacks on the DNS and improves system security, with an acceptable impact on mean query time and network throughput.
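The abstract does not give the proxy's internals, so the following is an added illustration, not the paper's code: a minimal model of the response-filtering stage such a transparent proxy could apply, plus one plausible reading of "selective re-query". The filter accepts a response only if it matches an outstanding query (transaction ID and source port, QR bit, question section, answer owner name), which is the basic check that defeats blindly forged responses. The re-query step is an assumption: above a risk threshold the proxy asks a second, independent resolver and keeps only the addresses both agree on. Wire-format helpers, the `pending` table shape, the `risk_level`/`threshold` parameters and all sample packets are constructed here.

```python
from __future__ import annotations
import struct

# DNS header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (RFC 1035, network byte order)
DNS_HEADER = struct.Struct("!HHHHHH")


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid: int, qname: str, qtype: int = 1) -> bytes:
    """Constructed sample query (flags 0x0100 = standard query, recursion desired)."""
    return DNS_HEADER.pack(txid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, 1)


def build_response(txid: int, qname: str, addrs: list[str], qtype: int = 1) -> bytes:
    """Constructed sample response carrying one A record per address (flags 0x8180 = QR, RD, RA)."""
    pkt = DNS_HEADER.pack(txid, 0x8180, 1, len(addrs), 0, 0)
    pkt += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for addr in addrs:
        rdata = bytes(int(octet) for octet in addr.split("."))
        # 0xC00C is a compression pointer to the question name at offset 12
        pkt += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return pkt


def decode_name(pkt: bytes, off: int) -> tuple[str, int]:
    """Decode a (possibly compressed) name; return it and the offset just past it."""
    labels, end, jumps = [], None, 0
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:              # compression pointer
            jumps += 1
            if jumps > 10:                      # refuse pointer loops in hostile input
                raise ValueError("too many compression pointers")
            if end is None:
                end = off + 2
            off = struct.unpack_from("!H", pkt, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(pkt: bytes) -> dict:
    """Extract the fields the filter needs: txid, QR bit, question, A-record answers."""
    txid, flags, _qd, an, _ns, _ar = DNS_HEADER.unpack_from(pkt, 0)
    off = DNS_HEADER.size
    qname, off = decode_name(pkt, off)
    qtype, _qclass = struct.unpack_from("!HH", pkt, off)
    off += 4
    answers = []
    for _ in range(an):
        name, off = decode_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ".".join(str(b) for b in rdata)))
    return {"txid": txid, "qr": bool(flags & 0x8000), "qname": qname, "qtype": qtype, "answers": answers}


def verify_response(pending: dict, src_port: int, pkt: bytes) -> tuple[bool, str]:
    """Filter stage (assumed design): accept only responses that match an outstanding query.

    `pending` maps (txid, client_src_port) -> (qname, qtype) for queries the proxy forwarded.
    """
    resp = parse_response(pkt)
    key = (resp["txid"], src_port)
    if key not in pending:
        return False, "no outstanding query with this transaction id and port"
    qname, qtype = pending[key]
    if not resp["qr"]:
        return False, "QR bit not set"
    if resp["qname"].lower() != qname.lower() or resp["qtype"] != qtype:
        return False, "question section does not match the forwarded query"
    for name, _addr in resp["answers"]:
        if name.lower() != qname.lower():
            return False, f"answer record for unrelated name {name}"
    return True, "ok"


def resolve_with_requery(first_pkt: bytes, requery, qname: str, risk_level: float, threshold: float = 0.5) -> list[str]:
    """Selective re-query (assumed semantics): below the threshold trust the first answer;
    above it, ask a second independent resolver via `requery(qname)` and keep the intersection."""
    first = {addr for _, addr in parse_response(first_pkt)["answers"]}
    if risk_level < threshold:
        return sorted(first)
    second = {addr for _, addr in parse_response(requery(qname))["answers"]}
    return sorted(first & second)
```

In a real deployment the `pending` table would be keyed on the query's 0x20-randomised name and the proxy's own randomised source port as well, and `requery` would send `build_query(...)` over UDP to a second upstream; both are omitted here so the block runs offline on the constructed packets.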

Full text