DNS spoofing, also known as DNS cache poison, means that an attacker sends plenty of fake DNS response packets to a DNS server or a host under certain conditions. The response packets are direct to legal domain names to malicious Internet Protocol (IP) addresses to spoof the receiver.
Such attacks may lead to at least the following consequences:
1. The DNS cache poison can propagate the malicious IP address in a wider scope.
2. The user is misled to a malicious website.
3. The Local Area Network (LAN) is manipulated as an attacking tool.
4. Denial of Service (DoS) attacks are launched to the DNS server.
Potential targets of the attacks are the DNS server, host, or user application such as a browser or a DNS query software, which are known as DNS clients.
Firewalls are generally used to prevent DNS spoofing. Conventional preventive measures are as follows:
(1) In a bidirectional communication environment, the firewall records the DNS request packets sent by a DNS client. After receiving a response packet, the firewall matches the DNS response packet with the records stored in the firewall. If a record is matched successfully, the firewall accepts the DNS response packet and forwards it to the DNS client; if no record is matched successfully, the firewall discards the DNS response packet to prevent receiving a fake DNS response packet sent by hackers.
(2) After receiving a DNS response packet, the firewall constructs a new DNS request packet according to the information in the response packet, and then sends the DNS request packet and records the data about the DNS request packet. After receiving the next DNS response packet, the firewall checks whether the DNS response packet matches the recorded DNS request packet. If the DNS response packet matches the recorded DNS request packet, the firewall accepts the DNS response packet and forwards it to the target DNS client; if the DNS response packet does not match the recorded DNS request packet, the firewall discards it.
In the process of researching and practicing the conventional art, the inventor of the present invention finds at least the following problems in the conventional art:
In the first preventive measure as discussed above, if many DNS request packets are received, the firewall has to store the DNS request packets, which will occupy a lot of memory resources of the firewall.
In the second preventive measure as discussed above, if many DNS response packets are received, the generated DNS request packets are enormous; the firewall has to store the data about the generated DNS request packets, which makes the system overloaded or even leads to DoS.