CircleID

Over the last couple of weeks I have spent some time working on a project to develop a DNS cache for Windows that is intended to be reasonably secure against spoof attacks, in particular in situations where NAT firewalls may prevent port randomization.

The program is evolving, but currently uses a couple of ideas to attempt to defeat spoof attacks.

(1) The program doesn't blindly accept the first response it receives to a DNS query. Instead it waits to see if another response arrives, with the length of the wait being determined by comparing the cache with the contents of the first response.

(2) Each cache entry has a "Confidence" value, which is intended to be a rough indication of whether the entry can be trusted. New entries in the cache typically require an extra DNS request, to obtain a suitable confidence level, however for typical ongoing refresh operations (due to expired TTL ), no extra work is required. I suspect that such refresh operations probably account for a substantial proportion of all DNS requests, so the extra traffic generated by this technique may in fact be relatively small.

The source code is intended to be entirely un-encumbered, that is free in all respects.

I would welcome any suggestions or comments on the aims of the project, the source code, the functionality of the program or other ideas.

The website for the project is located here.

Thanks in advance for your feedback.

By George Barwood

Related topics: DNS, Security