Pollution Resilience for DNS Resolvers

The DNS is a cornerstone of the Internet. Unfortunately, no matter how securely an organization provisions and guards its own DNS infrastructure, it is at the mercy of others´ provisioning when it comes to resolutions its resolvers perform on behalf of its clients - even one compromised DNS server in the Internet can mislead an organization´s clients to fake look-alike phishing Web sites or malware-serving sites, among other things. In this paper, we propose a self-defense mechanism where the DNS resolvers collect a small amount of additional information for the DNS responses they receive and maintain a history of previous responses to guard their clients against misleading information from compromised DNS servers in the Internet. Any organization can choose to enhance its resolvers with our mechanism unilaterally, unlike DNSSEC, which can ensure correctness of information only if the remote DNS server deploys it.