A wrinkle in time: a case study in DNS poisoning

Harel Berger, Amit Z. Dvir, Moti Geva

Research output: Contribution to journalArticlepeer-review

8 Scopus citations


The domain name system (DNS) provides a translation between readable domain names and IP addresses. The DNS is a key infrastructure component of the Internet and a prime target for a variety of attacks. One of the most significant threats to DNS’ well-being is a DNS poisoning attack in which the DNS responses are maliciously replaced, or poisoned, by an attacker. To identify this kind of attack, we start by an analysis of different kinds of response times. We present an analysis of typical and atypical response times, while differentiating between the different levels of DNS servers’ response times, from root servers down to internal caching servers. We successfully identify empirical DNS poisoning attacks based on a novel method for DNS response timing analysis. We then present a system we developed to validate our technique that does not require any changes to the DNS protocol or any existing network equipment. Our validation system tested data from different architectures including LAN and cloud environments and real data from an internet service provider. Our method and system differ from most other DNS poisoning detection methods and achieved high detection rates exceeding 98%. These findings suggest that when used in conjunction with other methods, they can considerably enhance the accuracy of these methods.

Original languageEnglish
Pages (from-to)313-329
Number of pages17
JournalInternational Journal of Information Security
Issue number3
StatePublished - Jun 2021


  • DNS
  • DNS security
  • Network protocols
  • Network security


Dive into the research topics of 'A wrinkle in time: a case study in DNS poisoning'. Together they form a unique fingerprint.

Cite this