2012-duan-hold-on
findings extracted from this paper
-
Without DNSSEC, Hold-On can be defeated by a sophisticated censor that crafts injected packets whose IP TTL and timing match the expected legitimate reply, injecting just before that reply's predicted arrival. Combined with DNSSEC, Hold-On is robust even against this attack, because the censor cannot forge a valid DNSSEC signature. Injection can still cause a denial of service against a validating resolver that acts on the first reply it receives (the forged reply fails validation and the query ends in a 'Bogus' result), but Hold-On prevents that by continuing to wait for the legitimate reply that does validate.
-
Over 11,700,000 DNS requests across 6 days at ICSI's border network and 15,200,000 DNS transactions in a 1.5-hour trace at UC Berkeley's border, a second, differing reply to the same query was essentially absent from normal traffic, yielding effectively 0 false positives. Only two benign authority servers produced anomalous dual replies at Berkeley: one for the BBC, returning two addresses within the same /24, and one for businessinsider.com, returning a SERVFAIL. Neither would disrupt a Hold-On resolver.
-
A prototype Hold-On DNS proxy introduced no perceptible additional latency for either cached or uncached DNS queries in live testing; query-time measurements for both sets of names overlapped entirely with baseline (Hold-On disabled) measurements. The Hold-On timer (5 s for the first try, 10 s for the second, 15 s for the third) is only reached under anomalous conditions; under normal operation the resolver returns as soon as the legitimate reply validates.
-
On-path censors commonly operate on traffic mirrors rather than inline (in-path), making their systems failure-tolerant and easier to deploy. This architectural choice means on-path injectors cannot suppress the legitimate DNS reply—both the forged and authentic replies reach the resolver—creating a detectable anomaly. The same structural weakness applies to TCP RST injection and other on-path packet injection attacks.
-
In approximately 100,000 DNS queries over 9 days from within a censored network, injected packets were reliably distinguishable: legitimate IP TTLs were stable at either 44 or 42, while injected TTL values ranged across [0–255], and injected packets arrived well before legitimate replies because the injector co-resided within the same ISP while the recursive resolver was in another country. With a TTL threshold of ±1 around the expected TTL and an RTT threshold of 0.5× the expected RTT (a reply arriving earlier than that is treated as injected), the Hold-On prototype achieved a 0% false positive rate and a 0% false negative rate.
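The decision rule behind the three findings above (the TTL and timing thresholds, the hold-on timer, and the DNSSEC case where a forged reply is Bogus rather than merely anomalous), as an added simulation that is not code from the paper or its prototype. The ±1 TTL threshold, the 0.5× RTT threshold and the 5 s/10 s/15 s schedule come from the findings; the fallback policy on timer expiry, the treatment of the three tries as one cumulative window, and the sample replies (expected TTL 44, expected RTT 0.20 s, documentation addresses) are assumptions of this example.

```python
"""Simulation of the Hold-On decision logic (added example, not the paper's code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Reply:
    arrival: float                 # seconds after the query left the resolver
    ip_ttl: int                    # IP TTL seen on the reply packet
    answer: str                    # rdata, or "SERVFAIL"
    dnssec: Optional[str] = None   # None (no DNSSEC), "Secure" or "Bogus"


def looks_legitimate(reply: Reply, expected_ttl: int, expected_rtt: float,
                     ttl_thresh: int = 1, rtt_frac: float = 0.5) -> bool:
    """The two heuristics from the findings: IP TTL within +/-ttl_thresh of the
    value learned for this authority, and arrival no earlier than
    rtt_frac * expected RTT (an injector near the client answers far too fast)."""
    ttl_ok = abs(reply.ip_ttl - expected_ttl) <= ttl_thresh
    timing_ok = reply.arrival >= rtt_frac * expected_rtt
    return ttl_ok and timing_ok


def first_reply_wins(replies: List[Reply], dnssec: bool = False) -> str:
    """Baseline resolver without Hold-On: the first packet to arrive is used.
    With DNSSEC a Bogus first reply becomes SERVFAIL, which is the
    denial of service an injector can still cause."""
    if not replies:
        return "SERVFAIL"
    first = min(replies, key=lambda r: r.arrival)
    if dnssec and first.dnssec != "Secure":
        return "SERVFAIL"
    return first.answer


def hold_on(replies: List[Reply], expected_ttl: int, expected_rtt: float,
            dnssec: bool = False, timers=(5.0, 10.0, 15.0),
            ttl_thresh: int = 1, rtt_frac: float = 0.5) -> Tuple[str, str]:
    """Hold-On resolver. Returns (answer, reason). Anomalous replies are held
    rather than returned; the resolver keeps listening until a reply passes the
    check (or validates, with DNSSEC) or the timer expires. Assumption: the
    three tries are modelled as one cumulative window, no retransmission."""
    deadline = sum(timers)
    held: Optional[Reply] = None
    saw_bogus = False
    for reply in sorted(replies, key=lambda r: r.arrival):
        if reply.arrival > deadline:
            break  # arrived after the last try timed out
        if dnssec:
            # The signature check replaces the heuristics: an injector cannot
            # produce a valid signature, so a Bogus reply is ignored while we
            # wait for the one that validates.
            if reply.dnssec == "Secure":
                return reply.answer, "accepted: DNSSEC validated"
            saw_bogus = True
            continue
        if looks_legitimate(reply, expected_ttl, expected_rtt, ttl_thresh, rtt_frac):
            return reply.answer, "accepted: TTL and timing match"
        if held is None:
            held = reply  # remember it, but keep listening
    if dnssec:
        return "SERVFAIL", ("timer expired: only Bogus replies" if saw_bogus
                            else "timer expired: no reply")
    if held is not None:
        # Assumed fallback: a lone unrecognised reply is treated as a route or
        # TTL change rather than an attack.
        return held.answer, "timer expired: fell back to held reply"
    return "SERVFAIL", "timer expired: no reply"


# Constructed scenarios (not measurements from the paper). Learned state for one
# authority: IP TTL 44, RTT 0.20 s. 203.0.113.5 is the real answer, 192.0.2.1 the
# censor's forged one.
EXPECTED_TTL, EXPECTED_RTT = 44, 0.20
NAIVE_INJECTOR = [Reply(0.02, 117, "192.0.2.1"), Reply(0.21, 44, "203.0.113.5")]
MATCHED_INJECTOR = [Reply(0.19, 44, "192.0.2.1"), Reply(0.21, 44, "203.0.113.5")]
MATCHED_INJECTOR_DNSSEC = [Reply(0.19, 44, "192.0.2.1", "Bogus"),
                           Reply(0.21, 44, "203.0.113.5", "Secure")]
NO_SECOND_REPLY = [Reply(0.02, 117, "192.0.2.1"), Reply(31.0, 44, "203.0.113.5")]

if __name__ == "__main__":
    for name, scenario, dnssec in [("naive injector", NAIVE_INJECTOR, False),
                                   ("matched injector", MATCHED_INJECTOR, False),
                                   ("matched injector + DNSSEC", MATCHED_INJECTOR_DNSSEC, True),
                                   ("no second reply", NO_SECOND_REPLY, False)]:
        print(f"{name:26s} first-wins={first_reply_wins(scenario, dnssec):12s} "
              f"hold-on={hold_on(scenario, EXPECTED_TTL, EXPECTED_RTT, dnssec=dnssec)}")
```

Running the four scenarios side by side shows the shape of the argument: the naive injector is caught by both heuristics and Hold-On returns the real answer while the baseline is poisoned; the injector that matches TTL and timing defeats Hold-On without DNSSEC; with DNSSEC the same forged reply is Bogus, the baseline turns it into SERVFAIL, and Hold-On still returns the validated answer.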