DNS implementers face numerous choices in architecting DNS resolvers, each with profound implications for security. Absent the use of DNSSEC, there are numerous interim tech- niques to improve DNS forgery resistance. We explore how different resolver architectures can affect the risk of DNS poi- soning.

The contributions of this work include: (A) We create a comprehensive, accurate model of DNS poisoning. We show how this model is more sensitive than other previous ex- planations of DNS poisoning. (B) We further catalog the major architectural choices DNS implementers can make in query management. We note real-world instances where these choices have weakened the security of resolvers, and mea- sure the impact on security using our model. Our study re- vealed numerous, previously unknown vulnerabilities in com- mon DNS servers.