Due to the slow adoption of DNSSEC, the defense against Kaminsky-style DNS cache poisoning still mainly relies on conventional challenge-response mechanisms which have security vulnerabilities. Existing industry and academic research on DNS cache poisoning focuses on preventing cache injection, while systematic study on the entire poisoning process including the domain hijacking phase remains scarce. From an attacker’s perspective, we provide a complete tri-state poisoning model, based on which we further mathematically model the latent state (i.e., hijacking phase) and quantitatively analyze the influence of different factors on the hijacking effect. The simulation and experiment results are consistent with the mathematical model in different scenarios, justifying the effectiveness of the model and the significance of the domain hijacking phase. Finally, countermeasures and suggestions are proposed to strengthen the defense against Kaminsky-style cache poisoning by reducing the success rate of domain hijacking.

由于 DNSSEC 的采用缓慢，针对 Kaminsky 式 DNS 缓存中毒的防御仍然主要依赖于具有安全漏洞的传统挑战响应机制。现有的关于DNS缓存中毒的行业和学术研究主要集中在防止缓存注入，而对包括域劫持阶段在内的整个中毒过程的系统研究仍然很少。从攻击者的角度，我们提供了一个完整的三态中毒模型，在此基础上我们进一步对潜在状态（即劫持阶段）进行数学建模，并定量分析不同因素对劫持效果的影响。仿真和实验结果在不同场景下与数学模型一致，证明了模型的有效性和域劫持阶段的意义。