Domain Name System (DNS) security is one of the hot topics in Internet technology. In recent years, security incidents caused by DNS cache poisoning have occurred frequently, seriously affecting the security and reliability of the Internet. This article analyzes the mechanism of cache poisoning in depth and proposes a LAN-oriented scheme for checking the validity of DNS packets. The reverse-direction checking algorithm designed in the new scheme strengthens the ability to verify DNS packet validity without requiring any modification of the DNS protocol, changing the passive situation in which the underlying local network could only rely on the reliability of upstream servers to prevent cache poisoning attacks.
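The abstract does not describe the reverse-direction algorithm itself, so the following is an added example (not the paper's code) of the baseline LAN-side validity check that cache poisoning evades: a DNS response is accepted only if its transaction ID, question section and source address match a query the LAN actually sent. The `pending` table, the sample addresses and the `build` helper are constructed for illustration.

```python
import struct

def parse_question(pkt):
    """Return (txid, flags, qname, qtype) from a raw DNS message, or None if malformed."""
    if len(pkt) < 12:
        return None
    txid, flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if qdcount != 1:          # one question per message is all we validate here
        return None
    labels, off = [], 12
    while True:
        if off >= len(pkt):
            return None
        ln = pkt[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0:         # compression pointer or oversized label in the question: reject
            return None
        labels.append(pkt[off:off + ln].decode("ascii", "replace"))
        off += ln
    if off + 4 > len(pkt):
        return None
    qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
    return txid, flags, ".".join(labels).lower(), qtype

def check_response(pkt, src, pending):
    """Classify a DNS response seen on the LAN against outstanding queries.

    pending maps (txid, qname, qtype) -> (resolver_ip, resolver_port) for queries sent out;
    src is the (ip, port) the response arrived from.
    """
    parsed = parse_question(pkt)
    if parsed is None:
        return "malformed"
    txid, flags, qname, qtype = parsed
    if not flags & 0x8000:    # QR bit clear: this is a query, not a response
        return "not-a-response"
    key = (txid, qname, qtype)
    if key not in pending:
        return "unsolicited"      # no matching query: txid/question mismatch or a forged answer
    if pending[key] != src:
        return "source-mismatch"  # right txid and question, but not from the resolver we asked
    del pending[key]              # first valid answer wins; later duplicates become unsolicited
    return "ok"

def build(txid, flags, qname, qtype=1):
    """Build a minimal DNS message with one question (constructed test input)."""
    body = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + body + struct.pack("!HH", qtype, 1)
```

Responses classified as `unsolicited` or `source-mismatch` are exactly the forged packets a poisoning attempt must get past, so counting them per resolver is a simple detection signal.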