To address the insufficient defense against DNS cache poisoning attacks—particularly statistical and fragmented attacks since 2002—this paper proposes POPs, a lightweight, IPS-integrated protection system. POPs introduces a novel “detection–mitigation” co-design architecture: a semantics-aware, three-rule DNS protocol detector achieves high-precision attack identification; mitigation is triggered solely by the TC (Truncation) flag, enabling zero-false-positive and zero-false-negative operation. POPs is the first lightweight solution capable of defending against both historical and emerging DNS fragmentation-based poisoning attacks. Evaluation shows POPs achieves a 99.9924% defense rate against known attacks, detects threats 2–5× faster than Suricata or Snort, and incurs only 5%–10% of their resource overhead. Moreover, POPs successfully identifies fragmented attacks missed by both Suricata and Snort.

We present a novel yet simple and comprehensive DNS cache POisoning Prevention System (POPS), designed to integrate as a module in Intrusion Prevention Systems (IPS). POPS addresses statistical DNS poisoning attacks, including those documented from 2002 to the present, and offers robust protection against similar future threats. It consists of two main components: a detection module that employs three simple rules, and a mitigation module that leverages the TC flag in the DNS header to enhance security. Once activated, the mitigation module has zero false positives or negatives, correcting any such errors on the side of the detection module. We first analyze POPS against historical DNS services and attacks, showing that it would have mitigated all network-based statistical poisoning attacks, yielding a success rate of only 0.0076% for the adversary. We then simulate POPS on traffic benchmarks (PCAPs) incorporating current potential network-based statistical poisoning attacks, and benign PCAPs; the simulated attacks still succeed with a probability of 0.0076%. This occurs because five malicious packets go through before POPS detects the attack and activates the mitigation module. In addition, POPS completes its task using only 20%-50% of the time required by other tools (e.g., Suricata or Snort), and after examining just 5%-10% as many packets. Furthermore, it successfully identifies DNS cache poisoning attacks-such as fragmentation attacks-that both Suricata and Snort fail to detect, underscoring its superiority in providing comprehensive DNS protection.