‘We removed the code from GitHub to protect those vulnerable servers and give them time to fix the vulnerability’
Twelve years after DNS server cache poisoning was discovered and mostly fixed, security researchers at the University of California, Riverside, and Tsinghua University in Beijing have shown that many DNS resolvers can still be poisoned.
The new technique, codenamed ‘SAD DNS’ (‘Side-channel AttackeD DNS’) and presented at the ACM Conference on Computer and Communications Security earlier this month, uses side-channels to overcome common defenses that have worked against classic DNS cache poisoning attacks.
What is DNS cache poisoning?
In DNS cache poisoning, an attacker intercepts the query of a DNS resolver or forwarder and injects a malicious IP address for a target domain in the resolver’s cache. Users who subsequently query the DNS resolver for the tainted domain are redirected to the attacker’s server.
In 2008, when it was first discovered, DNS cache poisoning was possible because the DNS requests between resolvers and upstream servers were done on a fixed port and used a 16-bit transaction ID. This made it easy for attackers to initiate the query and brute-force the response on all possible channels.
However, upgrading transaction IDs to 32 bits and randomizing the ports made it virtually impossible to brute-force DNS cache poisoning.
DNS side-channel attacks
SAD DNS uses the internet control message protocol (ICMP) as a side-channel to target DNS resolvers and forwarders.
ICMP is not directly involved in DNS resolution, but the researchers were able to use ICMP error messages to figure out which ports are occupied and derandomize the port used for DNS resolution.
The flaw affects all major operating systems, including Linux, Windows, macOS, and FreeBSD.
SAD DNS works on local resolvers such as routers in universities, airports, and shopping centres. But the researchers also found that public resolvers such as Cloudflare’s 126.96.36.199 and Google’s 188.8.131.52 were vulnerable to the attack.
“From our measurement, we find over 34% of the open resolver population on the internet are vulnerable (and in particular 85% of the popular DNS services including Google’s 184.108.40.206),” the researchers wrote, adding that they were able to validate the proposed attack with positive results against a variety of server configurations and network conditions.
Source code pulled
Keyu Man, the lead author of the paper, told The Daily Swig: “This attack will make the infrastructure of the internet vulnerable again, since every application would use DNS to get IP addresses.
“Adding and enforcing security features on old protocols is still a task that cannot be ignored [on] the internet today.”
The impact of their findings was so severe that the researchers had to pull the code for SAD DNS shortly after publishing it.
“We removed the code from GitHub to protect those vulnerable servers and give them time to fix the vulnerability. We will put the code on GitHub when we feel it’s ok to do so,” Man said.
In a blog post that discusses SAD DNS, Nick Sullivan, head of research at Cloudflare, wrote: “We’ve implemented an additional mitigation to 220.127.116.11 to prevent message ID guessing – if the resolver detects an ID enumeration attempt, it will stop accepting any more guesses and switches over to TCP.
“This reduces the number of attempts for the attacker even if it guesses the IP address and port correctly, similarly to how the number of password login attempts is limited.”