Researchers have discovered an effective way to compromise top-level domains.
A team of researchers from the University of California, Irvine and Tsinghua University has developed a powerful new cache poisoning attack called "MaginotDNS" that targets conditional DNS (CDNS) resolvers and can compromise entire top-level domains (TLDs).
The attack was made possible by inconsistencies in the implementation of security checks in various DNS software and server modes, which leaves about a third of all CDNS servers vulnerable.
The researchers presented their work at the recent Black Hat 2023 conference, saying that the identified problems have already been fixed at the software level.
DNS (Domain Name System) is a hierarchical, distributed naming system for Internet resources and networks that converts human-readable domain names into numeric IP addresses so that a network connection can be established.
DNS resolvers use UDP, TCP, and DNSSEC to send queries and receive responses. Resolution can be iterative or recursive, involving multiple exchanges with root servers, TLD servers, and authoritative servers.
The concept of DNS cache poisoning is to inject fake responses into the resolver's cache, causing the server to direct users entering a legitimate domain to the wrong IP addresses, leading them to malicious websites without their knowledge.
CDNS resolvers support both recursive and forwarding (redirect) mode; ISPs and corporate networks use them to reduce costs and improve access control. It is the forwarding mode that is most vulnerable.
The researchers identified inconsistencies in the bailiwick (cache-scope) checks of well-known DNS software, including BIND9 (CVE-2021-25220), Knot Resolver (CVE-2022-32983), Microsoft DNS, and Technitium (CVE-2021-43105).
In some cases, the researchers observed configurations in which all records are treated as if they belonged to the root domain, which is a highly vulnerable configuration.
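To make the cache-scope problem concrete, here is an added example (not the researchers' code or any vendor's implementation) of the bailiwick check a resolver applies before caching a record: a record is cacheable only if its owner name lies at or below the zone the query was scoped to. Run against a constructed response, it shows that scoping a forwarded query to the root zone "." accepts every record, including one for a TLD the answering server has no authority over. The record names and addresses are constructed sample data.

```python
"""
Bailiwick (cache-scope) check for DNS responses.

Added illustration, not code from the MaginotDNS paper or from BIND, Knot,
Microsoft DNS or Technitium. It shows the check a resolver applies before
caching a record, and why a forwarder that treats every query as if it were
for the root zone "." effectively disables that check.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str   # owner name, e.g. "www.example.com."
    rtype: str  # record type: "A", "NS", "CNAME", ...
    rdata: str  # record data (constructed sample values below)


def normalize(name: str) -> str:
    """Lower-case a name and make it fully qualified (trailing dot)."""
    n = name.lower()
    return n if n.endswith(".") else n + "."


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is at or below `zone`. The root zone "." contains everything."""
    name, zone = normalize(name), normalize(zone)
    if zone == ".":
        return True
    return name == zone or name.endswith("." + zone)


def filter_cacheable(zone: str, records: list[RR]) -> tuple[list[RR], list[RR]]:
    """Split a response into records the resolver may cache and records it must drop.

    `zone` is the scope the query was issued under: the delegated zone in
    recursive mode, or whatever scope the forwarder assigns to upstream queries.
    """
    accepted, rejected = [], []
    for rr in records:
        (accepted if in_bailiwick(rr.name, zone) else rejected).append(rr)
    return accepted, rejected


# Constructed sample response: an answer for www.example.com. from example.com.'s
# server that also carries an NS record for the "com." TLD, which is outside
# example.com.'s bailiwick and must not be cached from this source.
SAMPLE_RESPONSE = [
    RR("www.example.com.", "A", "192.0.2.10"),
    RR("example.com.", "NS", "ns1.example.com."),
    RR("com.", "NS", "ns.rogue.example."),  # out of bailiwick for example.com.
]


if __name__ == "__main__":
    # Recursive-mode scope (example.com.) drops the TLD record; a forwarder
    # scoped to "." keeps it and would poison the cache for the whole TLD.
    for zone in ("example.com.", "."):
        acc, rej = filter_cacheable(zone, SAMPLE_RESPONSE)
        print(f"scope {zone!r}: cached {len(acc)}, dropped {len(rej)}")
```

The defensive takeaway is that the check only works if the scope is the delegated zone; any mode that widens the scope to the root, as the misconfigurations in the article do, lets a single answer overwrite cached data for names far outside the answering server's authority.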
The examples the researchers presented at Black Hat include both on-path and off-path attacks. The latter are more complex, but also much more valuable to attackers.
For these attacks, an attacker must predict the source port and transaction ID that the target's recursive DNS server uses when sending a query, and then have a malicious DNS server send forged responses carrying those values.
Source port inference and transaction ID guessing can be done by brute force or with SAD DNS.
The researchers scanned the Internet and found 1,200,000 DNS resolvers, of which 154,955 are CDNS servers. By programmatically identifying vulnerable versions, they found 54,949 vulnerable CDNS servers, all of which are susceptible to on-path attacks and 88.3% of which are susceptible to off-path attacks.
The vulnerability identified by the researchers poses a serious threat to the stable functioning of the Internet for several reasons:
- First, it affects critical infrastructure: the DNS, which plays a key role in the operation of the entire global network. Its failure or compromise can cause large-scale interruptions to the functioning of the Internet.
- Second, the number of vulnerable servers is very large: hundreds of thousands of devices around the world. This opens up a wide range of attack opportunities.
- Third, the attack mechanism itself is quite sophisticated and bypasses many existing protection measures, leaving affected DNS servers virtually defenseless.
All affected software vendors have confirmed the vulnerability and have fixed it. And Microsoft even gave an award to the researchers for their report.
However, for the issues to be fully resolved, CDNS administrators must apply fixes and follow the configuration recommendations provided by the vendors.