Opened Pandora's box of Cache Poisoning -1-
Tsunehiko Suzuki 2014.04.15 (concept by Toshinori Maeno 2014.02)
In 2008, Mr. Dan Kaminsky disclosed a poisoning method that evades the protection given by TTL.
But T. Suzuki found a mistake in his explanation in 2011: a spoofed additional section cannot be valid as poison.
Bernhard Müller released the paper titled "IMPROVED DNS SPOOFING USING NODE RE-DELEGATION" in July 2008.
He described the method "node re-delegation".
By "node re-delegation", spoofed responses can succeed as poison and divert the node to a spoofed zone within a few minutes.
In 2010, Sooel Son and Vitaly Shmatikov gave a detailed description in "The Hitchhiker's Guide to DNS Cache Poisoning" showing the conditions under which poison can be injected successfully.
Amir Herzberg and Haya Shulman released the paper "Fragmentation Considered Poisonous" in March 2013.
They disclosed a method by which the second fragment of a fragmented packet can act as poison. Although insufficient inspection of the fragment may allow the injection, they did not explain what types of spoofed response can work as valid poison.
Our discovery: several serious vulnerable targets of the Delegation Injection attack (an extension of Müller's method)
We (Maeno and Suzuki) found several risky zones for which a poisonous DNS response is accepted by the cache server. This reveals the weakness of DNS against the cache poisoning attack.
The most serious cases (targets) are as follows:
(1) domain names without an NS RRSet, or with no record at all, so that the cache has no relevant NS RRSet;
(2) domain names with an NS RRSet whose cached entry is easily overwritten by a response from authoritative servers.
In the following cases, important zones are exposed to the risk of poisoning by the re-delegation attack.
1. Poisoning of subdomains which have no DNS record (extension of Müller's method)
The attacker can poison a fake NS for a domain name which has no NS RRs, and can thereby control a fake sld.tld zone.
a) sld.tld, where the "example.sld.tld" zone is delegated from the TLD but sld.tld itself does not have its own zone
b) almost all FQDNs (pointed out by Müller)
In many cases, such an sld.tld name has no NS RR. The attacker can inject a spoofed NS for that domain name as poison and take control of the zone.
Even if A records in the example.sld.tld zone are currently cached, injection of the spoofed sld.tld zone can overwrite them (the poison becomes effective when the record is looked up again).
Additional explanation: Mechanism of Delegation Injection
2. Poisoning of a child zone whose authoritative server also manages its parent zone (discovered by JPRS)
Even if the child zone is delegated from its parent, the attacker can control the parent zone by injecting spoofed NS records of the child.
a) The cache server gets a negative response for a name in the child zone when it queries the parent.
b) The cache server gets referral information (NS+A) to the grandchild when it queries the parent (not the child) about a name in the grandchild zone.
c) If the parent uses a name in the child zone for its NS, the cache server does not need to ask the child zone for the A record, because the A record was already obtained as glue from the parent's parent.
3. Poisoning of a zone whose NS value points to a name in a child zone
The attacker can control the parent zone by poisoning the NS name in the child zone.
- An SLD zone such as .gouv.fr can be poisoned.
- TLD zones such as .kr and .net can be poisoned.
- The root zone (.) can be poisoned (effective with relocation injection).
We have to reform the specifications (RFC 2181 etc.), implementations and operations.
* Furthermore, we found one more serious problem: relocation injection.
Countermeasures (workarounds)
Countermeasures on cache servers
- access control (an open resolver is dangerous)
- query source port randomization (a fixed port number is dangerous)
- add entropy by the 0x20 method, etc.
- detection of attacks and clearing of the cache
- adopt TCP instead of relying on EDNS0 (to avoid the fragmentation attack)
Countermeasures on content (zone) servers
- deploy a distinct server for each zone
- prohibit nodes without NS
- rename NS records
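As an added example (not part of this report, and not code from BIND, Unbound or any project named here), the following Python script audits a delegation tree for the three conditions described above and targeted by the zone-server countermeasures: an NS name that points into a delegated child zone (item 3, "rename NS"), one server authoritative for both a zone and its descendant (item 2, "deploy a distinct server for each zone"), and intermediate names that exist only as part of a deeper delegation and have no NS RRset of their own (item 1, "prohibit nodes without NS"). The zone names and NS names in SAMPLE_ZONES are constructed for illustration only; a real deployment would fill the dictionary from zone files or from queries to the authoritative servers.

```python
"""Delegation audit for the three risky conditions described in the report.

Added example, not code from the original report. The zone names, NS names
and delegations in SAMPLE_ZONES are constructed for illustration only.
"""


def _labels(name):
    """'ns.sld.tld.' -> ['ns', 'sld', 'tld']; the root '.' -> []."""
    return [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]


def is_subdomain(name, zone):
    """True if name equals zone or lies below it ('.' encloses everything)."""
    n, z = _labels(name), _labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


def closest_zone(name, zones, exclude=None):
    """Most specific apex in `zones` that encloses `name` (optionally skipping one)."""
    best = None
    for apex in zones:
        if apex == exclude or not is_subdomain(name, apex):
            continue
        if best is None or len(_labels(apex)) > len(_labels(best)):
            best = apex
    return best


def ns_in_child_zone(zones):
    """Item 3: NS names of a zone that live inside one of its delegated child
    zones, so that the child's delegation decides where the parent resolves.
    Returns sorted (zone, ns_name, child_zone) tuples."""
    findings = []
    for zone, ns_names in zones.items():
        for ns in ns_names:
            enclosing = closest_zone(ns, zones)
            if enclosing is None or enclosing == zone:
                continue            # outside the zone, or an ordinary in-zone host
            if is_subdomain(enclosing, zone):
                findings.append((zone, ns, enclosing))
    return sorted(findings)


def shared_servers(zones):
    """Item 2 / 'deploy a distinct server for each zone': the same NS name is
    authoritative for both a zone and one of its descendants."""
    findings = []
    for parent, parent_ns in zones.items():
        for child, child_ns in zones.items():
            if child == parent or not is_subdomain(child, parent):
                continue
            for ns in set(parent_ns) & set(child_ns):
                findings.append((parent, child, ns))
    return sorted(findings)


def nodes_without_ns(zones):
    """Item 1 / 'prohibit nodes without NS': names strictly between a delegated
    apex and its delegating parent that have no NS RRset of their own."""
    found = set()
    for zone in zones:
        parent = closest_zone(zone, zones, exclude=zone)
        if parent is None:
            continue                # the root has no parent
        labels, plabels = _labels(zone), _labels(parent)
        for i in range(1, len(labels) - len(plabels)):
            found.add(".".join(labels[i:]) + ".")
    return sorted(found)


# Constructed delegation tree (assumption): apex -> NS names.
SAMPLE_ZONES = {
    ".": ["ns.root-example."],
    "tld.": ["ns.sld.tld.", "ns2.tld."],             # NS name inside child zone sld.tld.
    "sld.tld.": ["ns.sld.tld."],                      # same server as its parent
    "example.sld.tld.": ["ns.example.sld.tld."],
    "example.empty.tld.": ["ns.example.empty.tld."],  # empty.tld. is not a zone
    "parent.": ["ns1.parent.", "ns2.parent-dns.net."],
    "child.parent.": ["ns1.parent."],                 # shares the parent's server
}


def report(zones=SAMPLE_ZONES):
    """Collect all findings in one dict (usable from a test or a periodic job)."""
    return {
        "ns_in_child_zone": ns_in_child_zone(zones),
        "shared_servers": shared_servers(zones),
        "nodes_without_ns": nodes_without_ns(zones),
    }


if __name__ == "__main__":
    for kind, items in report().items():
        print(kind)
        for item in items:
            print("   ", item)
```

Each finding names a place where renaming an NS, splitting servers, or creating an explicit zone (with its own NS RRset) removes the condition the report describes; an empty report for a real tree means none of the three patterns is present in the data supplied.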
- All experiments were done on our Internet simulator (BIND 9.9.2-P2 / Unbound 1.4.20).
- Dr. Hiroki Takakura of Nagoya University made an enormous contribution to the disclosure of this report.