Mechanism of Delegation Injection

Simulated poisoning experiment against ac.jp
with bind-9.9.5

Tsunehiko Suzuki/Chukyo University/2014

Making a Query for www.example.ac.jp

# dig www.example.ac.jp

;; QUESTION SECTION:
				;www.example.ac.jp.	IN	A

;; ANSWER SECTION:
				www.example.ac.jp.	600	IN	A	172.16.1.1

;; AUTHORITY SECTION:
				example.ac.jp.		600	IN	NS	ns.example.ac.jp.

;; ADDITIONAL SECTION:
				ns.example.ac.jp.	1800	IN	A	172.16.1.1

Cache Dump

$DATE 20140418053317
; authanswer
.                       3595    IN NS   a.root-servers.net.
; glue
jp.                     3595    NS      a.dns.jp.
; authauthority
example.ac.jp.          596     NS      ns.example.ac.jp.
; glue
ns.example.ac.jp.       1796    A       172.16.1.1
; authanswer
www.example.ac.jp.      596     A       172.16.1.1
; glue
a.dns.jp.               3595    A       172.16.17.1
; glue
                        3595    AAAA    ::1
; additional
a.root-servers.net.     3595    A       192.168.255.1

Simulated Poisonous Response

Add the following simulated poisonous record to the JP zone
($random.ac.jp, in the case of a real Kaminsky-style attack)

ac.jp.	1800	IN	NS	ns.poison.nom.

Making a query for poison.ac.jp

# dig poison.ac.jp

;; QUESTION SECTION:
				;poison.ac.jp.	IN	A

;; ANSWER SECTION:
				poison.ac.jp.	86400	IN	A	172.16.17.2

;; AUTHORITY SECTION:
				ac.jp.		1800	IN	NS	ns.poison.nom.

;; ADDITIONAL SECTION:
				ns.poison.nom.	86400	IN	A	172.16.17.2

The cache server caches the poisonous data 'ac.jp IN NS ns.poison.nom' from the simulated fake JP zone, and then gets the poisonous NS (rank AuthAuthority) from the evil ns.poison.nom.

Success of Delegation Injection

Cache Dump

$DATE 20140418053350
; authanswer
.                       3562    IN NS   a.root-servers.net.
; glue
jp.                     3562    NS      a.dns.jp.
; authauthority
ac.jp.                  1794    NS      ns.poison.nom.
; authauthority
example.ac.jp.          563     NS      ns.example.ac.jp.
; glue
ns.example.ac.jp.       1763    A       172.16.1.1
; authanswer
www.example.ac.jp.      563     A       172.16.1.1
; authanswer
poison.ac.jp.           86394   A       172.16.17.2
; glue
a.dns.jp.               3562    A       172.16.17.1
; glue
                        3562    AAAA    ::1
; additional
a.root-servers.net.     3562    A       192.168.255.1
; authauthority
nom.                    594     NS      a.nom.
; additional
a.nom.                  594     A       192.168.255.1
; answer
ns.poison.nom.          594     \-AAAA  ;-$NXRRSET
; nom. SOA a.nom. rootadmin.e-ontap.com. 2012071601 1800 900 604800 600
; authanswer
                        86394   A       172.16.17.2
;
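
As an added example (not part of the original slides), the following Python code parses abridged copies of the two cache dumps above and lists NS RRsets that newly appear at a name above a delegation the cache already held, which is how ac.jp shows up here. The function names and the "new cut above a cached child" heuristic are assumptions of this example; a hit is a candidate for review, not proof of poisoning.

```python
RANKS = {"authanswer", "authauthority", "glue", "additional", "answer"}

# Abridged from the two cache dumps on this page (only the lines needed here;
# shared records keep the TTLs of the first dump).
BEFORE = """\
; glue
jp.                     3595    NS      a.dns.jp.
; authauthority
example.ac.jp.          596     NS      ns.example.ac.jp.
; glue
a.dns.jp.               3595    A       172.16.17.1
; glue
                        3595    AAAA    ::1
"""
AFTER = BEFORE + """\
; authauthority
ac.jp.                  1794    NS      ns.poison.nom.
; authanswer
poison.ac.jp.           86394   A       172.16.17.2
"""

def parse_dump(text):
    """Return (owner, type, rdata, rank) tuples from a BIND cache dump."""
    records, rank, owner = [], None, None
    for line in text.splitlines():
        if line.startswith(";"):            # comment: may name the trust rank
            word = line[1:].strip()
            rank = word if word in RANKS else rank
            continue
        if not line.strip() or line.startswith("$"):
            continue
        fields = line.split()
        if not line[0].isspace():           # blank owner column repeats the owner
            owner = fields.pop(0).lower()
        fields.pop(0)                       # TTL
        if fields[0] == "IN":
            fields.pop(0)
        records.append((owner, fields[0], " ".join(fields[1:]).lower(), rank))
    return records

def injected_cuts(before, after):
    """NS owners new in `after` that sit above a delegation cached in `before`."""
    old = sorted({o for o, t, _, _ in before if t == "NS"})
    hits = []
    for owner, rtype, ns, rank in after:
        below = [o for o in old if o.endswith("." + owner)]
        if rtype == "NS" and owner not in old and below:
            # tuple: owner, nameserver, rank, out-of-bailiwick?, cached children
            hits.append((owner, ns, rank, not ns.endswith("." + owner), below))
    return hits

if __name__ == "__main__":
    for hit in injected_cuts(parse_dump(BEFORE), parse_dump(AFTER)):
        print("review delegation:", hit)
```
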

The target record is successfully poisoned by a query made after its cache entry expires

# dig www.example.ac.jp

;; QUESTION SECTION:
		;www.example.ac.jp.	IN	A

;; ANSWER SECTION:
		www.example.ac.jp.	86400	IN	A	172.16.17.2 ...(poison)

;; AUTHORITY SECTION:
		ac.jp.			1146	IN	NS	ns.poison.nom.

;; ADDITIONAL SECTION:
		ns.poison.nom.		85747	IN	A	172.16.17.2
end