Researchers from UC Irvine and Tsinghua University have created a potent cache poisoning attack named “MaginotDNS.” This attack focuses on Conditional DNS (CDNS) resolvers and has the potential to compromise entire top-level domains (TLDs).
The attack exploits inconsistencies in the security checks applied by different DNS software and by the two server modes a CDNS runs (recursive resolver and forwarder), leaving approximately one-third of all CDNS servers exposed.
The researchers presented the attack and their paper earlier this week at Black Hat 2023, stating that the issues identified have since been fixed at the software level.
DNS (Domain Name System) is a hierarchical and decentralized naming system used for Internet resources and connections. It converts human-readable domain names into numerical IP addresses, enabling network connections.
The DNS resolution process utilizes UDP, TCP, and DNSSEC to carry out queries and receive responses. This process can be either iterative or recursive, involving various stages of interaction with root servers, TLD servers, authoritative servers, and caching of records along the route.
Classic cache poisoning attacks have been mitigated by adding defense mechanisms to resolver implementations, which make off-path attacks difficult.
However, the “MaginotDNS” attack overcomes these defenses by targeting the CDNS forwarding function, from either an on-path or an off-path position.
The researchers found that bailiwick checks are adequately enforced in recursive mode; the forwarder mode, however, is not protected.
Because the two modes share the same global DNS cache, a successful attack on the forwarder mode lets poisoned records be served to the recursive mode as well, effectively breaking the protection boundary of the DNS cache.
The researchers identified irregularities in the bailiwick control of established DNS software like BIND9 (CVE-2021-25220), Knot Resolver (CVE-2022-32983), Microsoft DNS, and Technitium (CVE-2021-43105).
Furthermore, in certain instances, they observed configurations that treated every record as if it were beneath the root domain, a notably susceptible configuration.
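To make the bailiwick rule concrete, here is a small, added example of the check a resolver applies before caching records from a response. It is not code from the article or from the researchers' paper, and the resource records, the zone name example.com and the helper names (RR, in_bailiwick, filter_response) are constructed for illustration. The check keeps only records whose owner name sits at or below the zone the resolver actually asked, and it also shows why a bailiwick of "." (the root) is the dangerous setting the article describes: it accepts every name.

```python
# Added example (not from the article or the MaginotDNS paper): a minimal
# bailiwick filter of the kind a resolver applies before caching a response.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class RR:
    """One resource record from a DNS response (owner name, type, rdata)."""
    name: str
    rtype: str
    rdata: str


def _normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so comparisons are uniform."""
    return name.rstrip(".").lower()


def in_bailiwick(owner: str, bailiwick: str) -> bool:
    """Return True if `owner` equals `bailiwick` or lies below it.

    A bailiwick of "." (the root) matches every name. That is the overly
    permissive configuration the article mentions, and the reason the
    bailiwick must be derived from the zone the resolver actually queried.
    """
    o, b = _normalize(owner), _normalize(bailiwick)
    if b == "":
        return True
    # The "." prefix stops notexample.com from matching example.com.
    return o == b or o.endswith("." + b)


def filter_response(bailiwick: str, records: List[RR]) -> Tuple[List[RR], List[RR]]:
    """Split a response into records safe to cache and records to discard."""
    accepted: List[RR] = []
    rejected: List[RR] = []
    for rr in records:
        (accepted if in_bailiwick(rr.name, bailiwick) else rejected).append(rr)
    return accepted, rejected


# Constructed sample response to a query for www.example.com, as if sent by
# the example.com authoritative server. The last two records are outside
# example.com: a legitimate example.com server has no authority over them,
# so a correct resolver must not cache them.
SAMPLE_RESPONSE = [
    RR("www.example.com.", "A", "192.0.2.10"),
    RR("example.com.", "NS", "ns1.example.com."),
    RR("ns1.example.com.", "A", "192.0.2.1"),
    RR("notexample.com.", "A", "198.51.100.7"),
    RR("login.other-example.net.", "A", "198.51.100.9"),
]


def rejected_names(bailiwick: str) -> List[str]:
    """Owner names the filter discards from SAMPLE_RESPONSE for a bailiwick."""
    _, rejected = filter_response(bailiwick, SAMPLE_RESPONSE)
    return [rr.name for rr in rejected]


if __name__ == "__main__":
    # Correct setting: bailiwick is the zone that was queried.
    print("example.com rejects:", rejected_names("example.com"))
    # Weak setting: root bailiwick accepts everything, including the
    # out-of-zone records above.
    print("root bailiwick rejects:", rejected_names("."))
```

The difference between the two runs is the whole point of the article: with the bailiwick set to the queried zone, the two foreign records are dropped; with the bailiwick treated as the root, nothing is dropped and any upstream answer can write arbitrary names into the shared cache.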
For these attacks, the attacker must predict the source port and transaction ID used by the target’s recursive DNS servers when making a request, and then use a malicious DNS server to send fake responses with the correct parameters.
The source port and transaction ID can be inferred by brute force or by using SAD DNS (Side-channel AttackeD DNS).
For BIND9, both parameters can be obtained after approximately 3,600 query rounds, while for Microsoft DNS, this requirement reduces to 720 rounds.
To enhance the likelihood of success, the attacker needs to manage the response time of the malevolent DNS responses, ensuring that their counterfeit response reaches the victim’s server ahead of the authentic one.
The researchers scanned the internet and found 1,200,000 DNS resolvers, of which 154,955 are CDNS servers.
Then, using software fingerprints to detect vulnerable versions, they found 54,949 vulnerable CDNS servers, all of which are vulnerable to on-path attacks and 88.3% of which are affected by off-path attacks.
All of the affected software vendors listed above have confirmed and fixed the flaws, and Microsoft has awarded the researchers a reward for their report.