In 2020, researchers demonstrated new techniques for poisoning DNS resolver caches. The first takes advantage of DNS forwarders with reduced integrity checks. The researchers found that eight home routers and two types of DNS forwarders, dnsmasq and MS DNS, have limited features and don’t have proper response verification checks when receiving answers from an upstream resolver.
The attacker within the LAN predicts an IP ID and sends a spoofed second packet as if the DNS response had been separated. This spoofed response contains a DNS record meant to poison the forwarder, but the attacker won’t need to guess UDP source ports or DNS transaction IDs because the second packet in the response doesn’t have UDP or DNS headers. The target forwarding system’s networking stack will temporarily cache the IP packet waiting for its match.
Then the attacker within a LAN sends a query which will ultimately end up at their own controlled (malicious) authoritative server which returns back results with a long CNAME record chain which
causes the oversized result to be fragmented into separate packets.
When it gets sent to the forwarder, its IP stack will reassemble the valid first packet with the correct source port and DNS ID with the spoofed second packet because the IP IDs match.
Due to a weakness in the forwarder, a different name can be cached and shared to other clients on the LAN.
The second attack, called the Side-channel Attacked DNS (or SAD), relies on an ICMP flaw with Global Rate Limits and is not limited to forwarders. Available ports are figured out by blasting spoofed UDP packets with ICMP replies indicating which ports are not open. Then the
cache poisoning attack can narrow down its range of open source ports to target into its attempts.
In addition, the attacker floods the authoritative nameserver with queries to limit its packet response rate so the attacker can have more opportunities to provide its own spoofed responses first to the target resolver. The researchers were able to have 100% success rate with around 3 minutes to 15 minutes to succeed in cache poisoning and they reported the flaw was shown to be on 34% of open resolvers.
Recently, other researchers also found three software mistakes in dnsmasq where it had reduced port ranges and improper DNS name response matching which could lead to easier DNS cache poisoning attacks. The researchers stated that combining these issues could result in cache poisoning accomplished in less than a minute.
They also identified additional bugs in dnsmasq where attackers could crash dnsmasq resulting in denial of service and could override memory causing unexpected behaviors and potential remote take over. Over 30 different devices use dnsmasq, such as Internet of things, firewalls etc. These series of recent dnsmasq vulnerabilities are known as DNSpooq.
For cache poisoning attacks, DNSSEC may be used to prove when data is spoofed, but note that DNSSEC validation is not forced and requires the target domain to be setup with it. Also forwarders using EDNS can be used to define the packet sizes accepted to limit DNS packet fragmentation. DNS cookies or 0x20 DNS encoding may also help provide further workarounds. dnsmasq has recent updates to solve some of their crash or other compromise bugs.
The SAD attack can be limited by disabling outgoing ICMP responses.
References
- www.jsof-tech.com/wp-content/uploads/2021/01/DNSpooq_Technical-Whitepaper.pdf
- www.usenix.org/conference/usenixsecurity20/presentation/zheng
- dl.acm.org/doi/10.1145/3372297.3417280
- www.jsof-tech.com/disclosures/dnspooq/
- www.jsof-tech.com/wp-content/uploads/2021/01/DNSpooq_Technical-Whitepaper.pdf
- Malwarebytes
- Tenable
- ESet