Poison Over Troubled Forwarders: A Cache Poisoning Attack Targeting DNS Forwarding Devices

In today's DNS infrastructure, DNS forwarders are devices that stand between DNS clients and recursive resolvers. They often serve as ingress servers for DNS clients, and instead of resolving queries themselves, they pass the requests on to other servers. Because of their advantages and the variety of use cases they support, DNS forwarders are widely deployed and queried by Internet users. However, studies have shown that DNS forwarders can be among the more vulnerable devices in the DNS infrastructure. In this paper, we present a cache poisoning attack targeting DNS forwarders. Through this attack, attackers can inject rogue records for arbitrary victim domain names using a domain under their control, and circumvent widely deployed cache poisoning defences. By testing popular home router models and DNS software, we find several vulnerable implementations, including those of large vendors (e.g., D-Link, Linksys, dnsmasq and MS DNS). Further, through a nationwide measurement, we estimate the population of Chinese mobile clients that are using vulnerable DNS forwarders. We have been reporting the issue to the affected vendors, and so far have received positive feedback from three of them. Our work further demonstrates that DNS forwarders can be a soft spot in the DNS infrastructure, and calls for attention as well as implementation guidelines from the community.
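The abstract describes rogue records for a victim domain arriving inside a response for a different, attacker-controlled domain. The classic defensive check against exactly that pattern is bailiwick filtering: a caching device only accepts records whose owner name lies under the zone it was actually querying. The following is an added illustrative example, not code from the paper or from any of the vendors named above. It assumes a simplified in-memory record representation instead of DNS wire format, and it assumes the forwarder knows which zone the upstream answer is authoritative for (a hypothetical `zone` argument); both of these are assumptions made here for clarity.

```python
"""Bailiwick filtering for responses cached by a DNS forwarder.

Added illustrative example (not the paper's or any vendor's code).
Assumption: records are given as simple objects, not DNS wire format,
and the caller knows the zone the upstream response is authoritative for.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Record:
    name: str    # owner name, e.g. "www.attacker-controlled.example."
    rtype: str   # record type, e.g. "A"
    data: str    # rdata as text
    ttl: int


def normalize(name: str) -> tuple:
    """Canonical form: lowercase labels without a trailing dot, as a tuple."""
    return tuple(label for label in name.lower().rstrip(".").split(".") if label)


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if owner equals zone or is a subdomain of zone.

    The comparison is on whole labels, so "notexample.com" is NOT
    under "example.com" even though it ends with the same characters.
    """
    o, z = normalize(owner), normalize(zone)
    if len(o) < len(z):
        return False
    return o[len(o) - len(z):] == z


def filter_response(zone: str, records: Iterable[Record]):
    """Split a response into records that may be cached and records to drop."""
    kept, dropped = [], []
    for rec in records:
        (kept if in_bailiwick(rec.name, zone) else dropped).append(rec)
    return kept, dropped


class ForwarderCache:
    """Minimal cache that only stores in-bailiwick records."""

    def __init__(self) -> None:
        self._entries = {}

    def insert_response(self, zone: str, records: Iterable[Record]) -> int:
        kept, _dropped = filter_response(zone, records)
        for rec in kept:
            self._entries[(normalize(rec.name), rec.rtype.upper())] = rec.data
        return len(kept)

    def lookup(self, name: str, rtype: str) -> Optional[str]:
        return self._entries.get((normalize(name), rtype.upper()))


# Constructed sample response: a legitimate answer for the controlled
# domain, plus two records for an unrelated victim domain smuggled in.
SAMPLE_ZONE = "attacker-controlled.example."
SAMPLE_RESPONSE = [
    Record("www.attacker-controlled.example.", "A", "203.0.113.10", 300),
    Record("victim.example.", "A", "192.0.2.66", 86400),
    Record("bank.victim.example.", "A", "192.0.2.67", 86400),
]

if __name__ == "__main__":
    cache = ForwarderCache()
    cached = cache.insert_response(SAMPLE_ZONE, SAMPLE_RESPONSE)
    print(f"cached {cached} record(s); victim.example A ->",
          cache.lookup("victim.example", "A"))
```

With the constructed response above, only the record for `www.attacker-controlled.example` is cached and both records for `victim.example` are discarded. The label-wise suffix match matters: a byte-level `endswith` check would wrongly treat `notexample.com` as being under `example.com`.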
