Brace for DNS Spoofing: Cache Poisoning Flaws DiscoveredFixes Arriving to Safeguard DNS Against Newly Found 'SAD DNS' Side-Channel Attack
The internet relies on the domain name system to translate human-readable domain names into computer-readable IP addresses. Unfortunately, many modern DNS services are vulnerable to a spoofing attack that "allows an attacker to redirect any traffic - originally destined to a specific domain - to his own server and then become a man-in-the-middle attacker, allowing eavesdropping and tampering of the communication," researchers say.
A group of researchers from the University of California at Riverside and Tsinghua University in Beijing have identified a new type of DNS cache poisoning attack called SAD DNS - for "Side-channel AttackeD DNS." The flaw exists due to rate-limiting controls in the Internet Control Message Protocol - an error-reporting protocol that network devices, including routers, use to send error messages to source IP addresses that have introduced an exploitable side channel.
The vulnerability has been designated CVE-2020-25705 by Mitre, which notes that Linux kernel versions prior to 5.10 "may be vulnerable to this issue."
The researchers say SAD DNS allows "an off-path attacker to inject a malicious DNS record into a DNS cache," as provided by BIND, Unbound, dnsmasq and others.
They presented their findings as a research paper at this month's virtual ACM Conference on Computer and Communications Security. The paper won the conference's annual Distinguished Paper Award.
'Classic DNS Cache Poisoning Attack'
"SAD DNS is a revival of the classic DNS cache poisoning attack - which no longer works since 2008 - leveraging novel network side channels that exist in all modern operating systems, including Linux, Windows, macOS and FreeBSD," the researchers say on a dedicated Sad DNS page. It includes a link to a tool users can employ to see if the DNS server they're using is vulnerable to the exploit.
"This attack is basically exploiting a Band-Aid that was applied to DNS resolvers," says Ryan Davis, CISO of DNS and internet traffic management technology firm NS1, based in New York. "That Band-Aid is using random port numbers to respond so that an attacker can't effectively guess what port the response is going to be sent on. The researchers have discovered a way to identify what port is used and make the same basic cache poisoning attack effective again."
Users Cannot Detect SAD DNS Attacks
Detecting SAD DNS attacks is impossible for end users. The researchers note that "only your ISP or DNS providers can potentially detect it," for example, via an intrusion detection system. They add that it's not clear if this flaw has been previously exploited in the wild.
How widespread is the vulnerability? The researchers say their tests have found that 35% of open resolvers - meaning resolvers that anyone on the internet can use - are vulnerable to the attack. This include 85% of public resolvers - including such popular DNS services as Google’s 220.127.116.11 and CloudFlare’s 18.104.22.168. Also vulnerable are four out of six well-known router brands they tested. Those non-exhaustive tests found that four types of routers - from Arris, NETGEAR, TP-Link and Xiaomi - were vulnerable, while two other tested models, from Huawei and Verizon, were not.
"In theory, any DNS server running the newer version of popular operating systems without blocking outgoing ICMPs - only Windows blocks it by default - is also vulnerable," they say.
Fixes and Patches Appearing
The researchers say they reported the vulnerability to developers of affected systems months ago, and numerous fixes have been released.
The Linux kernel security team, for example, has developed a patch, released on Sept. 17, that they say "randomizes the ICMP global rate limit to introduce noises to the side channel." As a result, "the attackers no longer can get help from the predictable token bucket limiter," according to the patch release notes.
Other announced fixes include:
- Debian has released updated packages that fix the flaw;
- Red Hat has published mitigation advice that calls for disabling "ICMP port unreachable messages (or to disable outgoing ICMP replies altogether)";
- SUSE says it's "releasing kernel updates that remove the side-channel attack from the ICMP replies" for SUSE Linux Enterprise Server.
Effective Defense: DNSSEC
One long-recommended DNS security control - Domain Name System Security Extensions, aka DNSSEC - outright blocks any attempt to exploit this flaw, provided it is used in a certain manner.
"The server must implement strict DNSSEC checks - i.e., refuse the responses that break the trust chain - to prevent the off-path attacks," the researchers say.
Unfortunately, use of DNSSEC is not yet widespread.
"This attack is basically exploiting a Band-Aid that was applied to DNS resolvers."
— Ryan Davis, NS1
"This new exploitation is further evidence of the critical importance of DNSSEC as a basic DNS security measure and a need for widespread adoption," says NS1's Davis, who notes that DNS is a 35-year-old protocol that was never designed with security in mind.
"When DNSSEC is fully implemented and validation is enforced, it is a more effective method for preventing attacks, such as cache poisoning, which can compromise the integrity of answers to DNS queries," he tells Information Security Media Group. "This approach helps ensure DNS responses are legitimate by cryptographically signing DNS records to verify their authenticity."