Researchers Uncover Potent ‘MaginotDNS’ Cache Poisoning Attack Targeting CDNS Resolvers
A team of researchers from UC Irvine and Tsinghua University has unveiled a powerful cache poisoning attack dubbed ‘MaginotDNS’ that targets Conditional DNS (CDNS) resolvers. The attack has the potential to compromise entire top-level domains (TLDs), making it a significant security vulnerability.
The attack capitalizes on inconsistencies in how security checks are implemented across different DNS software and server modes, namely recursive resolvers and forwarders. This gap in protection leaves nearly one-third of all CDNS servers exposed to potential attack.
The unveiling of this attack transpired during the recent Black Hat 2023 conference, where the researchers shared their findings and proposed solutions that have subsequently been implemented at the software level.
DNS (Domain Name System) is a hierarchical, widely distributed naming system that translates human-readable domain names into numerical IP addresses, enabling network connections.
DNS resolution uses a mix of UDP, TCP, and DNSSEC for queries and responses. The process, which often involves iterative and recursive steps, requires interactions with root servers, TLD servers, authoritative servers, and cached records before a client can reach its destination.
The concept of DNS cache poisoning revolves around injecting falsified responses into a DNS resolver’s cache, diverting users towards incorrect IP addresses. This maneuver potentially exposes them to malicious websites without their awareness.
Historically, several cache poisoning attacks have been demonstrated, including the Kashpureff Attack of 1997, which exploited data verification gaps, and the Kaminsky Attack of 2008, capitalizing on the absence of a source port randomization mechanism.
Countermeasures were subsequently introduced into resolver implementations, rendering off-path attacks arduous to execute. However, the ‘MaginotDNS’ assault breaks new ground by effectively targeting the forwarding mode of CDNS, regardless of its on-path or off-path orientation.
The Mechanics of the MaginotDNS Attack
CDNS resolvers support both recursive and forwarding query modes, which ISPs and enterprises rely on to save costs and improve access control.
Intriguingly, the research team detected that while bailiwick checks are robustly enforced in the recursive mode, vulnerabilities emerge in the forwarder setting. Since both modes share the same global DNS cache, a successful attack on the forwarder mode could potentially compromise the recursive mode, undermining the protection boundary of the DNS cache.
The researchers meticulously scrutinized well-known DNS software and identified inconsistencies in bailiwick checking. Among the affected software were BIND9 (CVE-2021-25220), Knot Resolver (CVE-2022-32983), Microsoft DNS, and Technitium (CVE-2021-43105). Alarming misconfigurations treating all records as if under the root domain were also brought to light.
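The bailiwick check described above, as an added illustrative example (not code from the researchers or from any of the named DNS implementations): a resolver should cache only records whose owner name lies within the zone the responding server is believed to be authoritative for, and the same filter must run for forwarded responses. The zone, record and IP values below are constructed.

```python
# Added illustrative example (not the researchers' or any vendor's code): the
# bailiwick filter a resolver applies before caching records from a response.
# MaginotDNS works because forwarders skipped it, so a reply to a query inside
# one zone could carry records for an unrelated zone, even a TLD, into the cache
# shared with recursive mode. The same filter must run in both query modes.
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str   # owner name, e.g. "www.example.test."
    rtype: str  # record type, e.g. "A" or "NS"
    rdata: str  # address or target name


def _canon(name: str) -> str:
    """Lowercase and add a trailing dot so label comparisons are exact."""
    n = name.lower()
    return n if n.endswith(".") else n + "."


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if `owner` is `zone` itself or lies below it."""
    owner, zone = _canon(owner), _canon(zone)
    if zone == ".":
        return True  # the root contains every name: a root bailiwick is no check
    return owner == zone or owner.endswith("." + zone)


def filter_response(records, bailiwick):
    """Split records into (cacheable, rejected) against the responder's zone.

    For a forwarder `bailiwick` is the zone the upstream was queried for; the
    reported misconfiguration amounts to passing "." here and caching all."""
    accepted, rejected = [], []
    for rr in records:
        (accepted if in_bailiwick(rr.name, bailiwick) else rejected).append(rr)
    return accepted, rejected


# Constructed sample: an answer for www.example.test whose additional section
# also carries an NS record for the TLD "com." (hypothetical names and IPs).
SAMPLE_RESPONSE = [
    RR("www.example.test.", "A", "192.0.2.10"),
    RR("ns1.example.test.", "A", "192.0.2.53"),
    RR("com.", "NS", "ns1.example.test."),
]

if __name__ == "__main__":
    ok, bad = filter_response(SAMPLE_RESPONSE, "example.test")
    print("cached:", [r.name for r in ok], "rejected:", [r.name for r in bad])
```

Running the sample with the correct bailiwick caches the two `example.test` records and rejects the `com.` NS record; passing `"."` as the bailiwick reproduces the misconfiguration and caches all three.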
During their Black Hat presentation, the researchers vividly demonstrated both on-path and off-path attack scenarios, with the latter being more intricate yet significantly more valuable for potential threat actors.
Executing these attacks requires predicting the source port and transaction ID that the target’s recursive DNS servers use when generating requests. The attacker learns these values through brute force or SADDNS (side-channel attacked DNS), after which a malicious DNS server sends forged responses carrying the correct parameters.
Discerning the source port and transaction IDs via SADDNS
For BIND9, the acquisition of both parameters requires approximately 3,600 query rounds, while Microsoft DNS attains this information in 720 rounds.
To bolster the likelihood of success, attackers must manipulate the timing of malicious DNS responses to ensure their forged response reaches the victim’s server ahead of the authentic one.
Vulnerability Assessment and Remediation
In an extensive internet scan, the researchers identified 1,200,000 DNS resolvers, of which 154,955 were classified as CDNS servers. Using software fingerprints to identify vulnerable versions, they found 54,949 susceptible CDNS servers, all of them exposed to on-path attacks. Of these, 88.3% are also susceptible to off-path attacks.
The affected software vendors have since fixed the flaws. Microsoft, in recognition of the researchers’ efforts, also rewarded them with a bounty for their comprehensive report.
However, the effective mitigation of these concerns necessitates the proactive application of patches and adherence to configuration guidelines from the software vendors by CDNS administrators.