
New Cache Poisoning Attack Can Compromise Top-Level Domains

A team of researchers from UC Irvine and Tsinghua University has developed a powerful cache poisoning attack called ‘MaginotDNS’ that targets Conditional DNS (CDNS) resolvers, servers that act as a recursive resolver for some queries and as a forwarder for others while sharing a single cache. The attack can poison a resolver’s cached delegation data for entire top-level domains (TLDs), so that every name beneath the TLD is resolved through attacker-controlled name servers.

The attack takes advantage of inconsistencies in how different DNS software implements bailiwick (security) checks in its recursive and forwarding server modes, leaving around one-third of all CDNS servers vulnerable. The researchers presented their findings at Black Hat 2023, and the affected vendors have since fixed the identified issues at the software level.

DNS cache poisoning involves injecting forged answers into a DNS resolver’s cache, which can direct users to attacker-chosen IP addresses and potentially malicious websites without their knowledge. Previous attacks of this nature have been mitigated by defenses built into resolvers, such as source port and transaction ID randomization and bailiwick checks that reject records outside the zone a response is authoritative for.

However, the ‘MaginotDNS’ attack overcomes these defenses by targeting the forwarding mode of CDNS in both on-path and off-path scenarios. The researchers found that while bailiwick checks are adequately enforced in recursive mode, they are weakened or skipped in forwarder mode, so a forwarded response can carry records the recursive path would have rejected. Because both modes share the same global DNS cache, a record accepted through the forwarder mode is later served to recursive lookups, breaking the cache protection boundary and compromising the recursive mode as well.

Inconsistencies in bailiwick checking were identified in prominent DNS software, including BIND9, Knot Resolver, Microsoft DNS, and Technitium. Some configurations treated every forwarded response as if its bailiwick were the root zone, so any record in the response, including NS records for a TLD, was accepted into the cache; these configurations were highly vulnerable.
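To make the mismatch concrete, the following is an added example (not MaginotDNS code and not taken from any of the named products) that models a resolver with one shared cache and two acceptance paths: a recursive path that enforces a proper bailiwick check, and a forwarder path that anchors the bailiwick at the root, as the vulnerable configurations described above did. The attacker domain, name server and addresses are constructed from reserved example ranges; the "fixed" forwarder behaviour (trusting a forwarded answer only for the queried name) is an assumption used for illustration, and the real vendor fixes differ in detail.

```python
"""Toy model of bailiwick checking in a CDNS-style resolver (added example)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class RR:
    name: str    # owner name, absolute, e.g. "www.attacker.example."
    rtype: str   # "A", "NS", ...
    rdata: str


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if owner equals zone or lies beneath it.  Root ('.') contains everything."""
    owner = owner.lower().rstrip(".") + "."
    zone = zone.lower().rstrip(".") + "."
    if zone == ".":
        return True
    return owner == zone or owner.endswith("." + zone)


@dataclass
class Resolver:
    # One cache shared by both modes, keyed on (owner name, type).
    cache: dict = field(default_factory=dict)

    def _accept(self, rr: RR, bailiwick: str) -> bool:
        if not in_bailiwick(rr.name, bailiwick):
            return False
        self.cache[(rr.name.lower(), rr.rtype)] = rr.rdata
        return True

    def process_recursive(self, zone: str, response: list) -> list:
        # Recursive mode: bailiwick is the zone the queried server is authoritative for.
        return [self._accept(rr, zone) for rr in response]

    def process_forwarder_vulnerable(self, response: list) -> list:
        # Vulnerable forwarder mode: bailiwick anchored at the root, so nothing is rejected.
        return [self._accept(rr, ".") for rr in response]

    def process_forwarder_fixed(self, qname: str, response: list) -> list:
        # Assumed fix for illustration: only trust records at or below the queried name.
        return [self._accept(rr, qname) for rr in response]

    def lookup(self, name: str, rtype: str) -> Optional[str]:
        # What the recursive path would use before contacting any server.
        return self.cache.get((name.lower(), rtype))


# Constructed attacker response to a forwarded query for www.attacker.example.
# The legitimate answer is padded with an out-of-bailiwick NS record for the "com." TLD.
ATTACKER_RESPONSE = [
    RR("www.attacker.example.", "A", "203.0.113.10"),
    RR("com.", "NS", "ns.attacker.example."),          # TLD delegation, not in bailiwick
    RR("ns.attacker.example.", "A", "203.0.113.10"),
]


def demo() -> dict:
    """Run the same response through both forwarder variants and report what the
    recursive path would later find cached for the com. delegation."""
    vuln = Resolver()
    vuln.process_forwarder_vulnerable(ATTACKER_RESPONSE)

    fixed = Resolver()
    fixed.process_forwarder_fixed("www.attacker.example.", ATTACKER_RESPONSE)

    return {
        "vulnerable_com_ns": vuln.lookup("com.", "NS"),     # attacker's NS is now cached
        "fixed_com_ns": fixed.lookup("com.", "NS"),         # nothing cached for com.
        "fixed_answer": fixed.lookup("www.attacker.example.", "A"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the model is the shared cache: once the vulnerable forwarder path stores `("com.", "NS")`, a later recursive lookup for any `.com` name consults that entry and walks to the attacker’s name server, even though the recursive path itself would never have accepted the record.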

The researchers demonstrated both on-path and off-path attacks during their presentation. Off-path attacks are more complicated but also more valuable to threat actors, because the attacker never sees the target’s query and must instead guess the 16-bit transaction ID and the UDP source port used by the target’s recursive DNS servers before the legitimate answer arrives. These parameters can be inferred by brute force or through side-channel techniques of the kind used in earlier off-path poisoning attacks.

The researchers conducted an internet scan and discovered 154,955 vulnerable CDNS servers out of 1,200,000 DNS resolvers probed. Vulnerable versions were identified using software fingerprints, and the affected software vendors have since confirmed and fixed the flaws.

To fully mitigate the issues, CDNS administrators must apply the patches and follow the configuration guidelines provided by the vendors, since a patched binary running with a forwarding configuration the vendor advises against may still expose the shared cache.