Another reason you should implement DNSSEC now

Researchers from the University of California and Tsinghua University in China have published discovery of a new form of DNS cache poisoning attack. This form of attack leverages "side channels" through use of the Internet Control Message Protocol (ICMP) to improve the likelihood of attack success by identifying the subset of source UDP ports actually used by a recursive server when issuing queries. Confining this pool of randomized ports helps reduce the universe of port numbers the attacker can try when attempting to emulate a proper query response. 

Source port and DNS transaction identifier randomization has been the recommended mitigation approaches against cache poisoning attacks, even for more nefarious Kaminsky-discovered attacks. However, this use of side channels reduces the robustness of source port randomization mitigation. Of course, DNS security extensions (DNSSEC) remains the only definitive means to mitigate cache poisoning attacks, including this new variant. 

But let's start at the beginning: DNS resolvers, forwarders and recursive servers (generally "resolvers") maintain a cache of resolved resource records to improve name resolution performance by obviating repeated lookups for information recently queried. If an attacker succeeds in corrupting a resolver's cache, the corrupted information may be provided to several users requesting the same or similar domain name information. Corrupting the cache requires an attacker to provide a seemingly legitimate query answer albeit with falsified resolution information in part or in total.

These types of attacks are generally conducted as shown in the figure below where an attacker appears to the recursive server as the legitimate authoritative server to which it issued the query. In the various forms of this attack, ultimately the attacker attempts to corrupt the cache of the recursive DNS server, e.g., by pointing the resolution of a legitimate and even popular web or server address to a server operated by the attacker. The falsified resolution data is returned to the originator of the query and is also returned to other resolvers querying for this information while the corrupted information resides in cache, i.e., for the duration of the TTL. This has the effect of hijacking potentially several resolvers and hence applications to incorrect destinations, e.g., web sites.


To corrupt the cache, the DNS query response from the attacker must reach the server before the legitimate response and map to an outstanding query for which the recursive server is awaiting a response. The server will map a received answer to a previously issued query by matching the following fields in the response:

  • The source IP address of the response maps to the destination IP address of the query and the destination IP address matches the address of this server.
  • The destination port of the response with the source port of the query and the answer’s source port is 53.
  • The DNS transaction ID within the DNS header matches on both the query and the response
  • The DNS Qname, Qclass and Qtype in the question section matches on both the query and the response.
  • The domain names in the Authority and Additional sections of the response must fall within the same domain branch as the Qname. This is known as the bailiwick check.

The DNS server will accept the first matching answer it receives, cache it and respond to the querying user. If the attacker can match the parameters with an answer that arrives before the legitimate answer from the authoritative name server, he or she will have succeeded in poisoning the cache with an answer that will be provided to other clients querying similar information. As mentioned in the opening, this side channel attack helps reduce the span of candidate UDP ports used by the resolver, and therefore reduces the number of unique parameter combinations an attacker must use to guess correctly.

You can turn off ICMP, reduce query timeouts, even use qname case checking, but the only definitive solution to this attack is DNSSEC. When responses are signed and the resolver validates the signature using the DNSSEC chain of trust, the resolver is assured that the response was published by the authoritative zone operator and that the response was not modified en route. And these days, implementing DNSSEC validation is really easy. In fact, most commercial distributions of DNS recursive servers support DNSSEC validation out of the box. This includes provision of the root zone public key and support for automated detection and updating of changed root keys. Such automation provides virtually hands-free implementation and ongoing maintenance of DNSSEC validation. 

Of course, your recursive servers can only validate DNSSEC-signed resolution data, and herein lies the rub. Unfortunately, while 85% of US government zones are signed, only 7% of university zones and about 4% of industry zones are signed according to NIST estimates. Thus, the majority of non-US government zones remains unsigned as of today. In terms of DNSSEC validating resolvers, APNIC measurements indicate about 25% of DNS resolvers support DNSSEC validation. 

While signing zones is more complicated than validating signatures, at least in terms of implementation and management, the process has gotten a lot easier for most leading implementations. Many implementations support automated key generation and rollover but often some manual intervention is required, especially when rolling key signing keys (KSKs). Even fully automated authoritative signing servers including BT's require some effort to link the chain of trust, though support of CDS and CDNSKEY records by both parent and child can help automate this process as well. 

To learn more about this attack, what defenses you can deploy, how DNSSEC can help and even how BT's solutions can help ease implementation, please contact me via email or comment.

Comments

Post a Comment

Popular posts from this blog

Handy AAAA filter in BIND 9.8

The ISC introduced a pair of new configuration file options in BIND 9.8 to enable administrators to easily filter who may receive AAAA record type responses even if valid responses exist. For example, clients on subnets that do not have IPv6 network access can be excluded from receiving affirmative answers for AAAA queries. This feature provides simpler administration than the alternative mechanism using views. The first option, filter-aaaa-on-v4,defines whether the server will return AAAA records to certain clients. Such clients are defined by the address match list parameter of the second option, filter-aaaa. Note that BIND must be compiled with the --enable-filter-aaaa option on the configure command line to enable AAAA filtering. The syntax of these options is as follows: filter-aaaa-on-v4 (yes | no | break-dnssec) ; filter-aaaa {addr_match_list;} ; The filter-aaaa option identifies the address match list for which the filter-aaaa-on-v4 option is to be applied as described ...
Read more

Inglorious DDI

We all know how critical DHCP/DNS/IPAM (DDI) services are. Your network cannot function without them. But like most foundational elements of anything, they are certainly not glamorous...like good luck finding a home designer who specializes in home foundations. I would not be shocked should HGTV pass on my brilliant concept for a foundation building show. I suppose most people would find a show detailing footing depths and concrete pouring techniques rather boring.  Nevertheless, there are countless shows for redesigning and remodeling homes. On most episodes the foundation is out of sight, out of mind. If it's stable, no one wants to pay it attention, they just expect it to keep doing its job, supporting the structure. Once in a while a foundational issue is brought up that unexpectedly threatens to raise the budget to heighten the drama. All work stops until the issue is addressed. And you'll notice that the owner never denies paying the extra amount to fix the issue. ...
Read more

BIND 9.8.0 Adds DNS64 Support - Part 2 - How is it configured?

BIND 9.8.0 introduced a new dns64 option statement that can be configured within the server named.conf options block or within a view options block. Recall from a prior post that DNS64 configures a recursive DNS server to issue A record queries on behalf of a client requesting AAAA records, then appends the returned IPv4 address to a defined IPv6 prefix. This manufactured IPv6 address enables the querying host to connect to a NAT64 gateway which will terminate the IPv6 connection from the client and map it to an outbound IPv4 connection to the appended IPv4 address, completing the connection! Whew! BIND offers a number of useful parameters within the dns64 statement to control this process. The statement syntax is: dns64 IPv6_prefix { [clients {address_match_list };] [mapped {address_match_list };] [exclude {address_match_list };] [suffix IPv6_addr;] [recursive-only (yes|no);] [break-dnssec (yes|no);] }; The IPv6_prefix parameter is the prefix to which returned...
Read more