SAD DNS: What is This DNS Cache Poisoning Method

In 2008, poisoning the cache of Domain Name System (DNS) servers was a major headache. DNS server software was then hardened (source ports were randomized, so an attacker could no longer predict where a reply had to arrive) and attacks of this type became very rare. In 2020, however, they have made a significant comeback with the new SAD DNS attack. Do you want to know all about this new DNS cache poisoning attack?


The UC Riverside investigation

Researchers at the University of California, Riverside have discovered a new way to attack DNS, focused on poisoning the cache of DNS servers (resolvers). The attack has been named SAD DNS, and it is a serious security problem that the large DNS providers are already beginning to fix. In 2008, attacks of this type were carried out with spoofed IP addresses, that is, forged source addresses: a cybercriminal could redirect our browser from the legitimate website we had typed in the address bar to a fake one that served malware or was simply a phishing page. That problem was fixed in all major DNS server software.

Next, we will briefly explain how DNS works, and then discuss SAD DNS, the new DNS poisoning attack.


How a DNS server works

DNS stands for Domain Name System. DNS servers are responsible for translating the domain name we type into the address bar of our browser into the IP address of the web server that hosts the page we are looking for.

The websites we want to reach are hosted on web servers with a specific public IP address. When we type the site's name, the DNS server supplies the IP address we need. For example, typing 216.58.210.163 directly into the address bar loads the Google website (the address given in the original article; the addresses behind a large site change over time, so it may not behave this way today). In short, DNS servers translate what we type as text into an IP address, because names are easier to remember than numbers.

Attacks using SAD DNS

The researchers found a side-channel attack that works against the most popular DNS software; this is SAD DNS. Vulnerable software includes BIND, Unbound and dnsmasq, which are widely used on Linux and other operating systems. An important detail is that the attack depends on the operating system and the DNS server's network being configured to emit ICMP error messages (the "port unreachable" replies a host sends when a UDP datagram arrives at a closed port).

The attack begins with an attacker who can send packets with spoofed source IP addresses and who gets a DNS forwarder or resolver to issue a query upstream. Forwarders are the intermediate servers that pass DNS queries on to other resolvers. While the query is in flight, the resolver has a UDP socket open on an ephemeral source port waiting for the reply, and that port number is exactly what an off-path attacker could not learn since 2008. The researchers used a side channel separate from the DNS traffic itself: the ICMP error messages, and in particular the rate at which the host is willing to send them, by default 1000 per second on Linux. By sending probes at that rate and observing whether the ICMP rate limit had been exhausted, they could tell which port was open, provided they kept the query window open long enough. Once the source port is no longer secret, only the 16-bit transaction ID remains to be guessed, and the researchers were able to inject a forged response carrying a malicious IP address, completing the poisoning.

In the study, they found that more than 34% of the DNS servers they measured were vulnerable to the attack. More worrying still, 85% of the most popular free public DNS services were exposed. If you want to check whether you are exposed to an attack of this kind, go to the SAD DNS website and follow its instructions.
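To make the mechanics above concrete, here is a small Python model, added for this article and not code from the original page or from the UC Riverside researchers. It simulates the three ingredients described in the previous section: a resolver with one query in flight on a connected UDP socket, the host's global ICMP error rate limit (assumed to be the Linux default of 1000 messages per second, net.ipv4.icmp_msgs_per_sec), and an off-path attacker who can spoof the upstream server's address. The IP addresses, the ephemeral port range and the "known closed" port are assumptions of the model. Constructing a resolver with icmp_enabled=False shows why the ICMP-blocking mitigation discussed in the prevention section below closes the channel.

```python
"""Toy model of the SAD DNS side channel (added example, not the article's or the
researchers' code). Assumptions: Linux default ICMP rate limit of 1000/s, the
ephemeral range below, documentation-range IPs and port 1 being closed."""

ICMP_GLOBAL_LIMIT = 1000               # ICMP errors the host sends per second (assumed Linux default)
EPHEMERAL_PORTS = range(32768, 61000)  # assumed ephemeral port range of the resolver host
UPSTREAM_IP = "198.51.100.53"          # upstream server the resolver is waiting on (assumed)
ATTACKER_IP = "203.0.113.7"            # off-path attacker (assumed)
KNOWN_CLOSED_PORT = 1                  # assumed to have no listener on the resolver host


class ResolverHost:
    """A resolver with one query in flight; accepts a reply only on the right port and TXID."""

    def __init__(self, open_port, txid, icmp_enabled=True):
        self.open_port = open_port            # the secret ephemeral source port
        self.txid = txid                      # the 16-bit transaction ID of the pending query
        self.icmp_enabled = icmp_enabled      # False models "block outgoing ICMP errors"
        self.icmp_budget = ICMP_GLOBAL_LIMIT
        self.cached_answer = None

    def new_second(self):
        """The rate limiter refills once per second (simplified to a plain counter)."""
        self.icmp_budget = ICMP_GLOBAL_LIMIT

    def udp_probe(self, src_ip, dst_port):
        """Deliver a UDP datagram; return True if an ICMP port-unreachable goes back to src_ip."""
        # A connected UDP socket only accepts datagrams from its peer, so from any other
        # source the open port looks closed. That is why the attacker must spoof the upstream.
        if dst_port == self.open_port and src_ip == UPSTREAM_IP:
            return False                       # delivered to the socket: no ICMP error
        if not self.icmp_enabled or self.icmp_budget == 0:
            return False                       # closed port, but no ICMP error is emitted
        self.icmp_budget -= 1
        return True

    def dns_response(self, src_ip, dst_port, txid, answer):
        """Cache a reply only if source, destination port and transaction ID all match."""
        if src_ip == UPSTREAM_IP and dst_port == self.open_port and txid == self.txid:
            self.cached_answer = answer
            return True
        return False


def batch_contains_open_port(host, ports):
    """One second of the side channel: spoof exactly ICMP_GLOBAL_LIMIT probes as the upstream
    (padded with a known-closed port). Each closed port burns one ICMP token, the open port
    burns none. An ICMP reply to the attacker's own final probe means one token was left,
    i.e. the batch contained the open port."""
    assert len(ports) <= ICMP_GLOBAL_LIMIT
    host.new_second()
    padding = [KNOWN_CLOSED_PORT] * (ICMP_GLOBAL_LIMIT - len(ports))
    for port in list(ports) + padding:
        host.udp_probe(UPSTREAM_IP, port)      # any ICMP reply goes to the upstream, not to us
    return host.udp_probe(ATTACKER_IP, KNOWN_CLOSED_PORT)


def find_open_port(host):
    """Sweep the ephemeral range in 1000-port batches, then binary-search the hit.
    Returns (port, seconds_spent); port is None when the channel yields nothing,
    which is what happens when the host sends no ICMP errors at all."""
    seconds, candidates, ports = 0, None, list(EPHEMERAL_PORTS)
    for i in range(0, len(ports), ICMP_GLOBAL_LIMIT):
        seconds += 1
        if batch_contains_open_port(host, ports[i:i + ICMP_GLOBAL_LIMIT]):
            candidates = ports[i:i + ICMP_GLOBAL_LIMIT]
            break
    if candidates is None:
        return None, seconds
    while len(candidates) > 1:
        half = candidates[:len(candidates) // 2]
        seconds += 1
        candidates = half if batch_contains_open_port(host, half) else candidates[len(half):]
    return candidates[0], seconds


def poison(host, port, bogus_ip="203.0.113.66"):
    """With the port known, only the 16-bit TXID is left: spoof one reply per value."""
    for txid in range(1 << 16):
        if host.dns_response(UPSTREAM_IP, port, txid, bogus_ip):
            return txid
    return None


if __name__ == "__main__":
    victim = ResolverHost(open_port=44123, txid=0xBEEF)
    port, secs = find_open_port(victim)
    print(f"port {port} found in {secs} s; TXID {poison(victim, port):#06x}; cache now {victim.cached_answer}")
    quiet = ResolverHost(open_port=44123, txid=0xBEEF, icmp_enabled=False)
    print("with outgoing ICMP errors blocked:", find_open_port(quiet))
```

The model deliberately leaves out the parts of the real attack that do not change the logic: keeping the query outstanding long enough for the scan to finish, the burst behaviour of the real token-bucket limiter, and the timing noise the researchers had to average out. What it does show is the asymmetry the article describes: the side channel recovers the port in a few tens of seconds, after which the remaining secret is a 16-bit TXID, whereas with the port hidden the attacker would have to guess port and TXID together (roughly 2^16 times the size of the ephemeral range). With ICMP errors disabled the attacker's verification probe is always silent and the sweep finds nothing.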

SAD DNS Attack Prevention

Defense measures such as DNSSEC (and DANE, which builds on it) would stop DNS cache poisoning in principle, because a forged answer fails signature validation no matter how it was injected. The problem is that these mechanisms have never been deployed widely enough, so attacks of this type still work. DNSSEC remains the strongest answer, but its deployment is still insufficient. Another useful measure is DNS cookies (RFC 7873), which add a per-query token to each message that an off-path attacker cannot see and therefore cannot reproduce in a spoofed reply.

On the other hand, the simplest mitigation is to stop the resolver host from sending outgoing ICMP error messages at all, which removes the side channel. This has a cost, since we lose some network troubleshooting and diagnostic functions. Finally, to avoid SAD DNS attacks the ideal is for servers to implement DNSSEC as soon as possible. We also recommend reading Cloudflare's explanation of SAD DNS directly.