[dns-operations] MaginotDNS: Attacking the boundary of DNS caching protection

Petr Špaček pspacek at isc.org
Wed Sep 27 15:17:05 UTC 2023


On 27. 09. 23 9:38, Ralf Weber wrote:
> Moin!
> 
> On 27 Sep 2023, at 3:58, Xiang Li wrote:
> 
>> Hi Stephane,
>>
>> This is Xiang, the author of this paper.
>>
>> For the off-path attack, DoT can protect the CDNS from being poisoned.
>> For the on-path attack, since the forwarding query is sent to the
>> attacker's server, only DNSSEC can mitigate MaginotDNS.
> 
> I don’t think this is true, otherwise all resolver implementations would
> have been affected and not just a few. If you are on path directly behind
> the resolver, of course all bets are off, but if you are on path just
> between the resolver and the forwarder, those resolvers that are more
> cautious in what cache information they use for iterative queries are not
> vulnerable.
> 
> I guess that is why Akamai Cacheserve, NLnet Labs Unbound and PowerDNS
> Recursor are not mentioned in the paper: because they were not vulnerable.

That's right.

If you are interested in the gory details, BIND's description of the 
issue can be found here:
https://gitlab.isc.org/isc-projects/bind9/-/issues/2950#note_241893
https://gitlab.isc.org/isc-projects/bind9/-/issues/2950#note_244624

Also the surrounding comments have more details including vulnerable 
config files and PCAPs.

-- 
Petr Špaček
Internet Systems Consortium



