[dns-operations] new DNS forwarder vulnerability

Mark Allman mallman at icir.org
Fri Mar 14 13:45:25 UTC 2014

Just a quick note to let folks know about a new vulnerability we have
found in some low-rent DNS forwarders---which we have been calling the
'preplay attack'.

The finding is that when the vulnerable open resolvers receive a DNS
response they just look at the query string in the response to see if
they have a request for the given string outstanding.  If they do, they
accept the result.  I.e., there is no validation of the source IP, port
number or DNS transaction ID in the response.  Dumb.  This makes
poisoning the caches of these boxes trivial (i.e., send a request for
www.facebook.com and then immediately send an answer).

A few notes ...

  - We have found 7--9% of the open resolver population---or 2-3 million
    boxes---to be vulnerable to this cache poisoning attack.  (The
    variance is from different runs of our experiments.)

  - We have not been able to nail this vulnerability down to a single
    box or manufacturer.  To the contrary, our efforts at identifying the
    boxes indicate it crosses such boundaries.  (However, these boxes
    do seem to be largely situated in residential settings.)

  - We presented these results at PAM earlier this week.  Our paper,
    slides, etc. with details of the attack (and results about
    previously known DNS attacks) are available here:


  - We did give CERT a heads up about this before the paper appeared and
    they kibitzed the information around to various manufacturers of
    this sort of gear.

My mental model is that this sort of gear is upgraded when it goes
kaput.  So, vigilance I guess.



