[dns-operations] new DNS forwarder vulnerability

David Dagon dagon at sudo.sh
Fri Mar 14 18:05:36 UTC 2014

On Fri, Mar 14, 2014 at 09:45:25AM -0400, Mark Allman wrote:

>   - We have found 7--9% of the open resolver population---or 2-3 million
>     boxes---to be vulnerable to this cache poisoning attack.  (The
>     variance is from different runs of our experiments.)

I've noted that ~30% of the open recursives have diurnal properties
(if not dhcp churn as well), and much of this comes from hosts running
RomPager firmware (likely CPE devices or captive portals).  So this
fits your 7-9% number.

Much of the open rec scanning efforts I observe do daily checks, and
would therefore miss some portion of the population (perhaps the 30%
upper limit I've noted).  If you're still actively scanning we might
compare notes, or I could provide you trace feeds from my ongoing dns
speaker lists.

The paper's very interesting and well done.

I'm worried there's no feasible "notice/wait" period for vendor fixes,
usually found in software vulnerabilities.  It might be that commodity
CPE issues are addressed only at the ISP network level, and I commend
you to look at solutions in that space.  Generally some 1-2% of ISP
traffic is off-path DNS already, and your paper (plus the lack of an
update path) suggests the need for network owner assistance in
detecting poisoning.   

David Dagon
dagon at sudo.sh
D970 6D9E E500 E877 B1E3  D3F8 5937 48DC 0FDC E717

More information about the dns-operations mailing list