[dns-operations] Spoofing DNS with fragments

Mukund Sivaraman muks at mukund.org
Thu Sep 13 06:01:30 UTC 2018

Hi Bert

On Mon, Sep 10, 2018 at 10:49:25PM +0200, bert hubert wrote:
> Hi everyone,
> Interrupting my rants against DNS over HTTPs centralized DNS for a bit, I
> wrote up this piece https://blog.powerdns.com/2018/09/10/spoofing-dns-with-fragments/
> on the research by Haya Shulman and her team on spoofing DNS with fragments.
> In October they will present about this over at ACM Conference on Computer and Communications
> Security. 
> The team has done a demo of the technique for The Register journalist Richard
> Chirgwin, so it likely is possible to do under at least somewhat real life
> conditions. 

Going back to the drawing board:

Have anyone seen a reproducible published method using the technique,
that can be recreated in non-controlled conditions such as on the public
internet? As far as I can gather from the Register article, they've seen
a paper.

I am asking because this author is known to us from a previous paper
making claims that could not be reproduced. In the recent years, a paper
was forwarded to us (at my previous employer) that claimed of various
CNAME chain and additional section based poisoning and claimed that a
variety of DNS implementations were found vulnerable including BIND. We
could not test other implementations, but we did check the author's
claims and didn't find BIND vulnerable to any of the recipes provided in
the paper.


(No CVEs or any bugfixes were released for any of the several claims in
the paper, because we couldn't reproduce any of them.)

IP fragmentation attack is neither new nor is it for DNS - the same
author has published "Fragmentation Considered Poisonous", which
influenced me to prepare the EDNS CHECKSUM draft against any
fragmentation attacks. But some time after writing that draft, I did not
feel that the attack was practical in a real-life public internet
scenario at that time. If the attacks described in that previous paper
were performable, surely they'd have been used and we'd be aware of

Perhaps this has changed, and we should have an open mind for each
vulnerability report, but I'd like to see a clear reproducible (by us)
recipe in a non-controlled situation, such as poisoning a public or 3rd
party DNS resolver (CA's resolver should be fine) for an answer from a
well-known 3rd party zone such as ISC.ORG.


More information about the dns-operations mailing list