[dns-operations] MaginotDNS: Attacking the boundary of DNS caching protection

Xiang Li idealeer521 at gmail.com
Wed Sep 27 13:42:16 UTC 2023


Evening!

> I don’t think this is true otherwise all resolver implementations would
> have been affected and not just a few. If you are on path direct behind
> the resolver of course all bets are off, but if you are on path just
> between the resolver and the forwarder those resolvers that are more
> cautious in what cache information they use for iterative queries are not
> vulnerable.
>

DoT could work if the attacker is between the server and the resolver.
However, if the attacker controls the target server, DoT just fails.

I guess that is why Akamai Cacheserve, NLNet Labs Unbound and PowerDNS
> Recursor are not mentioned in the paper because they were not vulnerable.
>

Sorry. That software is not affected because it implemented
the bailiwick checking well, as we explained in our paper, not because
it used DoT as you said. That's what we found by performing our analysis and
testing.
We also tested Akamai Cacheserver after Akamai researchers reached out to
us.
Both their immune implementations and DNSSEC protected them well.

I agree that DNSSEC can fully mitigate it and should be used. Any
> encrypted transport to a forwarder also would work, but IMHO it probably
> would be better to not use forwarding at all.
>

Yes. DNSSEC will work.

Best,
Xiang

On Wed, Sep 27, 2023 at 3:39 PM Ralf Weber <dns at fl1ger.de> wrote:

> Moin!
>
> On 27 Sep 2023, at 3:58, Xiang Li wrote:
>
> > Hi Stephane,
> >
> > This is Xiang, the author of this paper.
> >
> > For the off-path attack, DoT can protect the CDNS from being poisoned.
> > For the on-path attack, since the forwarding query is sent to the
> > attacker's server, only DNSSEC can mitigate the MaginotDNS.
>
> I don’t think this is true otherwise all resolver implementations would
> have been affected and not just a few. If you are on path direct behind
> the resolver of course all bets are off, but if you are on path just
> between the resolver and the forwarder those resolvers that are more
> cautious in what cache information they use for iterative queries are not
> vulnerable.
>
> I guess that is why Akamai Cacheserve, NLNet Labs Unbound and PowerDNS
> Recursor are not mentioned in the paper because they were not vulnerable.
>
> I agree that DNSSEC can fully mitigate it and should be used. Any
> encrypted transport to a forwarder also would work, but IMHO it probably
> would be better to not use forwarding at all.
>
> So long
> -Ralf
> ——-
> Ralf Weber
>
>
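The bailiwick check Xiang refers to above, written out as an added example (my own code, not from the paper or from any of the resolvers named in the thread): when a resolver forwards queries for a configured zone to an upstream, the forwarded zone is used as the bailiwick for the upstream's reply, and every record whose owner name falls outside that zone is kept out of the shared cache. The zone, names, addresses and the response below are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class RR:
    """A simplified DNS resource record (owner name, type, rdata)."""
    name: str
    rtype: str
    rdata: str


def canon(name: str) -> str:
    """Normalise a domain name: lower-case with a single trailing dot."""
    return name.lower().rstrip(".") + "."


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` equals `zone` or lies below it in the DNS tree.

    The comparison is label-based (a leading dot is required before the
    zone suffix), so "bexample." is NOT in the bailiwick of "example.".
    """
    name, zone = canon(name), canon(zone)
    if zone == ".":
        return True
    return name == zone or name.endswith("." + zone)


def filter_response(bailiwick: str, answer: List[RR], authority: List[RR],
                    additional: List[RR]) -> Tuple[List[RR], List[RR]]:
    """Split a reply into records that may enter the cache and records to drop.

    `bailiwick` is the zone the query was sent for: the zone the server is
    authoritative for in iterative mode, or the configured forward zone when
    the reply comes from an upstream forwarder. Records in any section whose
    owner name is outside that zone are rejected before caching.
    """
    accepted: List[RR] = []
    rejected: List[RR] = []
    for rr in answer + authority + additional:
        (accepted if in_bailiwick(rr.name, bailiwick) else rejected).append(rr)
    return accepted, rejected


# Constructed sample: a resolver forwards queries under "corp.example" to a
# configured upstream. The reply carries two records that do not belong to
# that zone (a parent-zone NS record and glue for an unrelated name); a cache
# shared with recursive resolution must not accept them.
SAMPLE_ZONE = "corp.example"
SAMPLE_RESPONSE: Dict[str, List[RR]] = {
    "answer": [RR("host.corp.example.", "A", "192.0.2.10")],
    "authority": [
        RR("corp.example.", "NS", "ns1.corp.example."),
        RR("example.", "NS", "ns.example.net."),          # parent zone: out of bailiwick
    ],
    "additional": [
        RR("ns1.corp.example.", "A", "192.0.2.53"),
        RR("www.example.net.", "A", "203.0.113.66"),      # unrelated name: out of bailiwick
    ],
}


def demo() -> Tuple[List[RR], List[RR]]:
    """Run the filter over the constructed reply and return (accepted, rejected)."""
    return filter_response(SAMPLE_ZONE, **SAMPLE_RESPONSE)


if __name__ == "__main__":
    acc, rej = demo()
    print("accepted into cache:")
    for rr in acc:
        print(f"  {rr.name} {rr.rtype} {rr.rdata}")
    print("rejected (out of bailiwick):")
    for rr in rej:
        print(f"  {rr.name} {rr.rtype} {rr.rdata}")
```

Real resolvers layer further rules on top of this (RFC 2181 ranks data by section and source, and glue is only used to reach the nameservers it was returned for), but the owner-name test above is the boundary the thread is about: a reply from a forwarder is trusted only for the zone it was asked about, not for the whole namespace.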