Abstract
A growing number of networks delegate their DNS resolution to trusted upstream resolvers. The communication to and from the upstream resolver is invisible to off-path attackers. Hence, such delegation is considered to improve the resilience of the resolvers to cache-poisoning and DoS attacks, and also to provide other security, performance, reliability and management advantages.
We show that merely relying on an upstream resolver for security may in fact result in vulnerability to DNS poisoning and DoS attacks. The attack proceeds in modular steps: detecting delegation of DNS resolution, discovering the IP address of the internal (proxy) resolver, discovering the source port used for the (victim) DNS request, and then completing the attack. The steps of the attack can be of independent use, e.g., the proxy resolver can be exposed to denial of service attacks once its IP address is discovered.
We provide recommendations for securing the DNS service delegation, to avoid these vulnerabilities.
© 2013 Springer-Verlag Berlin Heidelberg
Herzberg, A., Shulman, H. (2013). Vulnerable Delegation of DNS Resolution. In: Crampton, J., Jajodia, S., Mayes, K. (eds) Computer Security – ESORICS 2013. ESORICS 2013. Lecture Notes in Computer Science, vol 8134. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-40203-6_13
DOI: https://doi.org/10.1007/978-3-642-40203-6_13
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-40202-9
Online ISBN: 978-3-642-40203-6