Vulnerable Delegation of DNS Resolution

  • Amir Herzberg
  • Haya Shulman
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8134)


A growing number of networks delegate their DNS resolution to trusted upstream resolvers. The communication to and from the upstream resolver is invisible to off-path attackers. Hence, such delegation is considered to improve the resilience of the resolvers to cache-poisoning and DoS attacks, and also to provide other security, performance, reliability and management advantages.

We show that merely relying on an upstream resolver for security may in fact result in vulnerability to DNS poisoning and DoS attacks. The attack proceeds in modular steps: detecting delegation of DNS resolution, discovering the IP address of the internal (proxy) resolver, discovering the source port used for the (victim) DNS request, and then completing the attack. The steps of the attack can be of independent use, e.g., the proxy resolver can be exposed to denial of service attacks once its IP address is discovered.

We provide recommendations for securing the DNS service delegation, to avoid these vulnerabilities.


network security DNS cache poisoning port randomization 



Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Amir Herzberg (1)
  • Haya Shulman (2)
  1. Computer Science Department, Bar Ilan University, Ramat Gan, Israel
  2. Fachbereich Informatik, Technische Universität Darmstadt/EC-SPRIDE, Darmstadt, Germany
