The Domain Name System (DNS) is key to the availability and correct operation of the Internet. Due to its significance it is also a lucrative target for attacks, most notably for cache poisoning. DNS cache-poisoning enables attackers to redirect clients to malicious hosts, allowing distribution of malware, credentials theft, phishing and spam, web sites defacement, and more.
Cryptographic defenses were designed (DNSSEC), but are not widely deployed; instead, multiple challenge-response defenses are used. However, we show how attackers may be able to circumvent those defenses and poison in spite of them; specifically:
- Circumvent source port randomisation, in the (common) case where the resolver connects to the Internet via different NAT devices.
- Circumvent IP address randomisation supported by standard-conforming resolvers.
- Circumvent query randomisation, including both randomisation by prepending a random nonce and case randomisation (0x20 encoding).
We present countermeasures preventing our attacks; however, we advocate that only correct adoption of cryptographic security such as DNSSEC, can prevent the cache-poisoning attacks, and discuss the challenges and status of DNSSEC deployment.
Joint work with Amir Herzberg.