The DNS Mess

This week the details of a major vulnerability in the software that runs the Domain Name System (DNS) were released to the public.  This occurred only a couple of weeks after software vendors released patches to fix the vulnerability.  This bug affects virtually every vendors’ DNS implementation including Microsoft, Cisco and ISC just to name a few.  The details of the bug have been discussed in many places, but the long and short of it is that any DNS server that allows recursive queries (which most of them do) is subject to a cache poisoning attack.

Whenever a DNS server receives a request to resolve a host name for a client, if it does not have it cached it will contact a root name server to find out which DNS server is authoritative for the domain being requested.  Once the DNS server has this information it will then query the authoritative name server for that domain to obtain the address of the server being requested (e.g. www.infosecstuff.com).  Finally, it will remember (cache) this information for a period of time in case it is requested again in the future.

The DNS vulnerability allows an attacker to make many requests to a recursive name server, spoof responses to that server so that they appear to come from a root name server and thus fool the server to add bogus information into its cache.  The attacker can inject his own DNS server as authoritative for any domain he chooses.  The attacked DNS server will then unwittingly provide this bogus information to clients when they request the address of hosts in the targeted domain(s).

What is the practical effect of this vulnerability?  An attacker could convince an ISP’s name server, for example, that the authoritative DNS server for bigbank.com is the attacker’s machine rather than the actual DNS server for bigbank.com.  Then when you attempt to access your bank account at www.bigbank.com, you will actually be sent to the hacker’s fake bank site (that look slike www.bigbank.com) where you will happily hand over your account credentials to the hacker.  You can guess what happens next.

There is not much that home users can do to protect themselves.  This is a problem for system and network administrators.  Fortunately, patches are available.  If you are responsible for a DNS server, install the patch immediately.  If you manage the IT staff at a company, make sure they have a plan to install the patch.  This is one you don’t want to put on the back burner.

No Responses to “The DNS Mess”

Trackbacks/Pingbacks

  1. Evilgrade Attacks Automatic Updates | InfoSecStuff - [...] week I wrote about the DNS cache poisoning vulnerability that affects nearly all vendors’ DNS implementations.  If you haven’t…