Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: New DNS Spoofing Technique: Why we haven't covered it. - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
New DNS Spoofing Technique: Why we haven't covered it.

The last couple of days, a lot of readers sent us links to articles proclaiming yet another new flaw in DNS. "Critical Vulnerability in BIND Software Puts DNS Protocol Security At Risk" [1] claimed one article, going forward to state: "The students have found a way to compel DNS servers to connect with a specific server controlled by the attacker that could respond with a false IP address. ??

So how bad is this really?

First of all, here is a the "TL;DR;" version of the vulnerability:

A domain usually uses several authoritative DNS servers. A recursive DNS server resolving a domain will pick a "random" authoritative DNS server for this particular domain. The real question is: How random? Actually as it turns out, it isn't random at all, and this is a features. BIND attempts to use the fastest name server, and has a special algorithm ( Smoothed Round Trip Time or SSRT algorithm) to figure out which server to use. 

The vulnerability found here allows an attacker to influence the SSRT values in order to direct the name server to use a specific authoritative name server for a domain.

So the result is that the attacker can determine which authoritative name server is being used. BUT it has to be among the set of valid authoritative name servers. The attacker can not redirect the queries to an arbitrary name server of the attackers choosing.

So how does this make DNS spoofing easier?

The attacker has to guess three variables in order to spoof a DNS response:

  1. the query id (1/65535)
  2. the source port (theoretically 1/65535, but in most implementations more like 1/5000).
  3. the name server IP (average 1/4) 

By pinning the name server IP, the attacker will only gain a marginal advantage. The issue may be more of a problem if one of the servers is compromised. But in this case, DNS spoofing isn't really your #1 priority.

Without DNSSEC, DNS spoofing is certainly possible, and this attacks makes it a bit more likely. But this attack is hardly a game changer and only provides a minor advantage to the attacker. 

What should you do?

Relax... finish your coffee... read up on DNSSEC and apply BIND patches as they become available (because it is always good to patch.)

Also the original presentation/paper is available as well and a lot better then some of the news reports covering it.

How hard is it to implement DNSSEC? It isn't trivial, but more recent versions of BIND make it a lot easier by automating some of the re-signing tasks. It is easiest if your registrar supports it and you host your zones with them. For example the registrar I host a couple of my domains with automates the entire process for about $5/year. 

[1] http://thehackernews.com/2014/05/critical-vulnerability-in-bind-software.html
[2] https://www.usenix.org/conference/woot13/workshop-program/presentation/hay

We also had another recent article covering some new DNS spoofing techniques:

New tricks that may bring DNS spoofing back or: "Why you should enable DNSSEC even if it is a pain to do"

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

I will be teaching next: Intrusion Detection In-Depth - SIEM Summit & Training 2019

Johannes

3627 Posts
ISC Handler
ISC appears to have issued a response to the reported articles on this vulnerability:

<https://lists.isc.org/pipermail/bind-users/2014-May/093141.html>
Anonymous

Sign Up for Free or Log In to start participating in the conversation!