The Maginot Line: Attacking the Boundary of DNS Caching Protection

Abstract

In this paper, we report MaginotDNS, a powerful cache poisoning attack against DNS servers that simultaneously act as recursive resolvers and forwarders (termed as CDNS). The attack is made possible through exploiting vulnerabilities in the bailiwick checking algorithms, one of the cornerstones of DNS security since the 1990s, and affects multiple versions of popular DNS software, including BIND and Microsoft DNS. Through field tests, we find that the attack is potent, allowing attackers to take over entire DNS zones, even including Top-Level Domains (e.g., .com and .net). Through a large-scale measurement study, we also confirm the extensive usage of CDNSes in real-world networks (up to 41.8% of our probed open DNS servers) and find that at least 35.5% of all CDNSes are vulnerable to MaginotDNS. After interviews with ISPs, we show a wide range of CDNS use cases and real-world attacks. We have reported all the discovered vulnerabilities to DNS software vendors and received acknowledgments from all of them. 3 CVE-ids have been published, and 2 vendors have fixed their software. Our study brings attention to the implementation inconsistency of security checking logic in different DNS software and server modes (i.e., recursive resolvers and forwarders), and we call for standardization and agreements among software vendors.

Publication
In Proceedings of the 32nd USENIX Security Symposium.
Anaheim, CA, USA. Aug 9-11, 2023.
(Acceptance rate: 29.2%)

Overview

In this paper, we report MaginotDNS, a powerful cache poisoning attack against DNS servers that simultaneously act as recursive resolvers and forwarders (termed as CDNS).

MaginotDNS: https://maginotdns.net/

CVEs (9 in total)

  • Knot Resolver: CVE-2022-30250, CVE-2022-30251
  • PowerDNS Recursor: CVE-2022-30252
  • Simple DNS Plus: CVE-2022-30254
  • MaraDNS: CVE-2022-30256
  • Technitium: CVE-2022-30257, CVE-2022-30258
  • Unbound: CVE-2022-30698, CVE-2022-30699

Qifan Zhang
Ph.D. candidate

Qifan Zhang (张起帆) is now a 5th- and final-year Ph.D. candidate in the Department of Electrical Engineering & Computer Science at the University of California, Irvine, with a focus on Computer Security, advised by Prof. Zhou Li. His research interests include Network Security, especially the Domain Name System (DNS), and Machine Learning Security and Privacy. Before that, he received his B.Eng. degree in Computer Science and Technology from ShanghaiTech University in 2020, with an interim summer session at the University of California, Berkeley in 2017.

Pronunciation of his name: Chee-Fan Jang.