ResolverFuzz: Automated Discovery of DNS Resolver Vulnerabilities with Query-Response Fuzzing

Abstract

The Domain Name System (DNS) is a critical component of the Internet. DNS resolvers, which act as the cache between DNS clients and DNS nameservers, are the central piece of the DNS infrastructure and essential to its scalability. However, finding resolver vulnerabilities is non-trivial, and the problem is not well addressed by existing tools, for several reasons. First, most known resolver vulnerabilities are non-crash bugs that cannot be directly detected by existing oracles (or sanitizers). Second, there is no rigorous specification that can serve as a reference for classifying a test case as a resolver bug. Third, DNS resolvers are stateful, and stateful fuzzing remains challenging because of the large input space.

In this paper, we present a new fuzzing system, termed ResolverFuzz, that addresses the aforementioned challenges with a suite of new techniques. First, ResolverFuzz performs constrained stateful fuzzing by focusing on the short query-response sequence, which our study of the published DNS CVEs shows to be the most effective way to find resolver bugs. Second, to generate test cases that are more likely to trigger resolver bugs, we combine probabilistic context-free grammar (PCFG) based input generation with byte-level mutation for both queries and responses. Third, we leverage differential testing and clustering to identify non-crash bugs such as cache poisoning bugs. We evaluated ResolverFuzz against 6 mainstream DNS software packages under 4 resolver modes. Overall, we identify 23 vulnerabilities that can result in cache poisoning, resource consumption, and crash attacks. After responsible disclosure, 19 of them have been confirmed or fixed, and 15 CVE numbers have been assigned.
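The differential-testing and clustering step described above, as an added illustration that is not ResolverFuzz's own code: each resolver's cache is snapshotted after the same query-response sequence, snapshots are normalized and clustered, and any resolver outside the majority cluster is reported together with the records it cached that the others did not. The resolver names, record tuples and the extra out-of-bailiwick rule are assumptions constructed for this example.

```python
"""Differential-testing oracle over resolver cache snapshots (constructed example)."""
from collections import defaultdict

def canon(name):
    """Canonical DNS owner name: lowercase with a single trailing dot."""
    return name.lower().rstrip(".") + "."

def normalize(records):
    """Drop TTL and case so only the semantic cache content is compared.
    Input tuples are (owner, type, ttl, rdata); output tuples are (owner, type, rdata)."""
    return frozenset((canon(n), t.upper(), canon(v) if t.upper() in ("NS", "CNAME") else v)
                     for n, t, _ttl, v in records)

def cluster(snapshots):
    """Group resolvers whose normalized cache content is identical."""
    groups = defaultdict(list)
    for resolver, recs in snapshots.items():
        groups[normalize(recs)].append(resolver)
    return groups

def find_outliers(snapshots):
    """The largest cluster is taken as the reference behaviour; every resolver in any
    other cluster is a candidate bug. Returns {resolver: records cached beyond the reference}."""
    groups = cluster(snapshots)
    reference = max(groups, key=lambda content: len(groups[content]))
    return {r: set(content - reference)
            for content, members in groups.items() if content != reference
            for r in members}

def out_of_bailiwick(records, zone):
    """Extra rule-based check (assumption, not from the paper): records whose owner name is
    not at or below the responding zone should never have been cached from that response."""
    z = canon(zone)
    return {(n, t, v) for n, t, v in records if canon(n) != z and not canon(n).endswith("." + z)}

# Constructed sample: four resolvers fed the same query/response sequence for www.example.test,
# where the response also carried an additional-section A record for an unrelated name.
SNAPSHOTS = {
    "resolver-A": [("www.example.test", "A", 300, "192.0.2.10")],
    "resolver-B": [("www.example.test.", "a", 120, "192.0.2.10")],
    "resolver-C": [("www.example.test", "A", 300, "192.0.2.10")],
    "resolver-D": [("www.example.test", "A", 300, "192.0.2.10"),
                   ("victim.other.test", "A", 86400, "198.51.100.7")],
}

if __name__ == "__main__":
    for resolver, extra in find_outliers(SNAPSHOTS).items():
        print(resolver, "cached extra records:", sorted(extra))
        print("  of which out-of-bailiwick:", sorted(out_of_bailiwick(extra, "example.test")))
```

Resolvers A, B and C normalize to the same content and form the reference cluster; resolver D is reported because it cached the unrelated record, which the bailiwick rule additionally flags as a poisoning candidate.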

Publication
In Proceedings of the 33rd USENIX Security Symposium.
Philadelphia, PA, USA. Aug 14–16, 2024.
(Acceptance rate: ??.?%)

Overview

More details coming soon ...

CVEs (15 in total)

  • BIND: CVE-2021-25220
  • Knot Resolver: CVE-2022-30250 CVE-2022-32983 CVE-2023-26250 CVE-2023-26249
  • Unbound: CVE-2022-30698
  • PowerDNS Recursor: CVE-2022-30252 CVE-2023-26251 CVE-2023-26252 CVE-2023-24712
  • MaraDNS: CVE-2022-30256 CVE-2023-22905
  • Technitium: CVE-2021-43105 CVE-2022-30257 CVE-2022-48256
  • Qifan Zhang
    Ph.D. candidate

    Qifan Zhang (张起帆) is a 4th-year Ph.D. candidate in the Department of Electrical Engineering & Computer Science at the University of California, Irvine, focusing on Computer Security and advised by Prof. Zhou Li. His research interests include Network Security, especially the Domain Name System (DNS), and Machine Learning Security and Privacy. Before that, he received his B.Eng. degree in Computer Science and Technology from ShanghaiTech University in 2020, with an interim summer session at the University of California, Berkeley in 2017.

    Pronunciation of his name: Chee-Fan Jang.
    His Curriculum Vitae (last updated on Mar 28, 2024)