MaginotDNS Attack Enables DNS Cache Data Replacement

A group of Chinese researchers has disclosed the MaginotDNS attack, which allows an attacker to plant incorrect NS records in the cache of DNS servers that act simultaneously as a forwarder and as a recursive resolver (cache poisoning). A successful attack can cause queries to be sent to rogue DNS servers that return false information about the target domain, and can replace an entire DNS zone, including top-level domains (.com, .net, .ru, etc.).

The ability to replace NS records for an unrelated domain stems from a flaw in the implementation of the bailiwick check, the rule that is supposed to reject records for names not belonging to the zone the query was sent to. In a configuration where a DNS server operates as both resolver and forwarder, the bailiwick check is applied only on the resolver path and not in forwarder mode. Since both modes share a single cache, records planted through manipulated forwarder-mode queries are subsequently served for resolver-mode queries as well.


Two attack variants are considered: "off-path", where the attacker cannot intercept traffic between the attacked DNS server and the upstream DNS server it forwards to, and "on-path", where the attacker can intercept the queries between the attacked DNS server and its forwarder. In the on-path demonstration, where the attacker knows the source port of the outgoing DNS query, a query was issued for a domain controlled by the attacker (attacker.com), which was forwarded to the attacker's DNS server; the response also carried forged NS records for the "com" domain which, once the 16-bit transaction ID matched, were stored in the cache and used for other domains as well. In the off-path demonstration against the BIND DNS server, the SAD DNS attack technique was additionally used to
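The cache-sharing condition described above, as an added toy model in Python. This is not code from the MaginotDNS researchers or from any real DNS server: it models one cache fed by a resolver path that applies a bailiwick check and a forwarder path that does not, and shows how an out-of-bailiwick NS record for "com." accepted on the forwarder path becomes visible to resolver-mode lookups. The record names, addresses and the behaviour of `forwarder_accept_fixed` are assumptions made for illustration; there is no wire format and no transaction ID or port matching.

```python
"""Toy model of the cache-sharing condition behind MaginotDNS.

Constructed example, not code from the MaginotDNS authors or from any real
DNS implementation. One cache is shared by two code paths: a resolver path
that applies a bailiwick check, and a forwarder path that, in the vulnerable
variant, does not. No wire format, no TXID or source-port matching; the
"response" is a list of records built inline.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class RR:
    name: str    # owner name, absolute and lower-case, e.g. "com."
    rtype: str   # "A" or "NS"
    rdata: str   # address or nameserver name


def in_bailiwick(zone: str, name: str) -> bool:
    """True if name is zone itself or lies below it. Both are normalised to
    absolute lower-case form; the root zone contains every name."""
    zone = zone.lower().rstrip(".") + "."
    name = name.lower().rstrip(".") + "."
    if zone == ".":
        return True
    return name == zone or name.endswith("." + zone)


@dataclass
class SharedCache:
    """One cache consulted by both the resolver and the forwarder paths."""
    records: dict = field(default_factory=dict)  # (name, rtype) -> set of rdata

    def put(self, rr: RR) -> None:
        self.records.setdefault((rr.name.lower(), rr.rtype), set()).add(rr.rdata)

    def get(self, name: str, rtype: str) -> set:
        return set(self.records.get((name.lower(), rtype), set()))


def resolver_accept(cache: SharedCache, zone: str, response: list) -> list:
    """Resolver path: the answer came from a server queried for `zone`,
    so only records at or below `zone` are cached."""
    accepted = [rr for rr in response if in_bailiwick(zone, rr.name)]
    for rr in accepted:
        cache.put(rr)
    return accepted


def forwarder_accept_vulnerable(cache: SharedCache, qname: str, response: list) -> list:
    """Forwarder path as modelled for the vulnerable case: everything the
    upstream returns is cached, with no bailiwick check at all."""
    for rr in response:
        cache.put(rr)
    return list(response)


def forwarder_accept_fixed(cache: SharedCache, qname: str, response: list) -> list:
    """Hardened forwarder path (an assumed fix for this model): the forwarder
    has no zone-cut knowledge of its own, so the query name is used as the
    bailiwick and anything outside it is dropped."""
    return resolver_accept(cache, qname, response)


# Constructed response to a query for www.attacker.com as an on-path attacker
# could inject it: a plausible answer plus an NS record for "com." that is out
# of bailiwick for attacker.com, with glue pointing at the attacker's server.
FORGED_RESPONSE = [
    RR("www.attacker.com.", "A", "203.0.113.10"),
    RR("com.", "NS", "ns.attacker.com."),       # out of bailiwick
    RR("ns.attacker.com.", "A", "203.0.113.53"),
]


def simulate(vulnerable: bool) -> set:
    """Push the forged answer through the forwarder path for a query on
    www.attacker.com, then read back what a resolver-mode lookup of the
    .com delegation now finds in the shared cache."""
    cache = SharedCache()  # starts empty to isolate the poisoning step
    accept = forwarder_accept_vulnerable if vulnerable else forwarder_accept_fixed
    accept(cache, "www.attacker.com.", FORGED_RESPONSE)
    return cache.get("com.", "NS")


if __name__ == "__main__":
    print("vulnerable forwarder -> cached NS for com.:", simulate(True))
    print("fixed forwarder      -> cached NS for com.:", simulate(False))
```

With the vulnerable forwarder path the cache ends up holding `ns.attacker.com.` as the nameserver for `com.`, so every later resolver-mode lookup under .com follows the attacker's delegation; with the bailiwick check applied on the forwarder path as well, the forged record is discarded and the cache stays clean.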
