DNS cache poisoning are the attacks in which an attacker manipulates the information entered into a DNS cache to redirect users to the wrong websites. It is an old yet potentially effective attack vector that several cyber adversaries use.
What was discovered?
Recently, researchers have identified a new technique to conduct DNS cache poisoning attacks targeting popular DNS software stacks dubbed SAD DNS.
- The technique revolves around how the Linux kernel handles the Internet Control Message Protocol (ICMP) requests.
- Some of the vulnerable programs include BIND, Unbound, and dnsmasq used on Linux and other operating systems.
Pulling off the attack
- For this attack, the researcher’s group inserted a malicious IP address and pulled off a DNS cache poisoning attack using the source port derandomized.
- The attacker can spoof IP addresses with a computer to trigger a request out of a DNS forwarder or resolver (these decide where to send DNS requests).
- For example, using the forwarder attack, the attacker can log into a LAN managed by a wireless router at the library public wireless network.
How bad this could be?
- This method can be used to target public DNS servers, including Cloudflare's 18.104.22.168 and Google 22.214.171.124.
- Around 34% of the open resolvers population and 85% of free public DNS on the internet are vulnerable, says the study.
Domain name system is an important part of the internet, and such attacks could be devastating. For mitigation, researchers suggest disallowing outgoing ICMP replies altogether. In addition, users can set the timeout of DNS queries more aggressively, in which the source port will be short-lived.