There are several attack methods aimed at the DNS, and most of them
are well understood, with mitigations already deployed. One relatively
new attack method abuses IP Fragmentation to circumvent some of the
mitigations and security features currently built into DNS software.
Previous research has shown that it is possible to use fragmented DNS response
messages to implant false or manipulated data into a DNS resolver’s cache.
DNS Fragmentation attacks require certain preconditions in order to be
successful. While it is known that cache poisoning through DNS
fragmentation is technically possible, prior to this study it was
unclear whether or not the necessary preconditions occur frequently in
the Internet. Therefore, it was equally unclear whether this attack
vector even poses a real and relevant threat. Additionally, while
mitigations had previously been discussed, their effectiveness and
their performance impacts had not been studied in detail.
The research presented in this talk tested the preconditions from two
points of view:
-
From the perspective of the authoritative DNS Server: The study
probed millions of authoritative DNS servers deployed in the
Internet to determine if these servers respond with relatively large
DNS messages that are prone to fragmentation. The domains from which
we received fragmented responses were weighted against the Tranco
list, containing the Internet’s most popular 1 million domains. This
measurement found that while naturally occurring fragmentation in
the Internet is infrequent, it is not completely irrelevant –
especially as it also affects highly popular domains.
-
From the perspective of the DNS resolver: The DNS traffic of a large
ISP in Germany was monitored for a period of 24 hours, in order to
measure how many fragmented DNS responses are seen in real Internet
traffic. It was confirmed that DNS fragmentation really occurs in
productive environments.
As fragmentation attacks mostly target DNS traffic sent over the
sessionless UDP protocol, one proposed mitigation strategy is to
switch regular DNS resolution from UDP to TCP. To evaluate the
potential of this mitigation method, the study looked into the number
of authoritative DNS servers deployed in the Internet that support DNS
over TCP. While DNS over TCP has been already mandated by the Internet
Protocol Standards for more than 10 years now, our measurements show that a
significant number of DNS servers still do not support TCP.
As a by-product of this study, the measurements mentioned above found
that a significant number of authoritative DNS servers in the Internet
run on comparatively old Linux operating systems. While these "long
term support" Linux systems are still officially maintained by their
respective vendors and therefore receive security patches, certain
default settings included in contemporary Linux kernels – some of
which would prevent successful DNS fragmentation attacks – are not
present. The analysis found that running long-term support
"enterprise" Linux systems can actually increase the risk of security
issues, even if these systems are fully patched and maintained.
Knowing that DNS fragmentation attacks are a real threat on the Internet, the
study looked into additional possible mitigation strategies. Because these
might have a negative side effect on the operation of DNS or the performance of
DNS name resolution, they were tested in detail in a laboratory environment
that mimics the structure of the real DNS, including Root-DNS, top-level
domains, and second-level domains.