The Domain Name System (DNS) is a critical component of the Internet. DNS resolvers, which act as the cache between DNS clients and DNS nameservers, are the central piece of the DNS infrastructure and are essential to the scalability of DNS. However, finding resolver vulnerabilities is non-trivial, and this problem is not well addressed by existing tools, for several reasons. First, most of the known resolver vulnerabilities are non-crash bugs that cannot be directly detected by the existing oracles (or sanitizers). Second, there is a lack of rigorous specifications that can be used as references to classify a test case as a resolver bug. Third, DNS resolvers are stateful, and stateful fuzzing is still challenging due to the large input space.
In this paper, we present a new fuzzing system, termed ResolverFuzz, that addresses the aforementioned challenges related to DNS resolvers with a suite of new techniques. First, ResolverFuzz performs constrained stateful fuzzing by focusing on the short query-response sequence, which has been demonstrated as the most effective way to find resolver bugs, based on our study of the published DNS CVEs. Second, to generate test cases that are more likely to trigger resolver bugs, we combine probabilistic context-free grammar (PCFG) based input generation with byte-level mutation for both queries and responses. Third, we leverage differential testing and clustering to identify non-crash bugs such as cache poisoning bugs. We evaluated ResolverFuzz against 6 mainstream DNS software packages under 4 resolver modes. Overall, we identified 23 vulnerabilities that can result in cache poisoning, resource consumption, and crash attacks. After responsible disclosure, 19 of them have been confirmed or fixed, and 15 CVE numbers have been assigned.
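The differential-testing-and-clustering idea above can be illustrated with the following added example, which is not ResolverFuzz's code: the same test case is replayed against several resolvers, and any disagreement in response code or cached records is reduced to a divergence key so that similar disagreements are triaged together. The resolver names, the records and the grouping rule (majority behaviour as the reference, exact-match keys instead of a clustering algorithm) are assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample data: test case -> resolver -> (rcode, cached (name, type, rdata)).
# Resolver names, zone names and records are hypothetical, not taken from the paper.
A = ("www.example.test.", "A", "192.0.2.1")
NS1 = ("other.test.", "NS", "ns.fuzz.test.")
NS2 = ("third.test.", "NS", "ns.fuzz.test.")
OBSERVATIONS = {
    "t1": {"resolver_a": ("NOERROR", {A}), "resolver_b": ("NOERROR", {A}), "resolver_c": ("NOERROR", {A})},
    "t2": {"resolver_a": ("NOERROR", {A}), "resolver_b": ("NOERROR", {A}), "resolver_c": ("NOERROR", {A, NS1})},
    "t3": {"resolver_a": ("NOERROR", {A}), "resolver_b": ("SERVFAIL", set()), "resolver_c": ("NOERROR", {A})},
    "t4": {"resolver_a": ("NOERROR", {A}), "resolver_b": ("NOERROR", {A}), "resolver_c": ("NOERROR", {A, NS2})},
}

def partition(case):
    """Group resolvers whose rcode and cache contents are identical for one test case."""
    groups = defaultdict(list)
    for resolver, (rcode, cache) in case.items():
        groups[(rcode, frozenset(cache))].append(resolver)
    return groups

def divergence_key(case):
    """None when all resolvers agree; otherwise a hashable summary of each minority group."""
    groups = partition(case)
    if len(groups) == 1:
        return None
    # Assumption: the most common behaviour is the reference (no formal spec to compare against).
    (maj_rcode, maj_cache), _ = max(groups.items(), key=lambda kv: len(kv[1]))
    key = []
    for (rcode, cache), resolvers in groups.items():
        if (rcode, cache) == (maj_rcode, maj_cache):
            continue
        extra = tuple(sorted({rr[1] for rr in cache - maj_cache}))    # types only this group cached
        missing = tuple(sorted({rr[1] for rr in maj_cache - cache}))  # types only the majority cached
        key.append((tuple(sorted(resolvers)), rcode, extra, missing))
    return tuple(sorted(key))

def cluster(observations):
    """Map each divergence key to the test cases that produced it."""
    clusters = defaultdict(list)
    for test_id, case in observations.items():
        key = divergence_key(case)
        if key is not None:
            clusters[key].append(test_id)
    return dict(clusters)

if __name__ == "__main__":
    for key, tests in cluster(OBSERVATIONS).items():
        print(tests, key)
```

Test cases t2 and t4 fall into one cluster because the same resolver caches an extra NS record in both, so an analyst inspects one representative instead of every divergent case.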
In this work, we develop a new blackbox fuzzing system, ResolverFuzz, that is tailored to find DNS resolver vulnerabilities. Based on our study of the published DNS CVEs, ResolverFuzz is designed with a set of novel techniques, including constrained stateful fuzzing, differential testing, and grammar-based fuzzing. Our evaluation results show that ResolverFuzz is effective in finding resolver bugs, with 23 vulnerabilities discovered and 15 CVEs assigned.
Lessons learnt. Although DNS resolvers have been extensively tested (e.g., BIND has joined the Google OSS-Fuzz project to be automatically fuzzed), we can still discover many vulnerabilities in their latest versions. We believe the main reason is that bugs unique to DNS resolvers are still difficult to discover with the existing tools, and we hope this study can shed light on this understudied area. In addition, the lack of rigorous specifications also contributes to the existence of resolver bugs, as reflected by the high number of inconsistencies observed during testing. Like prior work, we encourage the Internet community to work together and develop formal guidance on secure resolver implementations.