A team of researchers from UC Irvine and Tsinghua University has developed a powerful new type of DNS cache poisoning attack called MaginotDNS. It targets Conditional DNS (CDNS) resolvers and can compromise entire top-level domains (TLDs).
The attack was made possible by flaws in the implementation of security controls in various DNS software and servers, leaving about a third of all CDNS servers vulnerable. The researchers presented the details of the attack and the related documentation earlier this week at Black Hat 2023 in Los Angeles, reporting that the identified problems have since been fixed at the software level.
DNS (Domain Name System) is the naming system that resolves domain names, which are human-readable, into the more complex numerical IP addresses. The DNS resolution process uses UDP, TCP and DNSSEC to send queries and receive answers.
MaginotDNS and DNS cache poisoning: a danger that comes from afar
DNS cache poisoning places spoofed responses in a DNS resolver's cache, causing the server to send users who look up a domain to malicious websites without their knowledge.
Many attacks of this type have been detected and analyzed in the past, some of them quite far back in the history of the Internet. Clear examples are the Kashpureff attack in 1997, which exploited a lack of data verification, and the Kaminsky attack in 2008, which exploited the absence of source port randomization.
CDNS resolvers support both recursive and forwarding query modes and are used by ISPs and enterprises to reduce costs and improve access control. However, the researchers found the handling of data between these modes to be vulnerable.
The researchers identified inconsistencies in several major DNS implementations, including BIND9 (CVE-2021-25220), Knot Resolver (CVE-2022-32983), Microsoft DNS and Technitium (CVE-2021-43105).
In some cases, they noticed configurations that treat all records as if they were under the root domain. Along these lines, several possible attacks that could be carried out through MaginotDNS were demonstrated during Black Hat.
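The root-domain configuration just described can be illustrated with a small bailiwick check of the kind a resolver applies to the records in a response. This is an added example, not code from the researchers or from any of the named DNS implementations; the zone names and records in it are constructed.

```python
# Added example: a minimal bailiwick check contrasted with a lax check that
# judges every record against the root zone, so that nothing is ever rejected.
from dataclasses import dataclass


def _labels(name: str) -> list[str]:
    """Normalise a DNS name into lowercase labels, ignoring the trailing dot."""
    return [label.lower() for label in name.rstrip(".").split(".") if label]


def in_bailiwick(record_name: str, zone: str) -> bool:
    """True if record_name equals zone or is a subdomain of it.

    The zone is the name the query was delegated or forwarded for. The root
    zone ("." or "") covers every name, which is why a resolver that uses the
    root as the bailiwick for every forwarded answer accepts any record.
    """
    rec, zne = _labels(record_name), _labels(zone)
    return len(rec) >= len(zne) and rec[len(rec) - len(zne):] == zne


def lax_bailiwick(record_name: str, zone: str) -> bool:
    """The flawed behaviour described in the article: the zone actually
    queried is ignored and every record is treated as being under the root."""
    return in_bailiwick(record_name, ".")


@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    rdata: str


def filter_response(records: list[RR], zone: str, check=in_bailiwick) -> list[RR]:
    """Keep only the records that pass the bailiwick check for the zone queried."""
    return [rr for rr in records if check(rr.name, zone)]


# Constructed sample response for a query forwarded for the zone example.com.
# The last record names a server for a parent zone and must not be cached.
SAMPLE_RESPONSE = [
    RR("www.example.com.", "A", "192.0.2.10"),
    RR("example.com.", "NS", "ns1.example.com."),
    RR("com.", "NS", "ns.rogue.example."),
]


def demo() -> tuple[int, int]:
    """Return (records kept by the strict check, records kept by the lax check)."""
    strict = filter_response(SAMPLE_RESPONSE, "example.com.")
    lax = filter_response(SAMPLE_RESPONSE, "example.com.", check=lax_bailiwick)
    return len(strict), len(lax)
```

The strict check keeps two of the three records, while the lax one keeps all three, including the out-of-zone NS record.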