The Maginot Line: Attacking the Boundary of DNS Caching Protection

Xiang Li, Chaoyi Lu, Baojun Liu, Qifan Zhang, Zhou Li, Haixin Duan, Qi Li
August, 2023 DNS
PDF Cite Code Project Slides Source Document

Abstract

In this paper, we report MaginotDNS, a powerful cache poisoning attack against DNS servers that simultaneously act as recursive resolvers and forwarders (termed as CDNS). The attack is made possible through exploiting vulnerabilities in the bailiwick checking algorithms, one of the cornerstones of DNS security since the 1990s, and affects multiple versions of popular DNS software, including BIND and Microsoft DNS. Through field tests, we find that the attack is potent, allowing attackers to take over entire DNS zones, even including Top-Level Domains (e.g., .com and .net). Through a large-scale measurement study, we also confirm the extensive usage of CDNSes in real-world networks (up to 41.8% of our probed open DNS servers) and find that at least 35.5% of all CDNSes are vulnerable to MaginotDNS. After interviews with ISPs, we show a wide range of CDNS use cases and real-world attacks. We have reported all the discovered vulnerabilities to DNS software vendors and received acknowledgments from all of them. 3 CVE-ids have been published, and 2 vendors have fixed their software. Our study brings attention to the implementation inconsistency of security checking logic in different DNS software and server modes (i.e., recursive resolvers and forwarders), and we call for standardization and agreements among software vendors.

Type
Conference paper
Publication
In Proceedings of the 32nd USENIX Security Symposium. Anaheim, California, August 9–11, 2023. (Acceptance rate: 422/1,444=29.2%, Acceptance rate in summer: 91/388=23.5%, Acceptance rate in fall: 155/531=29.2%, Acceptance rate in winter: 176/525=33.5%).
* Presented in Black Hat USA 2023.
* 60+ news coverage by media such as BleepingComputer and APNIC.
* An Austria government CERT daily report.
* A Sweden government CERT weekly news.
* A Bournemouth University (BU) CERT news.
* Presented in SHUZIHUANYU Talk.
* Presented in KANXUE 2023 SDC.
* Presented in Black Hat Webinar

Overview

In this paper, we report MaginotDNS, a powerful cache poisoning attack against DNS servers that simultaneously act as recursive resolvers and forwarders (termed as CDNS).

MaginotDNS: https://maginotdns.net/

CVE (3)

Presentation

News & CERT

News & CERT List

  • AlienVault: News

  • All InfoSec News: News

  • Altus Intel: News

  • Anti-Malware.ru: News

  • APNIC: News

  • BelEn News and Lifestyle: News

  • BleepingComputer: News

  • Blog elhacker.NET: News

  • Bournemouth University (BU) CERT on 15/08/2023: News

  • BreachForums: News

  • Broadband Reports: News

  • CICESE: News

  • CaveiraTech: News

  • Cyber Reports: News

  • CyberIQs: News

  • Cyware Labs: News

  • Desde Linux: News

  • DevBytes: News

  • Facebook: News

  • Fagen Wasanni Technologies: News

  • First Hackers News: News

  • FreeFlarum: News

  • GovCERT Austria on 14/08/2023: News

  • Hispasec UnaAlDia: News

  • How 2 Do: News

  • ITSec.Ru: News

  • IlSoftware.it: News

  • Informazione.it: News

  • Infosec Exchange: News

  • Italy 24 Press News: News

  • Jetico: News

  • MalwareTips: News

  • Menéame: News

  • News YCombinator: News

  • Notizie today: News

  • OpenNet: News

  • OpenSecurity: News

  • PRSOL:CC: News

  • Red Hot Cyber: News

  • Reddit: News

  • Risky Biz: News

  • SNAS Internet Storm Center: News

  • SecNews.gr: News-zh-cn

  • SecNews.gr: News

  • Secure Hunter: News

  • Security Lab: News

  • SecurityWeek: News

  • Sweden CERT on 18/08/2023: News

  • TS2 Space: News

  • TechWar.GR: News

  • UPV/EHU: News

  • Una al Día: News

  • Vumetric Cyber Portal: News

  • carder.uk: News

  • e-security.bg: News

  • lasgasolineras.es: News

  • notizie.today: News

  • techxpub.de: News

  • 360CERT安全日报(2023.08.14): News

  • 合天网安实验室-网络安全日报(2023年08月15日): News

  • 快米云: News

  • 資安日報: News

DNS DNS Security DNS Cache Poisoning DNS Bailiwick Rule
Xiang Li
Xiang Li
Associate Professor (Nankai University)

Xiang Li is an Associate Professor at the Cryptology and Cyber Science, Nankai University. He is the advisor of Nankai University’s CTF teams, an ACM member, CCF member, and CIC member. He serves as PC for venues like IMC, RAID, ACSAC and others like AsiaCCS. His research interests include network security, protocol security, IPv6 security, DNS security, Internet measurement, network & protocol fuzzing, network vulnerability discovery & attack, web security, and underground economy with 22 research papers. As the first author, he has published many research papers at all top-tier security conferences, including Oakland S&P, USENIX Security, CCS, NDSS, and Black Hat (Asia, USA, and Europe). He applied for 12 patents (2 authorized and 5 in checking as the first author). He has obtained over 200 CVE/CNVD/CNNVD vulnerability numbers, more than $11,600 rewards, 430+ GitHub stars, multiple CERT reports, 100+ news coverage, and RFC acknowledgement. He got multiple prizes, such as 2024 ACM SIGSAC China Excellent Doctoral Dissertation Award, 2024 Pwnie Award Nominations (Hacker Oscar), 1st prize of IPv6 Technology Application Innovation Competition, 2nd prize of GeekCon 2023 DAF Contest, National Scholarship, Wang Dazhong Scholarship, Tsinghua Outstanding Scholarship, Outstanding Graduate, and Extraordinary Hacker of GeekCon International 2024.