Abstract
In today’s DNS infrastructure, DNS forwarders are devices standing between DNS clients and recursive resolvers. They often serve as the ingress servers for DNS clients and, instead of resolving queries themselves, pass the requests on to other servers. Because of their advantages and many use cases, DNS forwarders are widely deployed and queried by Internet users. However, studies have shown that DNS forwarders can be among the more vulnerable devices in the DNS infrastructure. In this paper, we present a cache poisoning attack targeting DNS forwarders. Through this attack, attackers can inject rogue records for arbitrary victim domain names using a domain under their control, and circumvent widely deployed cache poisoning defences. By testing popular home router models and DNS software, we find several vulnerable implementations, including those of large vendors (e.g., D-Link, Linksys, dnsmasq and MS DNS). Further, through a nationwide measurement, we estimate the population of Chinese mobile clients that use vulnerable DNS forwarders. We have reported the issue to the affected vendors and so far have received positive feedback from three of them. Our work further demonstrates that DNS forwarders can be a soft spot in the DNS infrastructure, and calls for attention as well as implementation guidelines from the community.
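The abstract says a forwarder can end up holding rogue records for a victim name after being asked about a name the attacker controls. The example below is an added illustration, not code from the talk or from the paper it summarises: it puts two forwarder cache policies side by side and feeds both the same constructed upstream reply, in which a query for a name under attacker.example returns a CNAME chain plus an A record owned by victim.example. How such a record gets into the upstream reply is not modelled here (the abstract does not describe the mechanism, and the defence bypass is out of scope); the example only shows what each policy does with it afterwards. All names and addresses are hypothetical, and the "question-keyed" policy is one defensive choice assumed for this illustration, not the paper's specific recommendation.

```python
"""Two forwarder cache policies, side by side (added illustration).

The upstream reply is constructed. A client asks the forwarder for
x.attacker.example; the upstream resolver's reply carries a CNAME to
victim.example and an A record owned by victim.example. What matters
here is whether an unrelated later client asking for victim.example is
answered from the forwarder's cache with that address.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


def canon(name: str) -> str:
    """Canonical owner name: lower-case with a single trailing dot."""
    return name.rstrip(".").lower() + "."


@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    rdata: str
    ttl: int = 300


@dataclass
class Response:
    qname: str
    qtype: str
    answers: List[RR]


class RecordCache:
    """Permissive policy: every RR in the upstream reply is stored under its
    own owner name and served to any later query for that name. A single
    reply for a name under attacker.example therefore seeds an entry for
    victim.example that every other client of the forwarder will receive."""

    def __init__(self) -> None:
        self._rrs: Dict[Tuple[str, str], List[RR]] = defaultdict(list)

    def store(self, resp: Response) -> None:
        for rr in resp.answers:
            self._rrs[(canon(rr.name), rr.rtype)].append(rr)

    def lookup(self, qname: str, qtype: str) -> List[RR]:
        return list(self._rrs.get((canon(qname), qtype), []))


class QuestionCache:
    """Question-keyed policy (assumed here as the hardened variant): the reply
    is cached as one unit under the question that produced it and is only
    replayed for that same question. No record inside it is promoted under
    another owner name, so a query for victim.example must go upstream."""

    def __init__(self) -> None:
        self._resp: Dict[Tuple[str, str], Response] = {}

    def store(self, resp: Response) -> None:
        self._resp[(canon(resp.qname), resp.qtype)] = resp

    def lookup(self, qname: str, qtype: str) -> List[RR]:
        resp = self._resp.get((canon(qname), qtype))
        return list(resp.answers) if resp else []


# Constructed upstream reply with hypothetical names and a TEST-NET address.
ATTACKER_QNAME = "x.attacker.example."
VICTIM = "victim.example."
UPSTREAM_REPLY = Response(
    qname=ATTACKER_QNAME,
    qtype="A",
    answers=[
        RR(ATTACKER_QNAME, "CNAME", VICTIM),
        RR(VICTIM, "A", "203.0.113.66"),  # rogue address owned by the victim name
    ],
)


def victim_served_from_cache(cache) -> List[str]:
    """Feed the constructed reply to `cache`, then return the addresses an
    unrelated later client query for victim.example would get from cache."""
    cache.store(UPSTREAM_REPLY)
    return [rr.rdata for rr in cache.lookup(VICTIM, "A")]


def attacker_name_served_from_cache(cache) -> List[str]:
    """Same reply, but the later query repeats the original question."""
    cache.store(UPSTREAM_REPLY)
    return [rr.rdata for rr in cache.lookup(ATTACKER_QNAME, "A")]


if __name__ == "__main__":
    print("record cache   :", victim_served_from_cache(RecordCache()))
    print("question cache :", victim_served_from_cache(QuestionCache()))
```

The question-keyed cache still replays the rogue address to a client that repeats the attacker's own question, which only affects clients who asked about the attacker's name in the first place; it does not let one reply answer unrelated questions. A recursive resolver would instead apply a bailiwick check (keep only records under the zone that answered), but a forwarder talking only to an upstream resolver has no zone context to check against, which is why a question-keyed cache is the simpler defensive choice for a forwarder.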
Date
May 25, 2021 12:00 PM — May 27, 2021 3:45 PM
At the 4th ICANN DNS Symposium (IDS 2021, held virtually), I presented a novel DNS cache poisoning attack (introduced by Xiaofeng Zheng from our lab) to the audience.
Ph.D. Candidate in Cyberspace Security (Tsinghua University)
Xiang Li is a 4th-year Ph.D. candidate at the Institute of Network Science and Cyberspace, Tsinghua University, advised by Professors Qi Li and Haixin Duan. He belongs to the Network and Information Security Lab (NISL). He is a visiting scholar at UC Irvine as a project specialist, working with Professor Zhou Li. He is also working as a security research intern at Qi-An-Xin Technology Company. Additionally, he is the author of the fast IPv6 network device scanner XMap, open-sourced on GitHub. His research interests include network security, protocol security, IPv6 security, DNS security, Internet measurement, and network and protocol fuzzing. As first author, he has published many research papers at top security conferences such as USENIX Security, NDSS, and DSN. As a co-author, he has also published multiple papers at top conferences such as USENIX Security and SIGMETRICS. His presentations have also been accepted at top industry security conferences such as Black Hat. He likes to attend talks and workshops such as IDS, OARC, and VehicleSec to share his research. He has obtained over 140 CVE/CNVD vulnerability numbers for a variety of influential IPv6 and DNS vulnerabilities, which have impacted over 20 home router vendors and all DNS implementations and resolver vendors. He has received acknowledgements and more than $10,600 in rewards from vendors such as Google, Microsoft, Cloudflare, and Akamai, and is working on the improvement of DNS protocols (related work has been referenced in an RFC).