Internet Corporation for Assigned Names & Numbers

2008 DNS Cache Poisoning Vulnerability
Cairo, Egypt, November 2008

Kim Davies, Manager, Root Zone Services
How does the DNS work?
A typical DNS query

The DNS protocol revolves around sending questions, and sending back answers to those questions.

Question: icann.org?
Answer: 192.0.2.0
How do you attack the DNS?
The DNS is not secure
‣ A computer sends a “question” to a DNS server, such as “What is the IP address for icann.org?”
‣ The computer gets an answer back, and if the answer appears to match the question it asked, trusts that it is correct.
‣ There are multiple ways that traffic on the Internet can be intercepted or impersonated, so that the answer trusted is false.
Winning the race

Exploits rely on the server providing the false answer responding quicker than the correct server can give the right answer.

Question: icann.org?
Forged answer, arrives first and is trusted: 6.6.6.0
Genuine answer, arrives too late: 192.0.2.0
Cache poisoning

‣ The previous example scenario is a successful attack against just one computer.
‣ To improve efficiency, intermediate DNS servers typically store results in a cache to speed further lookups.
‣ This is the typical configuration at ISPs, etc.
‣ If an attacker can trick a server to remember a wrong answer, the server will then use it to respond to future lookups.
‣ One successful attack can therefore affect many users by “poisoning” the cache.
What should match in a DNS transaction

1 Source address and port
2 Destination address and port
3 Reference (transaction) number
4 Question being asked

Query, 1.2.3.4 → 2.4.6.8:
From: 1.2.3.4, port 53
To: 2.4.6.8, port 53
My ref: 12345
Question: icann.org?

Response, 2.4.6.8 → 1.2.3.4:
From: 2.4.6.8, port 53
To: 1.2.3.4, port 53
Your ref: 12345
Question: icann.org?
Answer: 192.0.2.0
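The four checks above, carried out on real DNS wire format. This is an added example written for this page, not code from the presentation or from ICANN/IANA: it builds a query and a response with the standard library, applies the address, port, transaction-id and question checks, and then counts how many forged responses out of all 65,536 possible transaction ids a resolver with a fixed source port would accept. The addresses are the slide's own illustrative values, and the "genuine" and "forged" responses are constructed in the script rather than captured.

```python
import os
import struct

# Constructed endpoints matching the slide (documentation-style addresses, not real servers).
RESOLVER = ("1.2.3.4", 53)
AUTHORITY = ("2.4.6.8", 53)


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, off):
    """Decode an uncompressed name at msg[off]; return (name, offset just after it)."""
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + n].decode("ascii"))
        off += n


def build_query(name, txid, qtype=1):
    """12-byte header (flags 0x0100 = recursion desired) plus one question (class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(query, ipv4, ttl=300):
    """Answer the question carried in `query` with one A record."""
    txid = struct.unpack("!H", query[:2])[0]
    _, qend = decode_name(query, 12)
    question = query[12:qend + 4]                     # name + type + class, copied verbatim
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rdata = bytes(int(o) for o in ipv4.split("."))
    # Owner name is a compression pointer to offset 12 (the question name); type A, class IN.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def response_matches(query, query_src, query_dst, response, resp_src, resp_dst):
    """The four checks a resolver applies before trusting a response."""
    if resp_src != query_dst:            # 1. source address and port: the authority we asked
        return False
    if resp_dst != query_src:            # 2. destination address and port: our own socket
        return False
    if response[:2] != query[:2]:        # 3. transaction id
        return False
    _, qend = decode_name(query, 12)     # 4. the question section, byte for byte
    return response[12:qend + 4] == query[12:qend + 4]


def answered_address(response):
    """Extract the IPv4 address from the single A record produced by build_response()."""
    _, qend = decode_name(response, 12)
    rr_start = qend + 4                  # answer RR follows the question
    rdata = response[rr_start + 12:rr_start + 16]    # 2 ptr + 2 type + 2 class + 4 ttl + 2 rdlen
    return ".".join(str(b) for b in rdata)


def count_matching_forgeries(query, lo=0, hi=1 << 16):
    """With addresses, ports and question all known to the attacker, how many forged
    responses with a transaction id in [lo, hi) pass the checks? Exactly one when the
    range covers the whole 16-bit space: the attacker's odds are 1 in 65,536 per guess."""
    name, _ = decode_name(query, 12)
    hits = 0
    for guess in range(lo, hi):
        forged = build_response(build_query(name, guess), "6.6.6.0")
        if response_matches(query, RESOLVER, AUTHORITY, forged, AUTHORITY, RESOLVER):
            hits += 1
    return hits


def demo():
    txid = int.from_bytes(os.urandom(2), "big")        # 16-bit random transaction id
    query = build_query("icann.org", txid)
    genuine = build_response(query, "192.0.2.0")
    forged = build_response(build_query("icann.org", (txid + 1) & 0xFFFF), "6.6.6.0")
    return (
        response_matches(query, RESOLVER, AUTHORITY, genuine, AUTHORITY, RESOLVER),
        response_matches(query, RESOLVER, AUTHORITY, forged, AUTHORITY, RESOLVER),
        answered_address(genuine),
    )


if __name__ == "__main__":
    print(demo())                                                      # (True, False, '192.0.2.0')
    print(count_matching_forgeries(build_query("icann.org", 12345)))   # 1
```

Note that nothing in the four checks is secret: an attacker who can predict the transaction id, or who can send enough responses to cover every id before the genuine answer arrives, passes them all.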
Approximate possible combinations

The key variability is in the reference number. Other values are mostly deterministic. Taken from the point of view of the forged response the attacker has to construct:

Field of the forged response                        Attacker's chance of guessing it
Source address (which authority is answering)       1 in 3*
Source port (the authority's)                       1 in 1
Reference (transaction) number                      1 in 65,000
Destination address (the resolver)                  1 in 1
Destination port (the resolver's query source port) 1 in 1
Question                                            1 in 1

* Number of authoritative name servers for the domain (average is 2.5)
What has been discovered recently?
This attack is highly effective
‣ Dan Kaminsky identified there is a straightforward way to flood an attack target with lots of answers, so that the right combination would be found very quickly (a few seconds)
‣ By querying for random hosts within a domain (0001.targetdomain.com, 0002.targetdomain.com, etc.), you can take over the target domain by filling the cache with bad referral information.
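A toy race simulation of the two points above, added here as an illustration; it is not code from the presentation and not Dan Kaminsky's tool. It models the resolver's outstanding query as one random value (transaction id alone, or port and id together), lets the attacker squeeze a fixed number of forged replies in before the genuine answer, and contrasts the classic strategy (ask for the same name, wait out the TTL after every lost race) with the random-subdomain strategy (every query is a fresh cache miss, and the forged reply carries a bad NS record for the whole domain). The query rate, TTL, number of forged replies per query and the names target.example / ns.attacker.example are assumptions chosen for the example.

```python
import random
from collections import namedtuple

TXID_SPACE = 1 << 16       # 16-bit transaction id
PORT_SPACE = 1 << 16       # 16-bit UDP source port (fixed at 53 on an unpatched resolver)

Result = namedtuple("Result", "poisoned queries elapsed cached_ns")


def expected_queries(space, guesses_per_query):
    """Mean number of resolver queries the attacker needs when each query gives
    `guesses_per_query` distinct chances out of `space` equally likely values."""
    return space / guesses_per_query


def simulate(strategy, randomise_port, guesses_per_query, seed=1,
             max_queries=10_000, query_time=0.01, ttl=3600.0):
    """Race a forger against a toy resolver.

    strategy  "classic":  the attacker keeps asking for www.target.example; after each
                          lost race the genuine answer sits in the cache for `ttl`
                          seconds, so the next chance only comes a TTL later.
              "kaminsky": the attacker asks for 0001.target.example, 0002..., which are
                          never cached, so every query is a fresh race; the forged
                          replies carry an NS record for target.example itself.
    Assumed rates (constructed figures): one query every `query_time` seconds and
    `guesses_per_query` forged replies delivered before the genuine one.
    """
    rng = random.Random(seed)
    space = TXID_SPACE * (PORT_SPACE if randomise_port else 1)
    guesses = range(guesses_per_query)   # k distinct (port, txid) guesses; membership is O(1)
    cache = {}                           # name -> time at which the genuine record expires
    clock, queries = 0.0, 0
    while queries < max_queries:
        if strategy == "classic":
            name = "www.target.example"
            if cache.get(name, 0.0) > clock:
                clock = cache[name]      # nothing to race until the cached answer expires
        else:
            name = f"{queries + 1:04d}.target.example"
        queries += 1
        clock += query_time
        chosen = rng.randrange(space)    # the resolver's (port, txid) for this query
        if chosen in guesses:
            # Forged reply accepted; its authority section now names the attacker's
            # server for target.example, so every later name under it goes there.
            return Result(True, queries, clock, "ns.attacker.example")
        cache[name] = clock + ttl        # genuine reply won and is cached
    return Result(False, queries, clock, None)


if __name__ == "__main__":
    for strategy in ("classic", "kaminsky"):
        print(strategy, simulate(strategy, randomise_port=False, guesses_per_query=1000))
    print("expected queries, fixed port:  ", expected_queries(TXID_SPACE, 1000))
    print("expected queries, random port: ", expected_queries(TXID_SPACE * PORT_SPACE, 1000))
```

With 1,000 forged replies per query and only the transaction id to guess, the expected number of races is 65,536 / 1,000, about 66: a second or so at the assumed rate with random subdomains, but about 66 TTL periods with the classic strategy. Adding a random source port multiplies the expectation by 65,536, which is the whole point of the short term patches.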
How effective?

Figure (courtesy John Dickinson, jadickinson.co.uk): demonstration run of the attack; elapsed time shown: 1.3 secs.
An impact on authoritative name servers
‣ This attack affects caching or recursive name servers that speed up DNS lookups at ISPs and corporate networks.
‣ Domain name zones are hosted on a different type of name server called an authoritative name server.
‣ If a name server provides both caching and authoritative name service, a successful attack on the recursive portion can store bad data that is given to computers that want authoritative answers.
‣ The net result is one could insert or modify domain data inside a domain on its authorities.
Short term solutions
1. Maximise the amount of randomness
‣ Most implementations use randomised transaction numbers already. (The risk with that was discovered years ago, and fixed in most software)
‣ The port number 53 is assigned by IANA for DNS.
‣ However it is only required to be 53 as the destination port, not the source port.
‣ The patches that have been released in the last few months work by randomising the source port for the recursive server.
Possible combinations (2)

Varying the source port increases the number of combinations. The recursive server's query source port is the destination port of the response the attacker must forge:

Field of the forged response                        Attacker's chance of guessing it
Source address (which authority is answering)       1 in 3*
Source port (the authority's)                       1 in 1
Reference (transaction) number                      1 in 65,000
Destination address (the resolver)                  1 in 1
Destination port (the resolver's query source port) 1 in 1 → 1 in 64,000
Question                                            1 in 1

* Number of authoritative name servers for the domain (average is 2.5)
2. Disable open recursive name servers
‣ The attack is not effective if the attacker can not send question packets to the name server.
‣ If you must run a recursive name server, limit access to only those computers that need it. (e.g. your customers). They will still be able to execute the attack, but the exposure is reduced.
‣ Turning off open recursive name servers is a good idea anyway, because they can be used for other types of attack (denial of service)
3. Use upper/lower case to add randomness
‣ The answer should preserve the same capitalisation as the question. By mixing upper and lower case, it provides more combinations that an attacker has to guess.
‣ This is a way of adding extra entropy to the DNS without modifying the protocol.
‣ Still under discussion (not implemented)
Question sent by the resolver: iCAnn.orG?
Name looked up by the authority (case-insensitive): icann.org
Question echoed back in the answer, case preserved: iCAnn.orG
Possible combinations (3)

Varying the case increases the number of combinations to 2^L, where L is the number of letters in the domain (e.g. ICANN.ORG = 8 letters = 2^8 = 256).

Field of the forged response                        Attacker's chance of guessing it
Source address (which authority is answering)       1 in 3*
Source port (the authority's)                       1 in 1
Reference (transaction) number                      1 in 65,000
Destination address (the resolver)                  1 in 1
Destination port (the resolver's query source port) 1 in 64,000
Question                                            1 in 1 → 1 in 256**

* Number of authoritative name servers for the domain (average is 2.5)
** 2^L for a name with L letters; ICANN.ORG has 8
Net effect of short term solutions

‣ Old (unpatched) entropy ≈ 2^16 to 2^18 possibilities. New (patched) entropy ≈ 2^32 to 2^(34+length) possibilities, where length is the number of letters in the name being queried.
‣ More entropy makes these types of attacks harder, but does not prevent them.
‣ Computer processing power and network speeds will only increase in the future, improving the viability of these attacks.
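The case-randomisation proposal and the entropy accounting of the last two slides, as an added example written for this page (not the presentation's own code and not any resolver's implementation). It randomises the case of a query name, models an authority that looks the name up case-insensitively and echoes the question back, shows why a 0x20-aware resolver must reject an answer whose question came back lowercased, and adds up the bits for each combination of the three short term measures. The toy zone and the 2.5-server average are the only inputs, and the per-field bit counts follow the slides (16 for the id, 16 for the port, one per letter, log2 of the number of authorities).

```python
import math
import random


def randomise_case(qname, rng):
    """0x20 encoding: for every ASCII letter in the name pick upper or lower case
    at random (bit 0x20 of the byte); digits, hyphens and dots are left alone."""
    out = []
    for ch in qname:
        if ch.isalpha():
            out.append(ch.upper() if rng.getrandbits(1) else ch.lower())
        else:
            out.append(ch)
    return "".join(out)


def case_bits(qname):
    """Extra bits of entropy 0x20 adds: one per letter (ICANN.ORG has 8)."""
    return sum(1 for ch in qname if ch.isalpha())


def authority_reply(qname, zone, preserve_case=True):
    """Model of an authoritative server: the lookup is case-insensitive, and a
    well-behaved server copies the question back exactly as it was asked.
    Returns (echoed_qname, answer), with answer None for unknown names."""
    answer = zone.get(qname.lower())
    echoed = qname if preserve_case else qname.lower()
    return echoed, answer


def accept_reply(sent_qname, echoed_qname):
    """A 0x20-aware resolver compares the echoed question with what it sent, byte for
    byte. A server that rewrites the case therefore has its (genuine) answer dropped,
    which is the deployment caveat behind 'still under discussion'."""
    return sent_qname == echoed_qname


def entropy_bits(qname, port_random, case_random, nameservers=1, txid_random=True):
    """Bits an attacker must guess per forged reply: 16 for the transaction id,
    16 more with source-port randomisation, one per letter with 0x20, plus
    log2(number of authorities) for which server the reply claims to come from."""
    bits = 16.0 if txid_random else 0.0
    bits += 16.0 if port_random else 0.0
    bits += case_bits(qname) if case_random else 0.0
    bits += math.log2(nameservers)
    return bits


def forgery_success_probability(bits, forged_replies):
    """Chance that a burst of `forged_replies` distinct guesses wins one race."""
    return min(1.0, forged_replies / 2 ** bits)


if __name__ == "__main__":
    rng = random.Random(2008)
    zone = {"icann.org": "192.0.2.0"}              # constructed toy zone
    sent = randomise_case("icann.org", rng)         # e.g. "iCAnn.orG"
    echoed, answer = authority_reply(sent, zone)
    print(sent, "->", echoed, answer, "accepted:", accept_reply(sent, echoed))
    lowered, _ = authority_reply(sent, zone, preserve_case=False)
    print("answer from a server that lowercases the question accepted:", accept_reply(sent, lowered))
    for label, port, case in (("unpatched", False, False),
                              ("random source port", True, False),
                              ("random port + 0x20", True, True)):
        bits = entropy_bits("icann.org", port, case, nameservers=2.5)
        print(f"{label}: 2^{bits:.1f} combinations, "
              f"P(win one race with 1000 forgeries) = {forgery_success_probability(bits, 1000):.2e}")
```

For icann.org with 2.5 authorities this gives roughly 2^17.3 before the patches and 2^41.3 with port and case randomisation, matching the 2^16 to 2^18 and 2^32 to 2^(34+length) ranges on the slide. Note that 0x20 contributes nothing for a name made of digits and dots, and only as much as the name's letter count otherwise.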
Long term solution
Introduce security to the DNS
‣ The DNS is insecure. Upgrade the DNS for security.
‣ DNSSEC is the current answer to this problem.
‣ This attack provides clear incentive to deploy a solution like DNSSEC, because without security the DNS will continue to be vulnerable to cache poisoning attacks.
Impact on TLDs
‣ At the time the vulnerability became known, a survey of TLD operators found that 72 TLDs had authorities that were providing open recursive service.
‣ ICANN contacted all TLDs affected
‣ Explained the situation, and the urgency to fix it
‣ Provided advice on how to reconfigure name servers
‣ Expedited root zone change requests, if required
Checking tool
‣ We developed a tool which we ran daily against TLDs, and shared results with affected TLDs.
‣ It became clear a web-based tool where TLD operators could self-test would be useful, so it was re-implemented this way.
‣ The tool is not TLD specific, and works with any domain name.
Vulnerability checking tool
http://recursive.iana.org/
How the tool works

The tool checks for the two aspects that enable the attack:

Caching?  NO  → Safe
Caching?  YES → Random?  YES → Vulnerable
                Random?  NO  → Highly vulnerable
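The decision tree above as code, added here as an illustration; it is not the IANA tool and the deck does not describe how that tool probes a server beyond the two questions it asks. The example assumes the "caching?" question is answered by sending the server a recursion-desired query for a name outside its zones and checking whether it comes back with the RA flag set, a non-error rcode and an answer, and it uses its own heuristic (an assumption, not the tool's method) for the "random?" question, judging from the source ports seen on several of the server's outgoing queries. The sample responses and port lists are constructed inline; test.example is a placeholder name.

```python
import struct

QR, RA = 0x8000, 0x0080      # header flag bits (RFC 1035 section 4.1.1)


def parse_header(msg):
    """Unpack the 12-byte DNS header into the fields the check needs."""
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", msg[:12])
    return {"txid": txid, "qr": bool(flags & QR), "ra": bool(flags & RA),
            "rcode": flags & 0x000F, "ancount": ancount}


def serves_recursion(response):
    """Caching? An authoritative-only server refuses (or returns no answer for) a
    name outside its zones; one that answers with RA set and rcode 0 has resolved
    it recursively and will cache the result."""
    h = parse_header(response)
    return h["qr"] and h["ra"] and h["rcode"] == 0 and h["ancount"] > 0


def looks_random(values, space=1 << 16, min_samples=5):
    """Random? Heuristic assumed by this example: the ports (or ids) seen across
    several queries must all differ and be spread over more than a sixteenth of
    the space. That rejects a fixed port 53 and a counter that steps by one."""
    if len(values) < min_samples:
        raise ValueError("need more samples to judge randomness")
    return len(set(values)) == len(values) and max(values) - min(values) > space // 16


def classify(probe_response, observed_source_ports):
    """The slide's decision tree."""
    if not serves_recursion(probe_response):
        return "Safe"
    if looks_random(observed_source_ports):
        return "Vulnerable"
    return "Highly vulnerable"


def make_response(txid, flags, ancount):
    """Constructed sample reply: header, one question for test.example (A, IN)
    and, when ancount > 0, one A record pointing at a documentation address."""
    msg = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    msg += b"\x04test\x07example\x00" + struct.pack("!HH", 1, 1)
    if ancount:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
    return msg


REFUSED = make_response(0x1234, QR | 0x0100 | 0x0005, 0)   # RD echoed, RA clear, RCODE=5 (REFUSED)
ANSWERED = make_response(0x1234, QR | 0x0100 | RA, 1)      # recursive answer, RA set

FIXED_PORTS = [53] * 8                                     # unpatched resolver
SEQUENTIAL_PORTS = list(range(1024, 1032))                 # predictable counter
RANDOM_PORTS = [41277, 6128, 59013, 22741, 35890, 10502, 63419, 48176]   # constructed sample

if __name__ == "__main__":
    for label, resp, ports in (("authoritative only", REFUSED, FIXED_PORTS),
                               ("caching, fixed port", ANSWERED, FIXED_PORTS),
                               ("caching, sequential ports", ANSWERED, SEQUENTIAL_PORTS),
                               ("caching, random ports", ANSWERED, RANDOM_PORTS)):
        print(f"{label}: {classify(resp, ports)}")
```

The "Safe" branch only means the server is not exposed to this attack as an open recursive server; a resolver that answers for everyone but randomises its ports is still "Vulnerable", which is why the slides present port randomisation as a short term measure only.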
over 100,000 domains tested
Work continues
‣ We are still working with the last remaining TLDs that are affected. Our goal is to reduce the number to zero.
‣ It is anticipated a ban on open recursive name servers will be instituted as a formal IANA requirement on future root zone changes.
‣ Work on DNSSEC, and signing the root, to facilitate a longer term solution