MaginotDNS is a powerful cache poisoning attack against DNS servers
During the "Black Hat USA 2023" conference that was held a few days ago, a group of researchers revealed information about a vulnerability they discovered that is codenamed MaginotDNS.
Regarding the "MaginotDNS" vulnerability, it is mentioned that allows replacement of incorrect NS records in the cache of DNS servers, which are used simultaneously for request redirection and name resolution. A successful attack can result in accessing incorrect DNS servers that provide false information about the target domain, and the attacker can replace entire DNS zones, including those for top-level domains.
Through field tests, we found the attack to be powerful, allowing attackers to take over entire DNS zones, including top-level domains (eg, .com and .net ). Through a large-scale measurement study, we also confirmed extensive use of CDNS in real-world networks (up to 41,8% of our tested open DNS servers) and found that at least 35,5% of all CDNS are vulnerable to MaginotDNS.
Los investigadores mention that the possibility of spoofing NS records for another domainor it is caused by an error in the Bailiwick validation algorithm used in the DNS servers, which does not allow the acceptance of name servers that are not directly associated with the requested domain.
In a situation where the DNS server can operate in resolver and forwarder modes at the same time, the Bailiwick check is performed only in resolver mode, but is not used in forwarder mode. Since both modes use a common DNS server cache, this feature can be used to forge request records in resolver mode via cache poisoning when handling requests and responses in forwarder mode.
Our study draws attention to inconsistency in the implementation of security verification logic across different modes of DNS server and software (i.e., recursive resolvers and forwarders), and we call for standardization and agreements among software vendors.
Within the proofs of concept, the researchers proposed two variants of the attack:
- The first variant is "off-path", and can be viable when the attacker cannot intercept the traffic between the attacked DNS server and the upstream DNS server used as "forwarder-а"
- The second proposed attack is "on-path" and this can be viable when an attacker can intercept DNS requests between the attacked DNS server and the forwarder.
In on-path mode, when the attacker received information about the network port number of the outgoing DNS request during traffic analysis, the attack made a request for the domain controlled by the attacker, leading to a call to the attackers' DNS server and, at the same time, dummy responses are sent with data about NS records for the ".com" domain, which are cached.
In March 2022, researchers conducted a global network analysis that identified 154 potentially attackable publicly accessible DNS servers operating simultaneously in redirect and resolver mode. Of these, 955 DNS servers (54949%) used vulnerable software.
All vulnerable DNS servers were subjected to an "on-path" attack, which was carried out when the traffic between the DNS server and the forwarder could be intercepted. The off-path attack variant, in which the attacker did not control the traffic, affected 88,3% of the vulnerable servers.
In addition, it is reported that the attack has been confirmed for DNS servers such as BIND, Knot, Technitium and Microsoft DNS, while Unbound, MaraDNS and PowerDNS servers are not affected by the attack. In BIND (CVE-2021-25220) and Knot (CVE-2022-32983), the attack vulnerabilities were fixed in early 2022.
Finally If you are interested in knowing more about itOr, you can check the details in the following link