SAD DNS

Introduction

SAD DNS is a revival of the classic DNS cache poisoning attack (which no longer works since 2008) leveraging novel network side channels that exist in all modern operating systems, including Linux, Windows, macOS, and FreeBSD. This represents an important milestone --- the first weaponizable network side channel attack that has serious security impacts. The attack allows an off-path attacker to inject a malicious DNS record into a DNS cache (e.g., in BIND, Unbound, dnsmasq).

DNS is a universal protocol on the Internet, which translates the human-readable domain names into computer-readable IP addresses. Almost every networking application relies on it. More specifically, SAD DNS attack allows an attacker to redirect any traffic (originally destined to a specific domain) to his own server and then become a man-in-the-middle (MITM) attacker, allowing eavesdropping and tampering of the communication.


Publications

DNS Cache Poisoning Attack Reloaded: Revolutions with Side Channels (Distinguished Paper Award) [PDF] [Slides] [Video]
Keyu Man, Zhiyun Qian, Zhongjie Wang, Xiaofeng Zheng, Youjun Huang, Haixin Duan
In Proceedings of the ACM Conference on Computer and Communications Security (CCS '20), November 9-13, 2020, Virtual Event, USA.

Q&A

Likely, as long as you are using a vulnerable DNS service (e.g., 8.8.8.8 or 1.1.1.1). Most public resolvers have been checked to be vulnerable. If you are using private DNS services (i.e., those provided by your ISP or your organization), we do not have sufficient data but there is a good chance that it is vulnerable as well. Refer to this question for more details.

Any networking application that uses DNS to retrieve the IP address of peers/servers is affected. Besides, vulnerable/affected DNS software includes, but is not limited to, BIND, Unbound and dnsmasq.

According to our measurement, 35% of open resolvers are vulnerable to the attack. We also found 12/14 public resolvers and 4/6 routers made by well-known brands to be vulnerable. In theory, any DNS server running newer versions of popular operating systems without blocking outgoing ICMP (only Windows blocks it by default) is also vulnerable. Refer to this question for the versions of the vulnerable operating systems.

No, the attack happens transparently to the end-user. Only your ISP or DNS providers can potentially detect it (e.g., through IDS). Refer to this question.

Unlike a bug that affects a certain piece of software, SAD DNS leverages fundamental flaws (e.g., network side channels) in the networking stack of operating systems. Furthermore, this represents the first weaponizable network side channel attack against high profile network applications.

Mostly implementation. Specifically, it is the global rate limit on outgoing ICMP messages described in RFC 1812, Section 4.3.2.8, that introduces the side channel.

We do not know yet but we have responsibly disclosed the vulnerability months before publishing the paper. It is likely many servers are patched already.

Yes, we have worked with the Linux kernel security team and developed a patch that randomizes the ICMP global rate limit to introduce noise into the side channel. Please refer to Security Advisories for more recent updates.

  • Linux 3.18-5.10
  • Windows Server 2019 (version 1809) and newer (we did not test older versions)
  • macOS 10.15 and newer (we did not test older versions)
  • FreeBSD 12.1.0 and newer (we did not test older versions)
The patch for Linux is integrated into 5.10 and backported to many stable versions. However, we don't know how and when Windows/macOS/FreeBSD will patch this vulnerability.

SAD DNS = Side channel AttackeD DNS.

Possibly. The following may be effective:
  • Detect the timing pattern of the traffic: the attack sends a burst of packets every 50 ms.
  • Detect UDP port scanning.
  • Detect wrong TxIDs in incoming DNS responses: the attack needs to brute force the TxID, whereas normal DNS responses are unlikely to carry a wrong TxID value.
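As an added example (not code from the SAD DNS site or its PoC), the three detection heuristics above run over constructed packet records seen at a resolver's edge; the Packet fields, thresholds and sample values are assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:                 # hypothetical per-packet record from a sensor
    time_ms: int              # arrival time at the resolver, milliseconds
    src: str                  # source IP of the packet
    dst_port: int             # destination UDP port on the resolver
    txid: Optional[int]       # DNS transaction ID, None for non-DNS probes

def detect_port_scan(packets, max_ports=64):
    """Sources touching more distinct UDP ports than a client plausibly would."""
    ports = defaultdict(set)
    for p in packets:
        ports[p.src].add(p.dst_port)
    return {src for src, seen in ports.items() if len(seen) > max_ports}

def detect_wrong_txid(packets, outstanding):
    """Per-source count of DNS responses whose TxID does not match the query
    the resolver has outstanding on that port (outstanding: port -> TxID)."""
    wrong = defaultdict(int)
    for p in packets:
        if p.txid is not None and outstanding.get(p.dst_port) != p.txid:
            wrong[p.src] += 1
    return dict(wrong)

def detect_bursts(packets, period_ms=50, tol_ms=5, min_repeats=3):
    """Sources whose bursts of packets recur roughly every period_ms."""
    times = defaultdict(list)
    for p in packets:
        times[p.src].append(p.time_ms)
    flagged = set()
    for src, ts in times.items():
        ts.sort()
        # a gap larger than tol_ms between consecutive packets starts a new burst
        starts = [t for i, t in enumerate(ts) if i == 0 or t - ts[i - 1] > tol_ms]
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        if sum(abs(g - period_ms) <= tol_ms for g in gaps) >= min_repeats:
            flagged.add(src)
    return flagged

# Constructed sample: one legitimate responder, and one source that probes many
# ports and guesses TxIDs in bursts every 50 ms (all values invented here).
OUTSTANDING = {40001: 0x1234, 40002: 0x5678}
SAMPLE = [Packet(7, "192.0.2.10", 40001, 0x1234), Packet(63, "192.0.2.10", 40002, 0x5678)]
SAMPLE += [Packet(b * 50 + i, "198.51.100.7", 30000 + b * 20 + i, None)
           for b in range(5) for i in range(20)]
SAMPLE += [Packet(b * 50 + 3, "198.51.100.7", 40001, 0x1000 + b) for b in range(5)]
```

Each function returns the set (or count) of sources it flags, so the three signals can be combined or scored independently in an IDS rule.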

No, ironically NAT would even make patched DNS servers vulnerable again, because the NAT gateway itself is subject to port scanning. Please consider patching the NAT gateway as well.

No, this is a totally off-path attack. The attacker is not required to sniff the traffic between the DNS servers, but a key requirement is that the attacker has the IP spoofing capability to impersonate the legitimate server. IP Spoofing is still feasible today.

There are three kinds of actions that could be taken to mitigate the attack:
  • Destroy the side channel
    • Disable outgoing ICMP
    • Randomize ICMP global rate limit (used by Linux)
  • Add more secrets to DNS messages
    • DNSSEC
    • 0x20 encoding
    • DNS cookie
  • Reduce the attack window
    • Reduce the timeout for outstanding queries

Yes and no. The server must implement strict DNSSEC checks (i.e., refuse responses that break the trust chain) to prevent the off-path attack. However, since DNSSEC is still under development, servers often need to accept such responses (i.e., they are DNSSEC-aware but not DNSSEC-validating) when visiting a misconfigured domain.

No, currently DoH only encrypts the traffic between the DNS client and DNS resolvers. However, SAD DNS attacks the link between resolvers and authoritative name servers, which is not protected by DoH.

Yes, according to CAIDA, 30.5% of ASes did not block packets with spoofed source IP addresses in 2019. In practice, an attacker needs to find only one node that can spoof IPs to carry out such an attack. In fact, such bullet-proof-hosting services can be easily found at low prices ($50) by simply Googling.

Proof of Concept

Code release
View SADDNS on GitHub

PoC Video

External Links

  • Linux kernel: Patch
  • CVE-2020-25705: MITRE, CVE Details
  • Cloudflare: Security Blog
  • UC Riverside: News
  • Ars Technica: News
  • ZDNet: News
  • The Hacker News: News
  • The Daily Swig: News
  • Techzine: News
  • RedHat: CVE, Bug
  • Debian: CVE
  • Canonical: CVE
  • SUSE: CVE, Blog
  • ISC: Resources