December 5, 2020

Researchers have discovered new weaknesses in the DNS system that allow cache poisoning


DNS is the domain name resolution system. Our Internet life relies completely on key infrastructure such as DNS. Although DNS is very important, vulnerabilities in it are inevitably discovered. In 2008, the cache system used by DNS was found to have a weakness that could be used for poisoning, that is, for making a user's query for a domain name return an IP address from a range controlled by an attacker.

Attackers can use this method to hijack specific domain names, for example directing users to phishing websites and stealing their accounts and passwords. The maintainers later repaired the DNS system by adopting randomized port numbers instead of the fixed port 53 that DNS is conventionally known for. Random port numbers help mitigate such attacks by making it difficult for an attacker to guess the port number and obtain the original transaction ID supplied by DNS.

However, researchers from Tsinghua University, the University of California, and the security company Qi-AnXin Group found that the port used by DNS can be inferred through a side-channel attack. Once the correct port is obtained, the earlier cache-poisoning technique can be used again, so that queries for a hijacked website once more return the attacker's address.

The researchers said that the kernels of Windows, Linux and macOS all currently have this weakness. Take Linux as an example: to save bandwidth, the Linux kernel's built-in rate limiter caps incoming requests at 1000 per second and uses a counter to track them. If none of these 1000 requests hits the port DNS is actually using, each of them receives an "invalid" (error) response.

The interesting thing is that for a request received on a valid open port the counter is not decremented and the server returns no error. This means that an attacker can work out the correct port by sending 1000 packets per second to random ports and observing the responses.

Finding the correct port among the 1000 candidates is relatively simple, and with the correct port the earlier vulnerability can be used for poisoning. The security industry recommends that Linux randomize the maximum value of the DNS rate-request limiter (in theory up to 65536) so that it becomes difficult for an attacker to guess the correct port quickly.
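As an added illustration (not code from the article or from the researchers), the following Python toy model replays the counter behaviour described above and shows why a fixed limit of 1000 yields a clean one-bit signal while redrawing the limit at random each second, the recommended fix, blurs it. The open port number, the random seed and the randomization range are constructed assumptions.

```python
import random

# Constructed values for this toy model: the resolver's single open query
# port and the per-second limit of 1000 error replies quoted above.
OPEN_PORT = 40123
FIXED_LIMIT = 1000
_RNG = random.Random(2020)  # seeded so the simulation is repeatable

class ErrorRateLimiter:
    """At most `limit` error replies per second; a probe that hits the open
    port gets no reply and does not consume the budget."""
    def __init__(self, limit, open_port=OPEN_PORT):
        self.remaining = limit
        self.open_port = open_port

    def probe(self, port):
        if port == self.open_port:
            return "silent"   # open port: no error, counter untouched
        if self.remaining > 0:
            self.remaining -= 1
            return "error"    # closed port, still within budget
        return "dropped"      # budget for this second is exhausted

def budget_left_after_burst(limit, hits_open_port):
    """Replay 1000 probes to distinct candidate ports (optionally one of
    them the open port) and report how much budget is left over."""
    ports = list(range(10000, 11000))
    if hits_open_port:
        ports[0] = OPEN_PORT
    limiter = ErrorRateLimiter(limit)
    for port in ports:
        limiter.probe(port)
    return limiter.remaining

def observation_says_hit(limit, hits_open_port):
    # The one-bit signal the article describes: budget left after the burst
    # means one probe was swallowed by the open port.
    return budget_left_after_burst(limit, hits_open_port) >= 1

def signal_accuracy(limit_fn, trials=200):
    """Fraction of trials where the signal matches the truth: 1.0 for the
    fixed limit; about 0.5 once the limit is redrawn at random each second,
    because budget is then almost always left over whether or not a probe hit."""
    correct = sum(observation_says_hit(limit_fn(), i % 2 == 0) == (i % 2 == 0)
                  for i in range(trials))
    return correct / trials

def randomized_limit():
    # Assumed shape of the fix: a fresh limit in [FIXED_LIMIT, 65536] each second.
    return _RNG.randint(FIXED_LIMIT, 65536)
```

Run `signal_accuracy(lambda: FIXED_LIMIT)` against `signal_accuracy(randomized_limit)` to see the signal collapse from certainty to a coin flip.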

Linux incorporated the automatic randomization of the rate limit into the kernel on October 16, 2020. Of course, it will certainly take a long time for all Linux devices to move to the new kernel. Windows and macOS have not yet repaired this problem. I don’t know when Microsoft and Apple are going to fix it.