DNS Cache Poisoning Attack: Resurrections with Side Channels

This paper presents novel side channels in the handling of ICMP errors, a previously overlooked attack surface. The side channels can be exploited to perform high-speed off-path UDP ephemeral port scans, allowing an attacker to effectively poison the cache of a DNS server in minutes. The paper also includes mitigations against the attack.


“DNS is one of the fundamental and ancient protocols on the Internet that supports many network applications and services. Unfortunately, DNS was designed without security in mind and is subject to a variety of serious attacks, one of which is the well-known DNS cache poisoning attack. Over the decades of evolution, it has proven extraordinarily challenging to retrofit strong security features into it. To date, only weaker versions of defenses based on the principle of randomization have been widely deployed, e.g., the randomization of UDP ephemeral port number, making it hard for an off-path attacker to guess the secret. However, as it has been shown recently, such randomness is subject to clever network side channel attacks, which can effectively derandomize the ephemeral port number.

In this paper, we conduct an analysis of the previously overlooked attack surface, and are able to uncover even stronger side channels that have existed for over a decade in Linux kernels. The side channels affect not only Linux but also a wide range of DNS software running on top of it, including BIND, Unbound and dnsmasq. We also find about 38% of open resolvers (by frontend IPs) and 14% (by backend IPs) are vulnerable including the popular DNS services such as OpenDNS and Quad9. We have extensively validated the attack experimentally under realistic configuration and network conditions and showed that it works reliably and fast.”

Find the technical paper link here.

Published 11/2021

Keyu Man, Xin’an Zhou, and Zhiyun Qian. 2021. DNS Cache Poisoning
Attack: Resurrections with Side Channels. In Proceedings of the 2021 ACM
SIGSAC Conference on Computer and Communications Security (CCS ’21),
November 15–19, 2021, Virtual Event, Republic of Korea. ACM, New York, NY,
USA, 15 pages. https://doi.org/10.1145/3460120.3486219
