MaginotDNS is a powerful cache poisoning attack against DNS servers that simultaneously act as forwarder and recursive resolver (termed as CDNS). The attack is made possible by exploiting vulnerabilities in the bailiwick checking algorithms, one of the cornerstones of DNS security since the 1990s, and affects multiple versions of popular DNS software, including BIND and Microsoft DNS. Through field tests, we find that the attack is potent, allowing attackers to take over entire DNS zones, even including Top-Level Domains (e.g., .com and .net), which provides a more powerful cache poisoning opportunity than previous attacks.
Through a large-scale measurement study, we also confirm the extensive usage of CDNSes in real-world networks (up to 41.8% of our probed open DNS servers) and find that at least 35.5% of all CDNSes are vulnerable to MaginotDNS. After interviews with ISPs, we show a wide range of CDNS use cases and real-world attacks. We have reported all the discovered vulnerabilities to DNS software vendors and received acknowledgments from all of them. 3 CVE-ids have been assigned and published, and 2 vendors have fixed their software.
Our study brings attention to the implementation inconsistency of security checking logic in different DNS software and server modes (i.e., recursive resolvers and forwarders), and we call for standardization and agreements among software vendors.
Professor Zhou Li is a tenure-track assistant professor in the department of Electrical Engineering & Computer Science of University of California, Irvine. His research focus is system security and privacy.
Michael Smith is Vercara's Field Chief Technology Officer and is responsible for the organization's overall technology strategy including product management, threat intelligence, customer support, and sales and channels enablement. Smith initially started as a Russian translator in the U.S. Army, before serving in CTO roles in startups and information security officer roles leading major government security projects. With over 30 years of experience in cybersecurity, information technology, and intelligence, he has managed high-profile incidents such as the wave of DDoS attacks against major U.S. banks in 2012 and 2013 and attacks by e-commerce account takeover gangs, as well as security monitoring for the 2014 FIFA World Cup and 2014 Winter Olympic Games, and preparations for both the 2018 and 2020 Olympic Games.
