ICANN DNS Symposium | May 2021

Abstract

In today’s DNS infrastructure, DNS forwarders are devices standing in between DNS clients and recursive resolvers. The devices often serve as ingress servers for DNS clients, and instead of resolving queries, they pass the DNS requests to other servers. Because of the advantages and several use cases, DNS forwarders are widely deployed and queried by Internet users. However, studies have shown that DNS forwarders can be more vulnerable devices in the DNS infrastructure. In this paper, we present a cache poisoning attack targeting DNS forwarders. Through this attack, attackers can inject rogue records of arbitrary victim domain names using a controlled domain, and circumvent widely-deployed cache poisoning defences. By performing tests on popular home router models and DNS software, we find several vulnerable implementations, including those of large vendors (e.g., D-Link, Linksys, dnsmasq and MS DNS). Further, through a nationwide measurement, we estimate the population of Chinese mobile clients which are using vulnerable DNS forwarders. We have been reporting the issue to the affected vendors, and so far have received positive feedback from three of them. Our work further demonstrates that DNS forwarders can be a soft spot in the DNS infrastructure, and calls for attention as well as implementation guidelines from the community.

Date
May 25, 2021 12:00 PM — May 27, 2021 3:45 PM
Location
Held online

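At the 4th ICANN DNS Symposium, held online in 2021, I presented a new type of DNS cache poisoning attack proposed by Xiaofeng, a senior colleague in our lab.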

Xiang Li (李想)
PhD candidate (Cyberspace Security), Tsinghua University

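Xiang Li is a fourth-year PhD candidate at the Institute for Network Sciences and Cyberspace, Tsinghua University, advised by Associate Professor Qi Li and Professor Haixin Duan. He is a member of the Network and Information Security Lab (NISL) and a security research intern at QI-ANXIN. He is currently a visiting scholar in the research group of Assistant Professor Zhou Li at the University of California, Irvine. He is also the developer and maintainer of XMap, an open-source network scanner. His research interests include network security, protocol security, IPv6 security, DNS security, and Internet measurement. As first author, he has published 3 papers at top network security conferences, covering USENIX Security, NDSS, and DSN. In vulnerability research, he has discovered multiple new, major IPv6 and DNS vulnerabilities and received 130+ vulnerability identifiers (CVE/CNVD); the IPv6 vulnerabilities he found affected dozens of router vendors. He has also discovered vulnerabilities in the design and implementation of the DNS protocol that affected all DNS software and implementations. He has received acknowledgements and rewards from a number of well-known Internet companies, including Google, Microsoft, Cloudflare, and Akamai, and is actively working to advance improvements to the DNS protocol standards.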