SAD DNS is a new threat similar to the original cache poisoning attack from 12 years ago.

In 2008, Domain Name System (DNS) server cache poisoning was a big threat to Internet safety. By redirecting the results from DNS searches with false Internet Protocol (IP) addresses, hackers could redirect a user’s web browser away from the safe site they intended and land them on a fake site loaded with malware.

Researcher Dan Kaminsky revealed this threat at the time, which was essentially a weakness in the domain name system. Eventually, with industry wide coordination, DNS providers worldwide patched their systems and DNS cache poisoning attacks became rare.

Now, researchers at the University of California at Riverside have found a side-channel attack that hackers can use against the most popular DNS software stacks. They call the new threat SAD DNS.

Vulnerable programs include the widely used BIND, Unbound, and dnsmasq running on top of Linux and other operating systems. The major vulnerability occurs when the DNS server’s operating system and network are allow Internet Control Message Protocol ICMP error messages. 

Here’s how it works

First, the attacker uses a vice to spoof IP addresses and a computer able to trigger a request out of a DNS forwarder or resolver. Forwarders and resolvers help work out where to send DNS requests. For example, attackers can launch a forwarder attack by logging into a LAN managed by a wireless router. The attack can even take place from such as a school or library public wireless network. Public DNS resolvers, such as Cloudflare’s 1.1.1.1 and Google 8.8.8.8, are also vulnerable.

“This is a pretty big advancement that is similar to Kaminsky’s attack for some resolvers, depending on how [they’re] actually run,” said Nick Sullivan, head of research at Cloudflare. “This is amongst the most effective DNS cache poisoning attacks we’ve seen since Kaminsky’s attack. It’s something that, if you do run a DNS resolver, you should take seriously.”