A research team at the University of California Riverside discloses a large-scale DNS spoofing threat. The researchers managed to flood Linux resolvers with forged IP addresses to pose as a trustworthy Domain Name Server (DNS) and redirect end users to dangerous websites. According to the team, the attack can be performed on 38 percent of millions of open DNS resolvers.

Misuse of Domain Name Servers (DNS spoofing) is as old as the Internet. Domain Name Servers are responsible for translating URLs into IP addresses. When inputting a website URL in a browser, a so-called DNS Resolver forwards the term to a DNS. The DNS knows which IP address equals the URL and sends the information back to the DNS Resolver. You end up at the desired location without having to know or enter the IP address of a website yourself.

The DNS Resolver is usually offered by an Internet service provider. Sometimes an organization sets up the server itself. In either case, the resolver remembers the IP address passed on by a Domain Name Server. In this way, the server can answer subsequent queries more quickly – and thus redirect users to the right website more quickly. In other words: caching.

As long as the IP address is correct, said caching is effective. From the moment the DNS passes on an incorrect IP address for the requested URL, a problem arises. The resolver remembers the wrong address and will redirect end users to the wrong website in the future. Although reputable DNSs are always correct, malicious people can impersonate a reputable DNS to plant false information in a resolver’s memory.

Old and new cache poisoning attacks

In 2008, a practical method for the latter came to light. Resolvers at the time used a transaction ID to confirm whether a requested IP address was delivered by a trusted DNS. If no one had access to this transaction ID, no one could pretend to be a trustworthy DNS. At least, that was the idea. The transaction ID had 65,536 possible combinations. Security specialist Dan Kaminsky managed to send 65,536 packets with the wrong IP address to a resolver before the actual, trusted DNS came up with the correct answer. As such, the resolver redirected an URL to a website of Kaminsky’s choosing. And, thanks to its memory, it continued to do so. As it turned out, it was possible to redirect a URL like ‘google.com’ to phishing websites. Kaminsky christened the cache poisoning attack.

Not long after, the problem was tackled industry-wide. Before 2008, traffic between a resolver and Domain Name Server always went over a single port: number 53. Currently, the resolver and DNS choose a random port per request. The number of possible combinations is too large to effectively flood the resolver with guesses.

However, as it turns out, managing to find out the port number first and proceeding to barrage the resolver with a flood of transaction ID’s, still allows for the manipulation of resolver memory. A research team at the University of California Riverside pulled it off. The researchers performed a successful cache poisoning attack by abusing a Linux kernel feature. According to the team, the achievement shows that 38 percent of all millions of global open resolvers are at risk of DNS spoofing. That includes OpenDNS, a very popular Cisco resolver service. Cisco received the research report and acknowledged the problem. The organization closed the hole and states that OpenDNS is now safe to use.

Tip: DNS data is a gold mine, but integration is necessary