Linux Kernel Detected With New Side-Channel Vulnerability

Various DNS attacks have been reported in the past, including the recently revealed SAD DNS.


New research published by a group at the University of California, Riverside, demonstrates previously unnoticed side channels in the Linux kernel that can be used to attack DNS servers.

According to the researchers, the problem with DNS stems from its design, which never prioritized security and so makes it very difficult to retrofit robust security features.

Although DNS security features such as DNSSEC and DNS cookies exist, the researchers note that they are not widely deployed because of backward-compatibility concerns. In practice, the only protection that has seen broad use has been randomizing the UDP ports (ephemeral ports) used for queries, so that an attacker cannot easily guess them.

As a consequence, various DNS attacks have been reported in the past, including the recently revealed SAD DNS, a variant of DNS cache poisoning that lets an attacker insert malicious DNS records into a resolver's cache, routing traffic to their own server and thereby becoming a man-in-the-middle (MITM). Subsequently, some of the researchers who first reported SAD DNS discovered side-channel vulnerabilities in the Linux kernel that had gone unnoticed for over a decade.

The study focuses on two kinds of ICMP error message: ICMP fragmentation needed (ICMP packet too big in IPv6) and ICMP redirect. As the researchers demonstrate, the Linux kernel processes these messages using shared resources, and those shared resources constitute side channels.

In practice, this means an attacker can send ICMP probes aimed at a guessed port. If the guessed port is correct, the state of the shared resource changes in a way that can be observed indirectly, confirming the guess. One such probe, for example, can lower the MTU the server uses, causing its subsequent responses to be fragmented.

According to the researchers, the newly found side channels affect the most popular DNS software, including BIND, Unbound and dnsmasq running on Linux; an estimated 13.85% of open resolvers are affected. The researchers also demonstrate an end-to-end attack against one of the latest BIND resolvers and against a home router, each taking only minutes to complete.

The attack can be prevented by configuring suitable socket options, for example asking the operating system not to accept ICMP fragmentation-needed messages, which eliminates that side channel; by randomizing the kernel's shared caching structure itself; and by refusing ICMP redirects. Following the disclosure, the Linux kernel has been patched to randomize the shared kernel structure for both IPv4 and IPv6.