Does subdomain DNS cache poisoning depend on the authoritative name server ignoring requests for non-existing domains?

I'm reading "Introduction to Computer Security", Pearson New International Edition, 1st edition, by Goodrich and Tamassia.

On the subject of DNS cache poisoning, they mention that a "new" attack was discovered in 2008, so-called "subdomain DNS cache poisoning". This is how that attack is supposed to play out:

  1. An attacker makes many requests to a name server for non-existing subdomains, say aaaa.example.com, aaab.example.com, aaac.example.com, etc.
  2. The book mentions that these subdomains don't exist, and that, therefore, the target authoritative name server just ignores the requests.
  3. Simultaneously, the attacker issues spoofed responses to the requests made by the name server under attack, each with a guessed transaction ID (which is randomly chosen and unknown to the attacker).
  4. Because the target authoritative name server ignores requests for non-existing domains, the attacker has opportunity to issue a lot of spoofed responses, making it likely that she will guess the correct transaction ID.

The book was written in 2011, so something might have changed in the meantime. When I dig for a non-existing subdomain, e.g. aaaa.example.com, I get a NXDOMAIN response:

$ dig @a.iana-servers.net. aaaa.example.com. +norecurse

; <<>> DiG 9.16.16 <<>> @a.iana-servers.net. aaaa.example.com. +norecurse
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 20391                                                 
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
# ... snip ...

I would assume that any non-authoritative name server would put this negative result in its cache (as it should according to RFC 2308, written in March 1998).

Was it previously common practice for name servers to ignore (= not send a reply to) requests for non-existing subdomains? Has that been replaced with the NXDOMAIN reply that I see today? Is conducting the attack as described above still possible?

Edit

Turns out it was Dan Kaminsky who thought of this attack.

In this DEF CON video, he explains that at the time (2008), several authoritative name servers would not respond to certain types of DNS queries ("request polluters"), including:

  • Unknown QTYPE (e.g. FOO instead of A)
  • Unknown QCLASS (e.g. BAR instead of IN)
  • Non-existing names
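
A toy simulation of the race in steps 1 to 4 above, added here as an illustration and not code from the book or the question. It assumes an attacker who sweeps 16-bit transaction IDs sequentially, a resolver that accepts a forged reply (together with the glue it carries for the parent zone) whenever TXID and source port match, and a per-query knob forged_before_real: the number of forged packets that land before the genuine reply does. A server that never answers leaves only the resolver's own timeout as a bound on that number, which is modelled as a full sweep of the TXID space. The zone example.com, the IP 192.0.2.66 and all function names are constructed assumptions.

```python
"""Toy model of Kaminsky-style subdomain cache poisoning (added example).

Assumptions (constructed, not from the book or the question): sequential
TXID guessing, one outstanding query per name, forged glue accepted for the
parent zone, 192.0.2.66 as the attacker's address (RFC 5737 test range).
"""
import random
from dataclasses import dataclass, field

TXID_SPACE = 1 << 16   # 16-bit DNS transaction ID
PORT_SPACE = 1 << 16   # 16-bit UDP source port; only secret if randomized

ZONE = "example.com."
ATTACKER_IP = "192.0.2.66"


@dataclass
class Attacker:
    """Floods the resolver with forged replies for the name it just queried.

    Each forged reply guesses the TXID sequentially and, if the resolver
    randomizes source ports, the port at random. A matching reply carries an
    authority/glue record that points the whole zone at ATTACKER_IP, which is
    why one won race on a throwaway subdomain hijacks all of example.com.
    """
    packets_sent: int = 0

    def forge(self, attempt, rng, port_randomized):
        self.packets_sent += 1
        txid_guess = attempt % TXID_SPACE
        port_guess = rng.randrange(PORT_SPACE) if port_randomized else 53
        return txid_guess, port_guess


@dataclass
class Resolver:
    """Toy recursive resolver with positive, negative (RFC 2308) and glue caches."""
    randomize_port: bool = False
    cache: dict = field(default_factory=dict)       # qname -> "NXDOMAIN" or IP
    delegation: dict = field(default_factory=dict)  # zone -> IP of its NS (glue)

    def lookup(self, qname, attacker, forged_before_real, rng):
        """Return (answer, poisoned). A cached name never starts a new race."""
        if qname in self.cache:
            return self.cache[qname], False
        txid = rng.randrange(TXID_SPACE)
        port = rng.randrange(PORT_SPACE) if self.randomize_port else 53
        # The attacker lands `forged_before_real` packets before the genuine
        # reply. If the authoritative server never answers, only the resolver's
        # timeout bounds this (pass TXID_SPACE to model a complete sweep).
        for attempt in range(forged_before_real):
            if attacker.forge(attempt, rng, self.randomize_port) == (txid, port):
                self.cache[qname] = ATTACKER_IP
                self.delegation[ZONE] = ATTACKER_IP   # poisoned glue for the zone
                return ATTACKER_IP, True
        self.cache[qname] = "NXDOMAIN"                 # genuine reply, negatively cached
        return "NXDOMAIN", False


def simulate(names, forged_before_real, randomize_port=False, seed=0):
    """Query `names` fresh non-existent subdomains in turn.

    Returns (1-based index of the query whose race the attacker won, or None,
    and the resolver so its caches can be inspected).
    """
    rng = random.Random(seed)
    resolver = Resolver(randomize_port=randomize_port)
    attacker = Attacker()
    for i in range(1, names + 1):
        qname = f"{i:06x}.{ZONE}"        # a fresh name each time means a fresh race
        _, poisoned = resolver.lookup(qname, attacker, forged_before_real, rng)
        if poisoned:
            return i, resolver
    return None, resolver


def p_success(names, forged_before_real, randomize_port=False):
    """Analytic chance of winning at least one of `names` independent races."""
    secret_space = TXID_SPACE * (PORT_SPACE if randomize_port else 1)
    per_query = min(1.0, forged_before_real / secret_space)
    return 1 - (1 - per_query) ** names


def negative_cache_demo(seed=0):
    """Re-asking a negatively cached name sends no query, so the attacker gets no race."""
    rng = random.Random(seed)
    resolver, attacker = Resolver(), Attacker()
    first, _ = resolver.lookup("aaaa." + ZONE, attacker, 0, rng)
    second, poisoned = resolver.lookup("aaaa." + ZONE, attacker, 10_000, rng)
    return first, second, poisoned, attacker.packets_sent


if __name__ == "__main__":
    print("server never answers, full sweep:", simulate(1, TXID_SPACE)[0])
    print("100 forged packets per query, 1000 names:", p_success(1000, 100))
    print("same with port randomization:", p_success(1000, 100, True))
    print("negative cache demo:", negative_cache_demo())
```

The point the simulation makes is that the attack needs many independent races, not a silent server: every new non-existent name is a new TXID to guess, and the NXDOMAIN reply only ends the race for that one name. Ignoring the query just lengthens each race from one round trip to the resolver's timeout. Source-port randomization multiplies the secret the attacker must guess by another 65536, which is what the 2008 patches did.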