DNS Cache Poisoning Like it's 2006

Omer Ben-Simhon and Amit Klein, Hebrew University of Jerusalem

The Domain Name System (DNS) underpins virtually all Internet services, making the integrity of DNS resolution critical to security and availability. We present a comprehensive study of a novel class of DNS cache poisoning attacks against BIND 9, the most widely deployed open-source DNS resolver. Our attack rests on two key capabilities that set it apart from most prior work: (1) reliably predicting both critical challenge parameters, the UDP source port and the TXID, whereas most existing attacks target only one; and (2) performing this prediction entirely from the client side, without attacker-operated authoritative servers for attacker domains, which to our knowledge is a first. We achieve this by exploiting weaknesses in BIND's pseudo-random number generation, enabling highly reliable prediction even under realistic network conditions. In addition to the client-side-only techniques, we develop server-side techniques that are needed to attack the older 9.18 branch of BIND 9. We evaluate our attacks and demonstrate practical success rates across multiple BIND 9 release branches and configurations. All vulnerabilities were responsibly disclosed to the Internet Systems Consortium (ISC) and the FreeBSD Project, leading to two patches, CVE assignments, and acknowledgments.
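To make concrete why predicting both challenge parameters matters, the following model (an added illustration, not code from the paper or from BIND) builds a minimal DNS response in wire format and models a resolver that accepts an off-path answer only when it arrives on the outstanding query's UDP source port and carries its TXID. It then compares the guessing space and the cost of a blind spray when the attacker can predict the port, the TXID, both, or neither. The ephemeral port range, the 16-bit TXID, the sequential guessing order and the sample names and addresses are assumptions made for the model; it does not model any BIND PRNG weakness or the paper's prediction technique, only the consequence of such a prediction.

```python
import random
import struct

# Assumptions for this model (not taken from the paper): the resolver draws its
# UDP source port uniformly from this ephemeral range and its TXID from all 16 bits.
PORT_LO, PORT_HI = 1024, 65535
PORT_SPACE = PORT_HI - PORT_LO + 1
TXID_SPACE = 1 << 16


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname in DNS wire format (length-prefixed labels, zero terminator)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in labels) + b"\x00"


def build_query(txid: int, qname: str) -> bytes:
    """Minimal recursive A query: 12-byte header plus one question, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)


def build_response(txid: int, qname: str, ip: str) -> bytes:
    """Forged authoritative-looking answer carrying the chosen TXID and one A record."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(octet) for octet in ip.split("."))
    # 0xC00C is a compression pointer to the QNAME at offset 12 (start of question).
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + question + answer


def parse_txid(pkt: bytes) -> int:
    """TXID is the first 16-bit field of the header."""
    return struct.unpack("!H", pkt[:2])[0]


def resolver_accepts(pending, dst_port: int, pkt: bytes) -> bool:
    """The classic (2006-era) acceptance test modeled here: the response must hit the
    outstanding query's source port and repeat its TXID. Question matching is assumed."""
    query_port, query_txid = pending
    return dst_port == query_port and parse_txid(pkt) == query_txid


def challenge_space(port_known: bool, txid_known: bool) -> int:
    """Number of (port, txid) pairs an off-path attacker must cover."""
    return (1 if port_known else PORT_SPACE) * (1 if txid_known else TXID_SPACE)


def expected_packets(port_known: bool, txid_known: bool) -> float:
    """Mean forged responses until the first hit when guessing each pair at most once."""
    return (challenge_space(port_known, txid_known) + 1) / 2


def simulate_race(port_known: bool, txid_known: bool, seed: int = 1, budget: int = 200_000):
    """One race: the resolver picks its challenge; the attacker sprays guesses in a fixed
    order, fixing whichever parameter it can predict. Returns packets sent, or None if
    the budget (e.g. the window before the real answer lands) runs out first."""
    rng = random.Random(seed)
    pending = (rng.randint(PORT_LO, PORT_HI), rng.randrange(TXID_SPACE))
    ports = [pending[0]] if port_known else range(PORT_LO, PORT_HI + 1)
    txids = [pending[1]] if txid_known else range(TXID_SPACE)
    sent = 0
    for port in ports:
        for txid in txids:
            sent += 1
            if sent > budget:
                return None
            forged = build_response(txid, "www.example.com", "203.0.113.7")  # constructed sample
            if resolver_accepts(pending, port, forged):
                return sent
    return None


if __name__ == "__main__":
    for port_known, txid_known in [(False, False), (True, False), (False, True), (True, True)]:
        print(f"port_known={port_known!s:5} txid_known={txid_known!s:5} "
              f"space={challenge_space(port_known, txid_known):>10} "
              f"E[packets]={expected_packets(port_known, txid_known):>12.1f} "
              f"one race -> {simulate_race(port_known, txid_known)}")
```

Knowing the source port alone leaves a 16-bit TXID search (tens of thousands of packets per race, the Kaminsky-style situation); knowing both collapses the race to a single forged response, which is what makes a prediction of both parameters, rather than one, the decisive capability.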

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.