Information Assurance

Christina Kawka


Bugtraq Analysis

Windows DNS Cache Poisoning by Forwarder DNS Spoofing

Original Source

What the problem is:

A few years ago it was reported that the Windows DNS server is vulnerable to a cache poisoning attack. This poisoning attack against Windows DNS succeeds when the forwarder DNS server is itself vulnerable to poisoning, or when the forwarder DNS server does not filter out the bogus records sent in the poisoning attack.

Now, however, there appears to be another possible scenario, and in this case the success of the attack does not depend on the type or version of the forwarder DNS server. The risk of Windows DNS cache poisoning is therefore higher than generally perceived.

Windows DNS also has the characteristic that it is vulnerable to DNS spoofing via a "birthday attack". By sending many simultaneous queries and forged replies to the Windows DNS server, an attacker can inject a spoofed reply relatively easily, provided it arrives before the reply from the legitimate DNS server.

Both of these are known vulnerabilities in Windows DNS, and individually neither is high risk, because each requires preconditions to be exploited successfully. However, executing the cache poisoning attack in conjunction with DNS spoofing makes the attack more effective, and the risk is higher than before.

Here is the scenario:

1) The attacker sends many simultaneous recursive queries (e.g. 500 queries) to the Windows DNS server, all resolving a name in the attacker's domain.

2) Windows DNS forwards those queries to the Forwarder DNS server.

3) The Forwarder DNS sends queries to the Attacker DNS server to resolve the name.

4) The Attacker DNS does not reply at all, and the Forwarder DNS waits for a timeout.

5) The attacker sends many simultaneous replies (e.g. 500 replies) spoofing the Forwarder DNS IP address, each with a random query ID. Each reply includes forged resource records intended to poison the Windows DNS cache.

6) Windows DNS accepts a spoofed reply if its query ID matches one of its outstanding queries, and the Windows DNS cache is poisoned.

To accomplish this attack, the attacker must know the UDP source port number of the Windows DNS server. The attacker can learn it simply by sending the Windows DNS server a query for a name in the attacker's domain, because, by default, Windows DNS issues the recursive query itself if the forwarder does not respond.

Windows DNS uses the same source port number until the service restarts. Thus the attacker can use this port number as the UDP destination port of the attacking reply packets.

What could have prevented it?

Windows DNS should not blindly trust replies from the forwarder DNS. Also, it should not cache every resource record it receives regardless of the domain the record belongs to.

What can be done to work around it?

A possible mitigation against birthday attacks (at the server software level) is to not reuse source ports for DNS requests; instead, every request should be issued from a different source port.

Secondly, a table of issued requests could be kept, so that a new request for the same name is not issued before a response to the previous one has been received.

Additionally, there should be monitoring to see if multiple replies are received for a single request.

Lastly, recursive queries to the Windows DNS server from outside of the site should be rejected. This will help to prevent direct attacks from the Internet.

The only complete solution is to stop using a forwarder.

What can be done to prevent it from occurring in the future?
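As an added example (not part of the original analysis), the Python model below puts the mitigations above next to the behaviour the text describes: a birthday-probability estimate for the 500-query/500-reply scenario, and a toy resolver that can either reuse a fixed source port, re-issue duplicate queries and cache any record (the weak behaviour), or keep one outstanding query per name, pick a random source port per query, apply a bailiwick check and count unmatched replies as a monitoring signal. The domain names, addresses and the fixed port value are constructed placeholders.

```python
import random
ID_BITS = 16                   # width of the DNS query ID an attacker must guess
VICTIM = "www.victim.example"  # constructed name the forged record targets
def success_probability(outstanding, replies, guess_bits=ID_BITS):
    """Birthday estimate: P(some spoofed reply matches an outstanding query) over 2**guess_bits values."""
    return 1.0 - (1.0 - outstanding / (1 << guess_bits)) ** replies

def in_bailiwick(owner, qname):
    """The record owner must lie in the zone of the queried name (its parent domain here)."""
    zone = qname.split(".", 1)[1]
    return owner == zone or owner.endswith("." + zone)

class Resolver:
    """Constructed model: defaults apply the mitigations from the text; weak settings mimic Windows DNS."""
    def __init__(self, rng=None, fixed_port=None, dedupe=True, bailiwick=True):
        self.rng = rng or random.Random()
        self.fixed_port, self.dedupe, self.bailiwick = fixed_port, dedupe, bailiwick
        self.pending = {}          # (qid, src_port) -> qname: the table of issued requests
        self.cache, self.unmatched = {}, 0

    def send_query(self, qname):
        if self.dedupe and qname in self.pending.values():  # one outstanding query per name
            return next(k for k, v in self.pending.items() if v == qname)
        qid = self.rng.randrange(1 << ID_BITS)
        port = self.fixed_port or self.rng.randrange(1024, 1 << 16)  # fresh source port per query
        self.pending[(qid, port)] = qname
        return qid, port

    def receive_reply(self, qid, port, qname, records):
        """records: list of (owner, rdata). Returns True if the reply was accepted."""
        if self.pending.get((qid, port)) != qname:
            self.unmatched += 1    # reply for no outstanding query: the signal worth monitoring
            return False
        del self.pending[(qid, port)]
        for owner, rdata in records:
            if not self.bailiwick or in_bailiwick(owner, qname):
                self.cache[owner] = rdata
        return True

def run_scenario(hardened, seed=0, n=500):
    """Steps 1 and 5 of the text: n queries for one attacker-controlled name, then n spoofed replies."""
    rng = random.Random(seed)
    r = Resolver(rng) if hardened else Resolver(rng, fixed_port=53, dedupe=False, bailiwick=False)
    qname, forged = "www.attacker.example", [(VICTIM, "198.51.100.7")]
    for _ in range(n):
        r.send_query(qname)
    for _ in range(n):
        port = rng.randrange(1024, 1 << 16) if hardened else 53  # port must be guessed only if randomized
        r.receive_reply(rng.randrange(1 << ID_BITS), port, qname, forged)
    return VICTIM in r.cache, r.unmatched
```

With the weak settings the forged record lands in the cache roughly 98% of the time for 500 queries against 500 replies; with the hardened settings every spoofed reply is counted as unmatched and nothing outside the queried zone is ever cached.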

DNS servers should not blindly trust replies from forwarder DNS.

Limit what is cached, and check that the cache is not keeping records beyond those that were actually asked for.

Do not build security systems that use or rely on DNS.

Use cryptography such as SSL. Even though the underlying problem remains, it raises the difficulty of exploiting it.