MaginotDNS Attacks Exploit Weak Checks for DNS Cache Poisoning

Cyber Security Threat Summary:
Researchers from UC Irvine and Tsinghua University have presented a cache poisoning attack, named 'MaginotDNS', against Conditional DNS (CDNS) resolvers: servers that resolve most names recursively but forward queries for configured zones to an upstream server, using one shared cache for both roles. The attack exploits an inconsistency in how DNS software validates responses in the two modes. Recursive mode enforces a bailiwick check that discards records outside the zone that was queried, while forwarding mode in the affected software applied a weaker check or none, so a forged response to a forwarded query can plant records for an unrelated zone, up to and including the NS records of an entire top-level domain (TLD), in the shared cache. Internet-wide scanning by the researchers found roughly one-third of CDNS servers vulnerable. The work was presented at Black Hat 2023. The flaws identified in BIND9, Knot Resolver, Microsoft DNS and Technitium have been fixed at the software level, but a resolver is protected only once its administrator has applied the patches and the recommended configuration.

Security Officer Comments:
To poison the cache the attacker must get a forged response accepted in place of the legitimate one, which means matching the 16-bit transaction ID and the UDP source port of the resolver's outstanding query. An on-path attacker who runs, or can intercept traffic to, the malicious server the resolver forwards to sees both values and simply answers with a crafted response; an off-path attacker has to guess them, by brute force or through a side channel that leaks the port. Matching those parameters is the same hurdle earlier poisoning attacks faced; what is new in MaginotDNS is where the forged data lands. Because a CDNS keeps one global cache for both modes, a response accepted under forwarding mode's weaker validation is served to every later recursive lookup that consults those records, so the attacker crosses the boundary the bailiwick check was meant to enforce. The researchers' internet scans located exposed, vulnerable CDNS servers, and the underlying flaws were confirmed in BIND9, Knot Resolver, Microsoft DNS and Technitium; all four vendors have addressed them.
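
The mechanism above, as an added worked example that is not the researchers' tooling and not any vendor's code: a toy CDNS resolver with one cache shared by its recursive and forwarding modes, a TXID/source-port match on incoming responses, and a bailiwick check that is always applied in recursive mode but only applied in forwarding mode when `strict_forward_check` is set. Zone names, addresses, TXIDs and ports are constructed (RFC 5737 documentation ranges), and the model simplifies the recursive bailiwick to the TLD of the queried name.

```python
"""Toy model of a conditional DNS (CDNS) resolver whose recursive and forwarding
modes share one cache. Constructed for this write-up; not the researchers' tooling
and not any vendor's code. Names, addresses, TXIDs and ports are made up."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class RR:
    name: str    # absolute owner name, e.g. "com."
    rtype: str   # "A" or "NS" is enough for the model
    rdata: str

@dataclass
class Response:
    qname: str
    txid: int    # 16-bit transaction ID the resolver put in its query
    sport: int   # UDP source port the resolver sent the query from
    answer: List[RR]
    authority: List[RR] = field(default_factory=list)
    additional: List[RR] = field(default_factory=list)

def in_bailiwick(zone: str, name: str) -> bool:
    """True when name is at or below zone (both absolute names)."""
    zone, name = zone.lower(), name.lower()
    return name == zone or name.endswith("." + zone)

class CDNSResolver:
    def __init__(self, forward_zones: List[str], strict_forward_check: bool):
        self.forward_zones = forward_zones
        self.strict_forward_check = strict_forward_check   # False = vulnerable
        self.cache: Dict[Tuple[str, str], str] = {}        # shared by both modes
        self.pending: Dict[str, Tuple[int, int]] = {}      # qname -> (txid, sport)

    def mode_for(self, qname: str) -> Tuple[str, str]:
        """Forwarding mode for configured zones, recursion otherwise. Toy model:
        a recursive query goes to the TLD's servers, so its bailiwick is the TLD."""
        for zone in self.forward_zones:
            if in_bailiwick(zone, qname):
                return "forward", zone
        return "recurse", qname.rstrip(".").split(".")[-1] + "."

    def send_query(self, qname: str, txid: int, sport: int) -> None:
        self.pending[qname] = (txid, sport)

    def accept(self, resp: Response) -> List[RR]:
        """Validate a response and return the records that reached the cache."""
        # A response must match an outstanding query's TXID and port; an off-path
        # attacker has to guess both (brute force or a port-leaking side channel).
        if self.pending.get(resp.qname) != (resp.txid, resp.sport):
            return []
        del self.pending[resp.qname]
        mode, zone = self.mode_for(resp.qname)
        # The inconsistency MaginotDNS exploits: recursive mode always applies the
        # bailiwick check, forwarding mode only does so when the fix is in place.
        check_bailiwick = mode == "recurse" or self.strict_forward_check
        cached: List[RR] = []
        for rr in resp.answer + resp.authority + resp.additional:
            if check_bailiwick and not in_bailiwick(zone, rr.name):
                continue                      # out-of-bailiwick record dropped
            self.cache[(rr.name, rr.rtype)] = rr.rdata
            cached.append(rr)
        return cached

    def nameserver_for(self, qname: str) -> Optional[str]:
        """Address a recursive lookup of qname would go to, from cached NS/A data."""
        labels = qname.rstrip(".").split(".")
        for i in range(len(labels)):
            ns = self.cache.get((".".join(labels[i:]) + ".", "NS"))
            if ns is not None:
                return self.cache.get((ns, "A"))
        return None

def maginot_scenario(strict: bool) -> Tuple[List[RR], Optional[str]]:
    """Forge one forwarded answer, then see where a .com lookup would be sent."""
    r = CDNSResolver(forward_zones=["corp.example."], strict_forward_check=strict)
    r.cache[("com.", "NS")] = "a.gtld-servers.net."       # legitimate state
    r.cache[("a.gtld-servers.net.", "A")] = "192.0.2.10"  # constructed address
    # The attacker induces a lookup inside the forwarded zone and races the
    # upstream with a response whose authority/additional sections claim that
    # .com is served by an attacker-controlled host.
    r.send_query("lookup.corp.example.", txid=0x1A2B, sport=40123)
    forged = Response(
        qname="lookup.corp.example.", txid=0x1A2B, sport=40123,
        answer=[RR("lookup.corp.example.", "A", "198.51.100.5")],
        authority=[RR("com.", "NS", "ns.evil.example.")],
        additional=[RR("ns.evil.example.", "A", "203.0.113.7")],
    )
    cached = r.accept(forged)
    return cached, r.nameserver_for("bank.com.")

def wrong_guess_rejected() -> bool:
    """An off-path forgery with the wrong TXID never reaches the cache logic."""
    r = CDNSResolver(["corp.example."], strict_forward_check=False)
    r.send_query("lookup.corp.example.", txid=0x1A2B, sport=40123)
    bad = Response("lookup.corp.example.", 0x1A2C, 40123,
                   [RR("lookup.corp.example.", "A", "198.51.100.5")])
    return r.accept(bad) == [] and r.cache == {}
```

With `strict_forward_check=False` the forged `com. NS` record overwrites the genuine entry and `maginot_scenario(False)` reports that a lookup of `bank.com.` would now be sent to 203.0.113.7, even though that name was never part of the forwarded query; with the check in place only the answer for `lookup.corp.example.` survives and `.com` resolution still goes to 192.0.2.10. `wrong_guess_rejected()` shows the hurdle an off-path attacker still faces: a response whose TXID or port does not match the pending query is discarded before any cache logic runs.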

Suggested Correction(s):
Administrators running a CDNS configuration (a resolver that both recurses and forwards) should upgrade BIND9, Knot Resolver, Microsoft DNS or Technitium to a release that carries the fix, then review the resolver configuration against the vendor's guidance so that responses to forwarded queries are validated as strictly as recursive ones; patching alone does not help if the configuration still bypasses the check. Where a fixed release cannot be deployed promptly, running the forwarding and recursive roles on separate resolver instances removes the shared cache the attack depends on.

Link(s):
https://www.bleepingcomputer.com/