1. The Hitchhiker’s Guide to DNS Cache Poisoning

http://www.cs.utexas.edu/~shmat/shmat_securecomm10.pdf

Sooel Son and Vitaly Shmatikov, The University of Texas at Austin

Abstract.

DNS cache poisoning is a serious threat to today’s Internet.
We develop a formal model of the semantics of DNS caches, including the bailiwick
rule and trust-level logic, and use it to systematically investigate different types
of cache poisoning and to generate templates for attack payloads.

We explain the impact of the attacks on DNS resolvers such as BIND, MaraDNS, and Unbound
and their implications for several defenses against DNS cache poisoning.

1 Introduction
2 DNS Background
2.1 Resource record set
2.2 Caching and recursive resolution
3 DNS Response Forgery
3.1 Cache poisoning without response forgery
3.2 Blind response forgery using birthday attack
3.3 Response forgery using eavesdropping
4 The Bailiwick Rule
5 Cache Overwriting
6 Formal Model of DNS Resolver
6.1 Modeling methodology
6.2 Base data types
6.3 Cache initialization
6.4 Non-overwritability
6.5 Bailiwick rule
7 Taxonomy of Cache Poisoning Attacks
7.1 Adding a new CNAME record
7.2 Adding a subdomain under an existing authority
7.3 Overwriting an existing A record
7.4 Overwriting an existing NS record
7.5 Creating fake domains
7.6 Hijacking a popular domain via a sub-authority
8 Defenses
9 Conclusion

We presented a formal model of DNS cache semantics, including the bailiwick and trust-level rules used by common resolver implementations, and analyzed it with the ProVerif protocol analysis tool.

The result is a comprehensive taxonomy of cache poisoning attacks, showing (1) which parts of the cache can be poisoned, (2) conditions necessary for each attack, and (3) consequences of each attack. Furthermore, our analysis enabled us to produce payload templates for each attack.

We argue that our formal model is an essential tool for understanding the subtle caching rules used by modern DNS resolvers and developing robust defenses against DNS cache poisoning.

Still, I think cases like co.jp were left out. -- ToshinoriMaeno 2014-06-11 05:31:06