Describe DNS/FCP/4.1.1 here.

[As tss showed, Unbound was vulnerable. PowerDNS Recursor will not be fixed for the time being. -- ToshinoriMaeno 2018-11-20 23:44:36 ]

4.1.1 Injecting NS RR to NSEC3 Response

Typically, responses of type 'non-existing domain (nxdomain) name error' or 'no data no error' in domains that support NSEC3 are between 1700 and 2000 bytes in size on average, and when fragmented, at least one record from the authority section appears in the second fragment.

This allows the attacker to replace the authentic NSEC3 or RRSIG RR(s) with an NS RR for a new name server; see Figure 6.

Figure 6: Poisoning an nxdomain (or no data) response, by replacing the NSEC3 RR with an NS RR.

If the response does not contain any other NS RRs, then the attacker can set an arbitrarily high TTL, e.g., 6 days, to ensure that the spoofed RR stays in the cache even after the authentic NS RRs for that domain expire.

The attacker triggers a DNS request (via a puppet) and synchronises (steps 1 and 2, Figure 6).

Then (step 3) the attacker sends a spoofed second fragment containing an NS RR for domain sec.cs.biu.ac.il.

This spoofed fragment is combined with the authentic first fragment (step 3) and enters the cache; the authentic second fragment is discarded after a timeout (step 5).

Note that the attacker can provide any arbitrary NS RR, in particular one that is not in the same domain as the victim; in this attack we spoofed the response with the name of a new NS RR, i.e., ams.sec.cs.biu.ac.il, in our own domain, i.e., sec.cs.biu.ac.il, for testing purposes, to observe that the resolver's subsequent queries for domain sec.cs.biu.ac.il are sent to ams.sec.cs.biu.ac.il and that the responses get cached.

To find the IP address of the new NS, the resolver issues a request for its A RR and receives and caches the IP address supplied by the attacker (who controls that name server).

The Wireshark capture of the resulting poisoned DNS response is shown in Figure 7.

The authentic second fragment contained part of the RRSIG and two complete records, i.e., an NSEC3 and its corresponding RRSIG.

The spoofed fragment contained the authentic part of the RRSIG spanning the first and second fragments, and two fake NS records, which replaced the authentic NSEC3 and RRSIG.

Note that since the RRSIG (as well as the NSEC3) is much larger than the NS RRs, the attacker has to pad the packet (with zeros) to the required length; the checksum is adjusted in the padded area after the EDNS RR.
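A resolver-side check for the substitution described above, added here as an example (it is not code from the paper or from this wiki): it parses a DNS response in wire format and flags a negative (nxdomain or no data) reply whose authority section carries NS RRs but no NSEC3/RRSIG, or NS RRs with an implausibly long TTL such as the 6 days mentioned above. The two sample messages, the query name nope.sec.cs.biu.ac.il, the `hashed` owner label, the dummy RDATA bytes and the one-day TTL threshold are constructed assumptions.

```python
import struct
NS, RRSIG, NSEC3, NXDOMAIN = 2, 46, 50, 3        # RR type codes and the nxdomain RCODE
def _read_name(msg, off):
    """Decode a possibly compressed owner name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # compression pointer: follow it, remember where we left off
            end = end if end is not None else off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
        elif length == 0:
            break
        else:
            labels.append(msg[off + 1:off + 1 + length].decode('ascii'))
            off += 1 + length
    return '.'.join(labels).lower() + '.', (off + 1 if end is None else end)

def parse_response(msg):
    """Return (rcode, [(section, owner, rtype, ttl), ...]); RDATA itself is skipped."""
    _, flags, qd, an, ns, ar = struct.unpack('!6H', msg[:12])
    off = _read_name(msg, 12)[1] + 4               # skip the (single) question
    rrs = []
    for section, count in (('answer', an), ('authority', ns), ('additional', ar)):
        for _ in range(count):
            owner, off = _read_name(msg, off)
            rtype, _, ttl, rdlen = struct.unpack('!HHIH', msg[off:off + 10])
            off += 10 + rdlen
            rrs.append((section, owner, rtype, ttl))
    return flags & 0xF, rrs

def poisoning_indicators(msg, max_ns_ttl=86400):
    """Negative reply with NS RRs but no NSEC3/RRSIG in authority, or NS TTL above max_ns_ttl (assumed policy: 1 day)."""
    rcode, rrs = parse_response(msg)
    auth = [r for r in rrs if r[0] == 'authority']
    negative = rcode == NXDOMAIN or not any(r[0] == 'answer' for r in rrs)
    findings = []
    if negative and any(r[2] == NS for r in auth) and not any(r[2] in (NSEC3, RRSIG) for r in auth):
        findings.append('negative response carries NS RRs but no NSEC3/RRSIG proof')
    findings += [f'NS {o} TTL {ttl}s exceeds {max_ns_ttl}s' for _, o, t, ttl in auth if t == NS and ttl > max_ns_ttl]
    return findings

def _enc(name):                                    # wire-encode a dotted name
    return b''.join(bytes([len(lab)]) + lab.encode() for lab in name.strip('.').split('.')) + b'\0'
def _rr(owner, rtype, ttl, rdata):                 # owner is already wire-encoded (labels and/or a pointer)
    return owner + struct.pack('!HHIH', rtype, 1, ttl, len(rdata)) + rdata

# Constructed samples: NXDOMAIN for nope.sec.cs.biu.ac.il (flags QR|RD|RA|RCODE=3; qd=1, an=0, ns=2, ar=0);
# \xc0\x11 points at "sec.cs.biu.ac.il" inside the question name; the NSEC3/RRSIG RDATA bytes are dummies.
HDR_Q = struct.pack('!6H', 0x1234, 0x8183, 1, 0, 2, 0) + _enc('nope.sec.cs.biu.ac.il') + b'\0\1\0\1'
AUTHENTIC = HDR_Q + _rr(b'\x06hashed\xc0\x11', NSEC3, 3600, b'\0' * 6) + _rr(b'\x06hashed\xc0\x11', RRSIG, 3600, b'\0' * 6)
POISONED = HDR_Q + _rr(b'\xc0\x11', NS, 518400, _enc('ams.sec.cs.biu.ac.il')) * 2   # two fake NS RRs, TTL 6 days
```

The missing-NSEC3 indicator is only meaningful for zones known to be NSEC3-signed, and a DNSSEC-validating resolver would reject the substituted authority section outright; the check is aimed at non-validating caches.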

For comparison, see the authentic DNS response in Figure 8.

Figure 8: An authentic nxdomain response for domain sec.cs.biu.ac.il.