DNS/lame_delegation/misconfigurationsについて、ここに記述してください。
Security and Robustness in the Internet Infrastructure
Krishna Kant, Casey Deccio, in Handbook on Securing Cyber-Physical Critical Infrastructure, 2012
https://www.sciencedirect.com/topics/computer-science/misconfigurations
28.2.3 DNS Misconfiguration and Attack Scenarios Various misconfigurations can degrade the availability of a domain name. One problem is inconsistency between the delegation NS RRset in the parent zone and the authoritative NS RRset in the child zone. Extraneous servers referenced in the parent zone can lead to unresponsive or lame servers – those that do not respond authoritatively for zones that they are advertised for. Such servers, just as servers missing from the delegation RRset, might increase the chance for resolution failure. Another common misconfiguration affecting availability is the omission of necessary glue records. This void creates a cyclic dependency, such as that shown in Figure 28-2, caused by a missing glue record for ns2.foo.net. The misconfiguration limits the options in the resolution path for the dependent domain name, reducing availability, as shown in Figure 28-3. Cyclic dependencies can also be caused by other, more subtle misconfigurations. Regardless of cause, these can result in an increased potential for resolution failure. Proper configuration and maintenance of a DNS deployment will ensure that its namespace remains highly available for resolution. DNS misconfigurations are further explained and their impact is quantified in [5, 6].
リゾルバーへの毒盛攻撃 (独立した項目)
The fundamental nature of its functionality and its inherent insecurity have made the DNS the target of attack since its inception. Various vulnerabilities in protocol and implementation have facilitated exploits, which lead to compromise at higher levels. For example, a malicious party might fabricate a response to a query for www.foo.net to redirect Web clients from its legitimate Internet address to a server set up to collect private information. One of the largest targets in the DNS is the transport mechanism. The User Datagram Protocol (UDP) is typically used for DNS queries, and UDP identifies related packets using only source and destination port. The destination port for DNS requests (and therefore, the source port for DNS responses) is well known (port 53), so the problem space becomes guessing the unknown, 16-bit UDP port and an additional 16-bit identifier supplied in the header of the DNS packet itself. Two prominent attacks that seek to narrow the problem space to correctly guess the bit sequence for the response that a client is expecting are the birthday attack [7] and the Kaminsky attack [8]. In the birthday attack, an attacker issues a large number of requests for the same name to a recursive resolver, resulting in an equal number of simultaneous requests open for that name on vulnerable resolver implementations. Each open request increases the chance for a successful spoof by an attacker, whose forged packet may match any of the open requests. Thus, the number of attempts required by the attacker to achieve success is lessened significantly, according to the birthday paradox. After a resolver receives a response from an authoritative server, the answer remains in its cache until it expires, which means that future queries to the resolver for the same name will not induce queries to the authoritative server. However, the Kaminsky attack skirts this limitation by making requests for non-existent names. For this approach, there is no limit to queries that can be elicited by the resolver because non-existent names are in rich supply to the attacker. The objective is not to poison the RRs of the answer itself, but rather the NS RRset returned in authoritative responses, which indicates the names of authoritative servers. The attacker, if successful, can redirect all queries for names in the compromised namespace to malicious servers, now recognized by the resolver as “authoritative” for the hijacked domains. The deficiency of sufficient UDP source-port randomization in a resolver implementation reduces the problem space to guessing the 16 bits from the DNS query identifier through repeated queries. Successful injection leads to cache poisoning, in which an illegitimate response is stored in a resolver's cache until expiration, which may be set arbitrarily long by the attacker. Until the response is expunged, the resolver will continue to use the false information.