
Recent research shows that previously overlooked side channels in the Linux kernel can be exploited to attack DNS servers.
DNS has been a fragile part of the security chain. Efficiency was the primary design consideration for DNS, which led to a single query and response over UDP. DNS security features such as DNSSEC and DNS cookies are available, but they are not widely deployed because of backward compatibility. As a result, the only approach to making DNS more secure has been the randomization of UDP ports, known as ephemeral ports, with the aim of making them harder for an attacker to discover.
Several attacks on DNS have been discovered in the past, including the recent SAD DNS, a variant of DNS cache poisoning that allows an attacker to inject malicious DNS records into a DNS cache, thus redirecting any traffic to their own server and acting as a man-in-the-middle (MITM).
Recently, the researchers who disclosed SAD DNS uncovered side-channel vulnerabilities that had gone undetected inside the Linux kernel for over a decade. Those vulnerabilities enable the use of ICMP probes to scan UDP ephemeral ports and allowed the researchers to develop new DNS cache poisoning attacks.
The research focused on two types of ICMP error messages: ICMP fragment needed and ICMP redirect. The Linux kernel processes those messages using shared resources that form side channels. An attacker sends ICMP probes that target a specific port. If the targeted port is correct, the probe causes a change in the shared resource state that can be observed indirectly, thus confirming the guess was right.
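The following Python example is added here and is not code from the researchers or the original article. It parses ICMPv4 fragment-needed and redirect messages, reads the UDP ports from the quoted datagram header, and flags an upstream DNS server address for which many distinct source ports are quoted. The function names, the threshold of 8, and the sample addresses are assumptions constructed for illustration, and treating a sweep of quoted source ports as a probing indicator is a heuristic, not a method described by the research.

```python
import socket
import struct
from collections import defaultdict

FRAG_NEEDED = (3, 4)   # ICMP destination unreachable / fragmentation needed
REDIRECT_TYPE = 5      # ICMP redirect (any code)

def quoted_udp_flow(icmp: bytes):
    """Return (dst_ip, src_port, dst_port) of the UDP datagram quoted inside an
    ICMPv4 fragment-needed or redirect message, or None for anything else."""
    if len(icmp) < 8 + 20:
        return None
    if (icmp[0], icmp[1]) != FRAG_NEEDED and icmp[0] != REDIRECT_TYPE:
        return None
    inner = icmp[8:]                    # quoted IPv4 header + leading payload bytes
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or inner[9] != 17 or len(inner) < ihl + 4:
        return None                     # not IPv4/UDP, or quote truncated
    sport, dport = struct.unpack_from("!HH", inner, ihl)
    return socket.inet_ntoa(inner[16:20]), sport, dport

def flag_port_probing(icmp_messages, threshold=8):
    """Map each quoted upstream DNS address (dst port 53) to its count of distinct
    quoted source ports, keeping those at or above the threshold (assumed value)."""
    seen = defaultdict(set)
    for icmp in icmp_messages:
        flow = quoted_udp_flow(icmp)
        if flow and flow[2] == 53:
            seen[flow[0]].add(flow[1])
    return {dst: len(p) for dst, p in seen.items() if len(p) >= threshold}

def build_icmp(icmp_type, code, src_ip, dst_ip, sport, dport=53):
    """Constructed sample input: ICMP header + quoted IPv4/UDP headers (checksums zeroed)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + ip + udp

# Constructed traffic: one ordinary error, then a sweep over quoted source ports.
SAMPLE = [build_icmp(3, 4, "192.0.2.10", "198.51.100.53", 40000)]
SAMPLE += [build_icmp(3, 4, "192.0.2.10", "203.0.113.53", p) for p in range(32768, 32788)]
SAMPLE += [build_icmp(3, 3, "192.0.2.10", "203.0.113.53", 1234)]   # port unreachable: ignored

if __name__ == "__main__":
    print(flag_port_probing(SAMPLE))
```

The detector keys on the quoted destination address, not on the sender of the ICMP message, because the sender address of an ICMP error can be spoofed.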
The newly discovered side channels affect the most popular DNS software, including BIND, Unbound, and dnsmasq running on top of Linux. An estimated 13.85% of open resolvers are affected. Additionally, an end-to-end attack against the latest BIND resolver and a home router takes only minutes to succeed.
The Linux kernel has been patched both for IPv4 and IPv6 to randomize the shared kernel structure. BIND 9.16.20 sets IP_PMTUDISC_OMIT on IPv6 sockets.