MoinQ:

1. DNS/毒盛/AncillaryDataAttacks

付帯的なデータと言える。

https://tools.ietf.org/id/draft-weaver-dnsext-comprehensive-resolver-00.html September 30, 2008

これらを無視するresolver実装はDeadwood(MaraDNS)とKnot DNS resolverです。

Unboundもharden-referral-pathオプションを指定すると、より安全になります。

DNS/脆弱性/GhostDomainNames

参考: http://conferences.sigcomm.org/hotnets/2014/papers/hotnets-XIII-final127.pdf

逆に「外部名に対するAdditional」を受け入れるあぶないリゾルバーが見つかりました。/1.1.1.1 など。

2. Knot DNS での扱い

[knot-dns-users] minimal responses Marek Vavruša marek.vavrusa at http://nic.cz Mon Sep 14 08:50:11 CEST 2015

https://lists.nic.cz/pipermail/knot-dns-users/2015-September/000704.html

NS in the authority section is really extra data and shouldn't be cached,
as it gives the attacker a tool to joust valid NSs out of cache 
with spoofed ones much more easily.

/BIND脆弱性

/MX付随毒

/1.1.1.1


整形してあります。


https://tools.ietf.org/id/draft-weaver-dnsext-comprehensive-resolver-00.html

3. 10章

10. Cache Policy, Scoping, and Ancillary Data Attacks

RFC 2181 section 5.4.1 [RFC2181] is the current specification for how to accept ancillatory data.

It allows ancillatory data, if "in bailywick" (from a server which should be an authority for this name), 
to be cached for subsequent use, although it should not be returned as an answer.
It is this caching of ancillatory data that enables the "race-until-win" Kaminski blind cache attack.

Likewise, before bailywick-checking was deployed, ancillatory data was used for classic glue poisoning.

The ancillatory data includes all the data beyond the direct answer to the query (including the NS RRSet, A records associated with the NS RRSet, A records associated with a CNAME for the direct answer, or any other data).

This data serves four purposes:

This suggests that items have a different role in two scopes, analogous to how programming languages view scope:

Within the local scope, for purposes of resolving the direct question, ancillary data often must be trusted: otherwise authoritative nameservers may not be reachable when they exist within the domain being queried or in other cases where domains host each-others nameservers.

Yet for the purposes of resolving a query, if an authority lies about the ancillatory data, it could just as easily lie about the direct answer, making this data no less trustworthy for processing this answer.

Yet for purposes of inclusion into the global scope, or for returning as the response to a query, ancillary data must not be trusted.

It is, by definition, unsolicited information and not an authoritative response, and lies at the heart of the Kaminski attack. If a recursive resolver never accepts ancillary data into the cache, it becomes impossible to target a single name with a race-until-win blind attack.


However, a resolver may safely perform an independent fetch for any piece of ancillary data.

This second fetch must not reuse the local scope of the previous fetch, but instead be fetched using a new local context. This enables both the use of ancillary data in responses (such as A records involved in CNAMES) and to speed subsequent responses (such as obtaining the NS RRSet for subsequent lookups).

As an example, suppose the query for 'www.example.com' returns

www.example.com CNAME server.example.com,
example.com NS ns.example.com, 
ns.example.com A 12.34.56.78,
server.example.com A 12.34.56.90'.

The resolver can succesfully cache and return 'www.example.com CNAME server.example.com', but must perform independent queries to fetch the NS RRSet and the A records for ns.example.com and server.example.com, and it can't return 'www.example.com CNAME server.example.com, server.example.com A 12.34.56.90' to the final client until the lookup for server.example.com completes.

As a result, all information which is either placed in the global scope or returned to the final client will be validated directly by querying the proper authoritative server. There are no race-until-win attacks possible for including a name into the cache, as inserting a name only would take place if it doesn't exist in the cache which limits any attempt to once every TTL.

This is more restrictive than the policy in RFC 2181 section 5.4.1 [RFC2181]. The RFC policy allows ancillary data to be accepted into the global scope (cache) for purposes of subsequent query processing, which enables race-until-win attacks.

Although the RFC states that the final client should also not accept these authority or additional records, it is unclear whether the stub resolver follow the RFC. Thus a well structured recursive resolver should return results which are safe even if the client does cache additional records in violation of the RFC.


The simplest mechanism for validation is to perform an explicit fetch, a policy being implemented in Unbound [unbound]:

For CNAMEs and A records that are not the direct answer to the query, such records are not accepted directly but are instead fetched independently.

For the NS record and associated A records, the separate global and local scope is approximated by validating the NS RRSet and all elements within it using subsequent separate fetches.


There is some minor uncertanty if this is a close-enough approximation for the NS RRSet. There exists a short-term time window where the NS RRSet and A records would be in the cache but unvalidated, which may provide a narrow opportunity for abuse. However, this policy does not require new data structures to maintain the local scope of a recursive query, and the abuse window is probably sufficiently small.

Note that if an explicit local scope is maintained, such a policy of fetching all ancillary data rather than including it subsumes bailiwick checking for accepting data into the cache, as no data is included into the cache for any use that was not explicitly requested from an authoritative server.

MoinQ: DNS/毒盛/AncillaryDataAttacks (last edited 2024-09-15 03:35:19 by ToshinoriMaeno)