MoinQ:

DNS/FCP/4.1.2

4.1.2 Injecting A RR to DNSKEY Response

When the second fragment contains at least one complete record (excluding the EDNS RR)
in the additional section, the attacker can replace the IP address in the fragment with a spoofed IP.

In this attack we spoof the P for the name server of org domain, in a DNS response for a DNSKEY of org domain.

In Figure 9 the resolver issues a DNS request for the DNSKEY of org;

this is an indirect way to trigger a query, i.e., the resolver asks for the DNSKEY of some domain automatically, when the DNSKEY expires from cache, or when it needs to validate records for that domain, e.g., to be able to validate an A record or a non-existing domain (NSEC3) record;

an attacker may also be able to cause a resolver, which does not support DNSSEC, to issue such a query, by sending an appropriate request to the resolver.

This query type is useful if the response to an nxdomain query is not fragmented.

Spoofer 6.6.6.6 Spoofer 6.6.6.6 Name Server ORG 199.249.112.1 Name Server ORG 199.249.112.1 SrcIP:199.249.112.1 dstIP: 132.70.6.202 IP-ID: 777 Offset:0 PAYLOAD: ... SrcIP:199.249.112.1 dstIP: 132.70.6.202 IP-ID:777 Offset:1480 PAYLOAD: ... Resolver's Cache DNSKEY?ORG SrcIP: 199.249.112.1 dstIP: 132.70.6.202 IP-ID: 777 Offset:1480 PAYLOAD: ...

ORG NS b0.org.afilias-nst.ORG b0.org-afilias-nst.ORG A 6.6.6.6 1 2 3 5 Recursive resolver 132.70.6.202 Recursive resolver 132.70.6.202 Discarded after 30 seconds 4

Figure 9: NS poisoning attack of name server IP of org domain.

The resolver issues a query for a DNSKEY (e.g., when it expires from cache, 15 minutes for org), and the spoofer sends a poisoned second fragment containing the forged entries of org.

The query for DNSKEY of org can also be triggered indirectly by issuing a query for nonexisting (or for some other) domain within org.

The annotated screen caption of the attack in Figure 9 is illustrated in Figure 10, presents the out- come of the attack. The first line (122) contains the ‘forged second fragment’; this fragment is kept in the defragmentation cache of the resolver, waiting for a matching first fragment (i.e., with the same set of (source IP=199.249.112.1, dest IP=132.70.6.202, fragment ID=7c6e, protocol=UDP) ). In the next line (133), the resolver sends the DNS query to the name server.

Next line (134) is the first fragment of authentic re- sponse to the query, sent by the name server of org (at IP 199.249.112.1).

This response matches the fake second fragment already in the defragmentation cache, hence it appears as a complete DNS response packet.

The contents of this packet are described in the lower panes; in particular, see the two forged resource records in the additional section, which contain incorrect (adversarial) IP addresses for two of the name servers of the org domain.

Finally, notice that the authentic second fragment, received in line 135, has no matching first fragment (since the one received was already reassembled with the spoofed second fragment).

Hence, it is entered into the defragmentation cache, where it is likely to remain until discarded (typically, after maximal lifetime of about 30 seconds).