Haya Shulman: Towards a Secure DNS
Towards a Secure DNS (Dec 13, 2pm, SBA)
Most caching DNS resolvers still rely for their security, against poisoning, on validating that the DNS responses contain
some ‘unpredictable’ values, copied from the request. These values include the 16 bit identifier field, and other fields, randomised and validated by different ‘patches’ to DNS. We investigate the prominent patches, and show how off-path attackers can circumvent all of them, exposing the resolvers to cache poisoning attacks. We present countermeasures preventing our attacks; however, we believe that our attacks provide additional motivation for adoption of DNSSEC (or other MitM-secure defenses). We then investigate vulnerabilities in DNSSEC configuration among resolvers and zones, which reduce or even nullify the protection offered by DNSSEC. Finally we provide our recommendations and countermeasures to prevent the vulnerabilities.