Survey: How Do You Configure DNS Resolvers?
• 8 min read
DNS resolvers are constantly adding features without removing any. This trend cannot continue indefinitely because the software could eventually break under its own weight. Which features are used in practice and which can be safely removed? We present preliminary results of a survey among DNS reso…
There are certainly similarities and authors have acknowledged previous work by Florian Maury in the NXNSAttack paper. Allow me to quote the NXNSAttack paper https://cyber-security-group.cs.tau.ac.il/dns-ns-paper.pdf here: Maury [18] presents a different attack that also ex- ploits the delegations of name-servers in a referral re- sponse. However, the attack (called iDNS attack) PAF is at most 10x. In iDNS the attacker’s name-server sends self-delegations (back and forth to the attacker’s name- server) up to an infinite depth. A major difference from our work is that the glueless name-servers in the iDNS attack are never used against an external server such as a victim name-server. Some measures have been taken by different DNS vendors such as BIND and UNBOUND following the disclosure of iDNS described in [18], how- ever these measures do not affect and do not weaken the NXNSAttack. Unbounded work in any implementation is surely a bad idea and Paul Mockapetris was surely right, there are no doubts about this. Having said that I do not agree that NXNSAttack can be dismissed as nothing new. Researchers found an exploitable flaw in several DNS resolver implementations, and several vendors released software with mitigation for NXNSAttack, so it is not just theoretical problem, and surely not the same as in 2015 because mitigations introduced back then (see CVE-2014-8500, CVE-2014-8601, CVE-2014-8602) did not save us in 2020. On more generic note, attempting to categorize all "unbounded work problems" as "the same flaw" is equivalent to declaring all these flaws equivalent to halting problem from computability theory - that is technically correct but really not helpful for anyone except for computability theory researchers. This view is reinforced by fact that MITRE CVE classification has special categories for variants of this problem (CWE-405, CWE-406, CWE-1050 are first three I found right now). That very strongly suggests security community cares enough to distinguish individual "insufficiently bounded work" problems no matter what protocol or software it affects. To conclude: No matter if you consider this novel attack or not please upgrade if your software is affected.
Showing 1 comment(s)