1. SAD DNS

https://www.saddns.net/ --- /sections

The DNS cache poisoning attack has become far more powerful and is back (it was never really dead). /CVE-2020-25705

My countermeasure: use DNS Cookies. For peers that cannot use them, query over TCP.
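Worked example of that countermeasure, added here and not taken from saddns.net or from any resolver's code: a minimal DNS Cookie exchange (RFC 7873) using the RFC 9018 server-cookie layout (Version | Reserved | Timestamp | SipHash-2-4 hash, 16 bytes, bound to the client address), showing why an off-path forger who guesses the TXID and port still cannot satisfy the client, and the fallback rule from the note above (no usable cookie ⇒ TCP). The server secret, client address, clock value and the decision to treat a cookieless UDP answer as untrusted are this example's own assumptions; RFC 7873 itself only says such a server does not support cookies.

```python
"""DNS Cookies (RFC 7873) with the RFC 9018 server cookie, modelled end to end.
Added example; secret, addresses and clock are constructed."""
import hmac
import os
import struct

MASK64 = (1 << 64) - 1
COOKIE_OPT = 10                    # EDNS(0) option code COOKIE
VERSION = 1                        # RFC 9018 server cookie version
MAX_PAST, MAX_FUTURE = 3600, 300   # RFC 9018 timestamp window, seconds


def _rotl(x, b):
    return ((x << b) | (x >> (64 - b))) & MASK64


def siphash24(key: bytes, msg: bytes) -> int:
    """SipHash-2-4 (the hash RFC 9018 mandates) as a 64-bit integer."""
    k0, k1 = struct.unpack("<QQ", key)
    v = [k0 ^ 0x736F6D6570736575, k1 ^ 0x646F72616E646F6D,
         k0 ^ 0x6C7967656E657261, k1 ^ 0x7465646279746573]

    def rounds(n):
        for _ in range(n):
            v[0] = (v[0] + v[1]) & MASK64; v[1] = _rotl(v[1], 13) ^ v[0]; v[0] = _rotl(v[0], 32)
            v[2] = (v[2] + v[3]) & MASK64; v[3] = _rotl(v[3], 16) ^ v[2]
            v[0] = (v[0] + v[3]) & MASK64; v[3] = _rotl(v[3], 21) ^ v[0]
            v[2] = (v[2] + v[1]) & MASK64; v[1] = _rotl(v[1], 17) ^ v[2]; v[2] = _rotl(v[2], 32)

    n = len(msg)
    blocks = msg + b"\x00" * (7 - n % 8) + bytes([n & 0xFF])   # pad, then length byte
    for i in range(0, len(blocks), 8):
        m = struct.unpack_from("<Q", blocks, i)[0]
        v[3] ^= m; rounds(2); v[0] ^= m
    v[2] ^= 0xFF
    rounds(4)
    return v[0] ^ v[1] ^ v[2] ^ v[3]


def server_cookie(secret, client_cookie, client_ip, now):
    """Version(1) | Reserved(3) | Timestamp(4, big-endian) | 8-byte SipHash-2-4
    over ClientCookie|Version|Reserved|Timestamp|ClientIP (hash serialised LE)."""
    head = bytes([VERSION, 0, 0, 0]) + struct.pack("!I", now)
    return head + struct.pack("<Q", siphash24(secret, client_cookie + head + client_ip))


def server_check(secret, client_cookie, cookie, client_ip, now):
    """Server side: accept only our own cookie, for this client cookie and
    address, with a timestamp inside the RFC 9018 window."""
    if len(cookie) != 16 or cookie[0] != VERSION:
        return False
    ts = struct.unpack("!I", cookie[4:8])[0]
    if not (now - MAX_PAST <= ts <= now + MAX_FUTURE):
        return False
    return hmac.compare_digest(cookie, server_cookie(secret, client_cookie, client_ip, ts))


def encode_option(client_cookie, srv=b""):
    return struct.pack("!HH", COOKIE_OPT, 8 + len(srv)) + client_cookie + srv


def decode_option(opt):
    """(client cookie, server cookie), or None if not a well-formed COOKIE option
    (8-byte client cookie, optional 8..32-byte server cookie)."""
    if len(opt) < 4:
        return None
    code, ln = struct.unpack("!HH", opt[:4])
    body = opt[4:4 + ln]
    if code != COOKIE_OPT or len(body) != ln or not (ln == 8 or 16 <= ln <= 40):
        return None
    return body[:8], body[8:]


def client_accepts(sent_cookie, response_opt):
    """Client side: an off-path forger never sees our 8-byte client cookie, so a
    response that does not echo it is dropped (cookieless answers too: policy here)."""
    parsed = decode_option(response_opt)
    return parsed is not None and hmac.compare_digest(parsed[0], sent_cookie)


def transport_for(server_returned_cookie):
    """The note's fallback: UDP only when the server plays along, otherwise TCP."""
    return "udp" if server_returned_cookie else "tcp"


def demo(now=1_605_000_000):
    secret = os.urandom(16)                  # rotated periodically in practice
    client_ip = bytes([192, 0, 2, 10])       # constructed
    cc = os.urandom(8)                       # client cookie for this query
    sc = server_cookie(secret, cc, client_ip, now)
    genuine = encode_option(cc, sc)          # server echoes cc and adds sc
    forged = encode_option(os.urandom(8), sc)  # off-path guess: right port/TXID, wrong cc
    return {
        "genuine_accepted": client_accepts(cc, genuine),
        "forged_rejected": not client_accepts(cc, forged),
        "cookieless_rejected": not client_accepts(cc, b""),
        "server_ok": server_check(secret, cc, sc, client_ip, now + 600),
        "server_wrong_ip": not server_check(secret, cc, sc, bytes([192, 0, 2, 11]), now + 600),
        "server_stale": not server_check(secret, cc, sc, client_ip, now + MAX_PAST + 1),
        "server_tampered": not server_check(secret, cc, sc[:-1] + bytes([sc[-1] ^ 1]), client_ip, now),
        "transport": transport_for(client_accepts(cc, genuine)),
    }
```

The point for SAD DNS: the attack only has to guess a 16-bit source port plus a 16-bit TXID, but a forged answer would additionally need the 64-bit client cookie, which never leaves the resolver-to-authoritative path; `transport_for` is where the "use TCP for peers that cannot do cookies" rule lives.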

BIND, unbound and dnsmasq are mentioned. /knot-resolver is not mentioned.

https://twitter.com/CZ_NIC/status/1329417736552910852?s=20

https://en.blog.nic.cz/2020/11/19/knot-resolver-is-not-sad-dns-resolver/

/対策 (countermeasures) /8.1

A Simple Explanation About SAD DNS and Why It Is a Disaster (or a Blessing) /Sergio

Why SAD DNS Isn’t So Sad with SOLIDserver 24 November 2020 https://www.efficientip.com/sad-dns-solidserver/


The /cloudflare write-up also covers the background, so I recommend reading it before the paper. -- ToshinoriMaeno 2020-11-14 22:50:55

/警告例 (warning example) https://twitter.com/Tr3s0r/status/1328198988479295488?s=20

A week on, a Japanese-language blog post appeared. https://twitter.com/knqyf263/status/1329381990840274944?s=20

The probes have to be answered; without the replies this does not work.

1.1. Key points

CVE-2020-25705

INFERRING DNS QUERY’S SOURCE PORT /4

Extending attack window. /5

1.2. When a UDP packet is sent in a UDP scan

No response ⇒ port open
ICMP port unreachable ⇒ port closed

That information alone is not enough.

The global rate limit problem: https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_cao.pdf
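Added example (not code from the paper, the PoC or the kernel): a simulation of the side channel the three notes above describe. The modelled host applies the global ICMP token bucket (icmp_msgs_per_sec=1000, icmp_msgs_burst=50) before the per-destination limit (one ICMP per second), the resolver's ephemeral ports belong to connected UDP sockets so only the authoritative server's address reaches them, and the attacker learns whether any of 50 spoofed probes hit an open port from whether global credit is left for a probe from its own address. Port numbers, addresses, the verifier address pool and all timing are constructed; `randomize=True` models the kernel mitigation that spends a random 0 to 2 credits per ICMP instead of exactly one, as an assumption about its effect rather than a copy of the kernel code.

```python
"""SAD DNS source-port inference (CVE-2020-25705) against a simplified Linux host.
Added example with constructed ports, addresses and timing."""
import random

BURST = 50         # icmp_msgs_burst: depth of the global ICMP token bucket
RATE = 1000        # icmp_msgs_per_sec: refill rate
PER_IP_MS = 1000   # icmp_ratelimit: one ICMP per destination address per second


class Resolver:
    """Open ephemeral ports belong to connected sockets: only auth_ip reaches them."""

    def __init__(self, open_ports, auth_ip, randomize=False, seed=0):
        self.open_ports, self.auth_ip = set(open_ports), auth_ip
        self.credit, self.stamp = BURST, 0      # global bucket state (ms clock)
        self.per_ip_stamp = {}
        self.randomize, self.rng = randomize, random.Random(seed)

    def _global_allow(self, now_ms):
        self.credit = min(BURST, self.credit + (now_ms - self.stamp) * RATE // 1000)
        self.stamp = now_ms
        if self.credit <= 0:
            return False
        # Mitigation model: spend a random 0..2 credits, so what is left no
        # longer says how many probes were answered.
        self.credit -= self.rng.randrange(3) if self.randomize else 1
        self.credit = max(self.credit, 0)
        return True

    def _per_ip_allow(self, ip, now_ms):
        last = self.per_ip_stamp.get(ip)
        if last is not None and now_ms - last < PER_IP_MS:
            return False
        self.per_ip_stamp[ip] = now_ms
        return True

    def udp_probe(self, src_ip, port, now_ms):
        """Deliver one datagram; True if an ICMP port unreachable goes to src_ip.
        The global check runs first, so ICMPs later throttled per IP still
        burn global credit: that ordering is the whole side channel."""
        if port in self.open_ports and src_ip == self.auth_ip:
            return False                       # reached the socket, no ICMP
        if not self._global_allow(now_ms):
            return False
        return self._per_ip_allow(src_ip, now_ms)


def naive_scan(res, attacker_ip, ports, start_ms=0):
    """'No ICMP => open', probing from our own address one port per ms. Wrong
    twice: connected sockets answer strangers with ICMP, and after the first
    ICMP the per-IP limit silences everything for a second."""
    return {p: not res.udp_probe(attacker_ip, p, start_ms + i) for i, p in enumerate(ports)}


def infer_open_ports(res, auth_ip, verifier_ips, candidates, closed_port, start_ms=0):
    """BURST probes spoofed from auth_ip drain the bucket unless some hit an
    open port; a probe from one of our addresses to a known-closed port then
    reveals whether credit remains. Hits are bisected, padding every batch to
    exactly BURST probes. Verifier addresses rotate (one ICMP each per second)."""
    t, vi, found = start_ms, 0, set()

    def batch_has_open(ports):
        nonlocal t, vi
        for p in list(ports) + [closed_port] * (BURST - len(ports)):
            res.udp_probe(auth_ip, p, t)       # any ICMP goes to auth_ip, not us
        hit = res.udp_probe(verifier_ips[vi % len(verifier_ips)], closed_port, t)
        vi += 1
        t += BURST * 1000 // RATE              # 50 ms: bucket refills completely
        return hit

    def bisect(ports):
        if not batch_has_open(ports):
            return
        if len(ports) == 1:
            found.add(ports[0])
            return
        mid = len(ports) // 2
        bisect(ports[:mid])
        bisect(ports[mid:])

    for i in range(0, len(candidates), BURST):
        bisect(candidates[i:i + BURST])
    return found, t - start_ms


# Constructed scenario: Linux default ephemeral range, three queries in flight.
OPEN_PORTS = {33201, 45000, 60998}
AUTH_IP, ATTACKER_IP = "198.51.100.1", "203.0.113.7"
VERIFIERS = [f"203.0.113.{i}" for i in range(10, 40)]
EPHEMERAL = list(range(32768, 61000))


def demo(randomize=False):
    res = Resolver(OPEN_PORTS, AUTH_IP, randomize=randomize)
    return infer_open_ports(res, AUTH_IP, VERIFIERS, EPHEMERAL, closed_port=1)


if __name__ == "__main__":
    print(naive_scan(Resolver(OPEN_PORTS, AUTH_IP), ATTACKER_IP, [45000, 45001, 45002]))
    print(demo(False))   # unpatched: the three ports, in about 30 simulated seconds
    print(demo(True))    # randomised limiter: inference falls apart
```

The `closed_port` argument is a port the attacker knows is closed (a low port outside the ephemeral range here); the per-IP limit is what forces a pool of verifier addresses, and the 50 ms cadence is dictated by the bucket refill, which is why the whole 28k-port range takes on the order of half a minute in the model.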

CVE-2020-25705 POC https://github.com/tdwyer/CVE-2020-25705/blob/main/cve-2020-25705.py

/調査 (investigation)

1.3. Paper links

DNS Cache Poisoning Attack Reloaded: Revolutions with Side Channels (Distinguished Paper Award)

Keyu Man, Zhiyun Qian, Zhongjie Wang, Xiaofeng Zheng, Youjun Huang, Haixin Duan. In Proceedings of the ACM Conference on Computer and Communications Security (CCS '20), November 9-13, 2020, Virtual Event, US

ISC's complaint: https://www.isc.org/blogs/2020-saddns/

Linux “weakness” is *SECURITY* – ‘DNS cache Poisoning Attacks’ https://linuxnewbiesince1996.wordpress.com/2020/11/15/linux-weakness-is-security-dns-cache-poisoning-attacks/

https://www.saddns.net/

Am I affected by the vulnerability?

Likely, as long as you are using a vulnerable DNS service (e.g., 8.8.8.8 or 1.1.1.1).

Most public resolvers have been checked to be vulnerable. 

If you are using private DNS services (i.e., those provided by your ISP or your organization), we do not have sufficient data but there is a good chance that it is vulnerable as well. 

Refer to this question for more details.

1.4. history

Your DNS server IP is 162.158.117.60
It seems your DNS server is running Linux > 3.18
Since it is running the vulnerable version of OS that has not been patched yet, your DNS server is vulnerable.
The test is conducted on 2020-11-13 08:28:04.737081966
Disclaimer: This test is not 100% accurate and is for test purposes only.

158.162.in-addr.arpa.   1621    IN      NS      cruz.ns.cloudflare.com.
158.162.in-addr.arpa.   1621    IN      NS      kevin.ns.cloudflare.com.


CategoryDns CategoryWatch CategoryTemplate

MoinQ: DNS/毒盛/2020/saddns.net (last edited 2020-11-24 11:19:01 by ToshinoriMaeno)