Vigil@nce - DNS, ISC BIND: no expiry of revoked names
February 2012 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
When a domain name was revoked, an attacker can periodically query
a recursive DNS server, in order to continuously renew data in the
cache, which never expire.
Severity: 2/4
Creation date: 08/02/2012
Revision date: 09/02/2012
IMPACTED PRODUCTS
– ISC BIND
– Microsoft Windows 2008
– Protocol DNS
DESCRIPTION OF THE VULNERABILITY
A DNS recursive server keeps previous replies in its cache. For
example, if a user requests "www.phishing.com":
– his DNS server queries a server which is authoritative for
".com" : who is the DNS server of "phishing.com" ?
– it receives the reply "ns.phishing.com" with the IP address
10.0.0.1, and a TTL (expiration time) of one day
– it keeps it in its cache
– it queries 10.0.0.1 : what is the address of "www.phishing.com"
?
– it receives the reply, and keeps it in its cache, and then
sends it back to the user
When another user queries "www.phishing.com", the values cached
during one day are returned
If an authority decides to disable "phishing.com", the cached
value is still used one day. After this date, the DNS server will
query an authoritative server for ".com", which will reply that
the domain does not exist.
However, an attacker can ensure that the "phishing.com" domain
never expires from the cache of the DNS server. In order to do so,
before the expiration of the TTL, the attacker has to:
– add in his DNS server (ns.phishing.com) a reverse resolution
for 10.0.0.1, indicating for example "ns1.phishing.com", which
is also an authoritative DNS server for "phishing.com"
– query the victim’s recursive DNS server, for an inverse
resolution of 10.0.0.1 (the reply will be ns1.phishing.com),
which will be cached as the new DNS server of "phishing.com",
with a TTL of one day
The "phishing.com" domain is thus valid during one more day.
When a domain name was revoked, an attacker can therefore
periodically query a recursive DNS server, in order to
continuously renew data in the cache, which never expire.
This vulnerability is due to a conception error in the DNS
protocol.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/DNS-ISC-BIND-no-expiry-of-revoked-names-11344