DNS-over-TCP considered vulnerable

Short paper. DOI: 10.1145/3472305.3472884

Online: 24 July 2021

ABSTRACT

The research and operational communities believe that TCP provides protection against IP fragmentation attacks and recommend that servers avoid sending DNS responses over UDP but use TCP instead.

In this work we show that IP fragmentation attacks also apply to servers that communicate over TCP. Our measurements indicate that among the top 100K Alexa domains there are 393 additional domains whose nameservers can be forced to (source) fragment IP packets that contain TCP segments. In contrast, responses from these domains cannot be forced to fragment when sent over UDP.

Our study not only shows that the recommendation to use TCP instead of UDP in order to avoid attacks that exploit fragmentation is risky, but also reveals that the attack surface due to fragmentation is larger than previously believed. We evaluate IP fragmentation-based DNS cache poisoning attacks against DNS responses over TCP.
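The abstract's point is that fragmentation is a property of the IP layer, not of the transport: a datagram carrying a TCP segment can be split just like one carrying UDP. As a defender's check on that claim, the following is an added example (not code from the paper or its authors) that audits raw IPv4 datagrams for DNS traffic and reports, per transport, whether each datagram arrived whole with DF set, whole with DF clear, or as a fragment. The input format (a list of raw IPv4 datagrams as bytes, e.g. sliced out of a capture), the helper names, and the sample datagrams are assumptions constructed for the example; the IP checksum is not verified.

```python
"""Audit raw IPv4 datagrams for fragmented DNS traffic, TCP or UDP."""
import struct
from collections import Counter
from dataclasses import dataclass
from typing import Optional

IPPROTO_TCP = 6
IPPROTO_UDP = 17
DNS_PORT = 53
FLAG_DF = 0x4000      # IPv4 "don't fragment" flag
FLAG_MF = 0x2000      # IPv4 "more fragments" flag
OFFSET_MASK = 0x1FFF  # fragment offset, in 8-byte units


@dataclass
class IPv4Info:
    proto: int
    ident: int
    src: bytes
    dst: bytes
    df: bool
    mf: bool
    offset: int              # byte offset of this piece within the datagram
    src_port: Optional[int]  # transport ports exist only in the first piece
    dst_port: Optional[int]

    @property
    def is_fragment(self) -> bool:
        # MF set, or a non-zero offset, means the sender (or a router on the
        # path) split the datagram. DF clear on a whole datagram means a
        # router is still allowed to split it later.
        return self.mf or self.offset > 0


def parse_ipv4(pkt: bytes) -> IPv4Info:
    """Decode the IPv4 header and, for a first piece, the transport ports."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, _tlen, ident, flags_frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 datagram")
    ihl = (ver_ihl & 0x0F) * 4
    offset = (flags_frag & OFFSET_MASK) * 8
    src_port = dst_port = None
    # TCP and UDP headers both begin with 16-bit source/destination ports.
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and offset == 0 and len(pkt) >= ihl + 4:
        src_port, dst_port = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return IPv4Info(proto, ident, src, dst, bool(flags_frag & FLAG_DF),
                    bool(flags_frag & FLAG_MF), offset, src_port, dst_port)


def audit_dns_fragmentation(datagrams):
    """Return Counter[(transport, status)] over DNS datagrams.

    status: 'fragment' (this piece is part of a split datagram),
            'df'       (sent whole, DF set: cannot be split on the path),
            'no-df'    (sent whole, DF clear: a router may still split it).
    Non-first pieces carry no ports, so they are tied to a DNS first piece
    through the (src, dst, proto, IP ID) tuple that reassembly also uses.
    """
    infos = [parse_ipv4(p) for p in datagrams]
    dns_keys = {(i.src, i.dst, i.proto, i.ident) for i in infos
                if i.offset == 0 and DNS_PORT in (i.src_port, i.dst_port)}
    counts: Counter = Counter()
    for i in infos:
        if (i.src, i.dst, i.proto, i.ident) not in dns_keys:
            continue
        transport = "tcp" if i.proto == IPPROTO_TCP else "udp"
        status = "fragment" if i.is_fragment else ("df" if i.df else "no-df")
        counts[(transport, status)] += 1
    return counts


def build_ipv4(proto, ident, payload, *, df=False, mf=False, offset=0,
               src=b"\xc0\x00\x02\x01", dst=b"\xc0\x00\x02\x02"):
    """Constructed datagram for the sample below; checksum left as 0."""
    flags_frag = (FLAG_DF if df else 0) | (FLAG_MF if mf else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0, src, dst)
    return hdr + payload


def sample_traffic():
    """Constructed sample (not a real capture): one nameserver, one client."""
    dns = struct.pack("!HH", DNS_PORT, 40000)   # server port 53 -> client
    return [
        build_ipv4(IPPROTO_UDP, 0x0001, dns + b"\0" * 100, df=True),
        # a TCP response the nameserver itself split into two pieces
        build_ipv4(IPPROTO_TCP, 0x1234, dns + b"\0" * 1456, mf=True),
        build_ipv4(IPPROTO_TCP, 0x1234, b"\0" * 40, offset=1480),
        build_ipv4(IPPROTO_TCP, 0x0002, dns + b"\0" * 200, df=True),
        build_ipv4(IPPROTO_TCP, 0x0003, dns + b"\0" * 200),
        # unrelated HTTPS segment, must be ignored by the audit
        build_ipv4(IPPROTO_TCP, 0x0004, struct.pack("!HH", 443, 41000) + b"\0" * 50,
                   df=True),
    ]


if __name__ == "__main__":
    for key, n in sorted(audit_dns_fragmentation(sample_traffic()).items()):
        print(f"{key[0]:3s} {key[1]:8s} {n}")
```

Run against a real capture, a non-zero `('tcp', 'fragment')` count is the condition the paper describes: DNS responses over TCP that were split at the IP layer. A non-zero `('tcp', 'no-df')` count is the weaker finding that the server leaves splitting on the path possible. Note that the audit keys later fragments by the same (src, dst, proto, IP ID) tuple a reassembler uses, so it sees exactly the pieces that reassembly would accept.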


Published in

ANRW '21: Proceedings of the Applied Networking Research Workshop
July 2021, 98 pages
ISBN: 9781450386180
DOI: 10.1145/3472305
Copyright © 2021 ACM

Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

• Online: 24 July 2021
• Published: 24 July 2021

Acceptance Rates

ANRW '21 paper acceptance rate: 16 of 28 submissions, 57%
