Security vulnerability notification for the DNS protocol

2025-01-18 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

Many readers new to the topic are unsure what the DNS protocol security vulnerability notification covers. This article summarizes the cause of the problem and the ways to address it, and is intended to help you deal with it.

0x00 vulnerability background

On May 28, 2020, 360CERT's monitoring found that a foreign research team had published a risk advisory for a denial-of-service vulnerability caused by a logic error in implementations of the DNS protocol. Vulnerability level: high risk.

The Domain Name System (DNS) protocol is a distributed network directory service. It is mainly used to translate between domain names and IP addresses, so that users do not have to memorize IP addresses to reach Internet services.

Implementations of the DNS protocol contain a logic error: by initiating a DNS query that is directed to a malicious name server, an attacker can cause a denial of service on a recursive server or on a specific domain's name server.

360CERT therefore recommends that users install the latest patches promptly and carry out asset self-inspection and prevention work to avoid attacks.

0x01 risk rating

360CERT's assessment of the vulnerability is as follows:

Assessment method: Level

Threat level: High risk

Scope of impact: Wide

0x02 vulnerability details

The following content is based on the NXNSAttack paper.

The following definitions are used:

Description: Short name

Upper-level DNS server of the user's network: server A

attacker.com nameserver: server B

victim.com server that is attacked: server C

Take the DNS resolution of sd1.attacker.com as an example.

The attacker triggers resolution of a domain name that is served by the malicious name server.

First, the upper-level DNS server in the current network environment (server A) queries the name server of attacker.com (server B).

The attacker-controlled name server (server B) returns a specially crafted response packet. The main purpose of the packet is to tell the receiving server to follow an NS referral.

The response packet contains multiple records.

The NS records indicate that sd1.attacker.com must be referred to the DNS name server of {fake-n}.victim.com (server C) for the query.

No corresponding IP addresses are included. (This ensures that the follow-up queries are actually made.)

After receiving the crafted response packet, server A issues a DNS query for each NS record in the response packet, one by one.

As a result, server A sends a large number of request packets and server C receives a large number of request packets, resulting in a denial of service.

According to the research report, NXNSAttack is more effective than the NXDomain attack, amplifying the number of packets exchanged by the recursive resolver by a factor of up to 1620.

0x03 affected versions

The components and services known to be affected are:

Components

UNIX bind component

Windows DNS

Service providers

PowerDNS

Google

Microsoft

Amazon

Oracle

Cloudflare

0x04 repair recommendations

Temporary mitigation recommendations:

On traffic-inspection devices, intercept DNS response packets that meet the following conditions:

They contain a large number of NS referral records

They contain many second-level or multi-level subdomain names that point to the same server

Do not accept DNS query results from untrusted servers

As with traditional protection strategies, use traffic blacklists and whitelists.
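The two interception conditions above can be checked directly on a raw DNS response. The following is an added example, not code from the original article or from 360CERT: it counts NS targets that arrive without address records and checks whether they share one parent domain. The threshold `limit=10`, the function names and the constructed sample packet are assumptions for illustration.

```python
import struct
from collections import Counter

A, NS, AAAA = 1, 2, 28  # DNS record type codes

def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:  # compression pointer
            end = off + 2 if end is None else end
            off, hops = ((n & 0x3F) << 8) | msg[off + 1], hops + 1
            if hops > 32:
                raise ValueError("compression pointer loop")
        elif n == 0:
            return ".".join(labels).lower(), (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii", "replace"))
            off += 1 + n

def referral_stats(msg):
    """Return (glueless NS count, most common parent domain, its count)."""
    qd, an, ns, ar = struct.unpack("!4H", msg[4:12])
    off = 12
    for _ in range(qd):  # skip the question section
        off = read_name(msg, off)[1] + 4
    targets, glue = [], set()
    for _ in range(an + ns + ar):
        owner, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == NS:
            targets.append(read_name(msg, off + 10)[0])
        elif rtype in (A, AAAA):
            glue.add(owner)  # an address record for this name is present
        off += 10 + rdlen
    glueless = [t for t in targets if t not in glue]
    top = Counter(t.split(".", 1)[-1] for t in glueless).most_common(1)
    return (len(glueless), *top[0]) if top else (0, "", 0)

def is_suspicious(msg, limit=10):  # limit is an assumed threshold, tune per site
    count, _parent, same_parent = referral_stats(msg)
    return count > limit and same_parent > limit

def sample_referral(qname, targets):  # constructed test input, NS records only
    enc = lambda s: b"".join(bytes([len(l)]) + l.encode() for l in s.split(".")) + b"\0"
    msg = struct.pack("!6H", 0x1234, 0x8000, 1, 0, len(targets), 0)
    msg += enc(qname) + struct.pack("!HH", A, 1)
    for t in targets:  # owner name is a compression pointer to the question
        msg += b"\xc0\x0c" + struct.pack("!HHIH", NS, 1, 60, len(enc(t))) + enc(t)
    return msg
```

Ordinary delegations usually carry only a handful of NS names, so the limit should be set from the referral sizes seen in normal traffic on the monitored network.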
