[dnsext] A security concern regarding IPv6 support in name servers

Alfred Hönes <ah@TR-Sys.de> Mon, 20 September 2010 12:39 UTC

From: Alfred Hönes <ah@TR-Sys.de>
Message-Id: <201009201228.OAA23223@TR-Sys.de>
Subject: [dnsext] A security concern regarding IPv6 support in name servers
To: namedroppers@ops.ietf.org
Date: Mon, 20 Sep 2010 14:28:55 +0200 (MESZ)

I have been pointed to a paper by H. D. Moore published in 2008,
"Exploiting Tomorrow's Internet Today - Penetration Testing with IPv6",
available at <http://uninformed.org/?v=10&a=3&t=pdf>.

On page 3, this paper points out that Bind running on an IPv6-enabled
system, unless its serving socket is bound to a specific IPv6 (unicast,
interface-assigned) address of the system, also listens to multicast
traffic (the memo apparently confuses the terms "broadcast" and
"multicast") and will also respond to DNS queries received over IPv6
multicast (e.g., to FF01::1).  This could be leveraged for discovering
nodes and for various amplification / DoS attacks.

So there's the question:  Is this considered a feature or a bug?
Is this still current behavior in the latest versions of Bind?
Do other DNS server implementations expose the same behavior?


Note that IP packets MUST NOT be sent with a source address that is
a multicast address (or the limited broadcast address in the case
of IPv4); therefore, a resolver that actually sent such a multicast
query would likely receive a response to such a query that uses a
unicast address of the system running the DNS server as its source
address, and such response would be rejected _if_ the resolver
follows Section 9.1 of RFC 5452.  And based on the same rules, such
response would be rejected as well if the resolver did not send the
query (the source addr of the query had been spoofed by an attacker),
and the response hence does not match an outstanding query.

Although the RFC 5452 checks reduce the possible resulting damage,
in the standard DNS protocol (using server port 53), preferably
such responses should not be sent at all in the first place.


Kind regards,
  Alfred Hönes.

-- 

+------------------------+--------------------------------------------+
| TR-Sys Alfred Hoenes   |  Alfred Hoenes   Dipl.-Math., Dipl.-Phys.  |
| Gerlinger Strasse 12   |  Phone: (+49)7156/9635-0, Fax: -18         |
| D-71254  Ditzingen     |  E-Mail:  ah@TR-Sys.de                     |
+------------------------+--------------------------------------------+
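As an added illustration (not part of the message above, nor code from any name server or resolver), here is a resolver-side sketch of the RFC 5452 Section 9.1 matching rules the message refers to, showing why a unicast-sourced answer to a query that was sent to a multicast address gets dropped; the addresses, ports, IDs and names are constructed sample values.

```python
import ipaddress
import struct
from dataclasses import dataclass

@dataclass(frozen=True)
class OutstandingQuery:
    """What a resolver remembers about a query it sent (RFC 5452 §9.1 matching state)."""
    dst_addr: str   # address the query was sent to; the response source must equal it
    dst_port: int
    txid: int
    qname: str
    qtype: int
    qclass: int

def build_message(txid, qname, qtype=1, qclass=1, response=False):
    """Minimal DNS message with one question (used here to construct sample traffic)."""
    flags = 0x8180 if response else 0x0100
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    wire_name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + wire_name + struct.pack("!HH", qtype, qclass)

def parse_question(msg):
    """Return (txid, flags, qname, qtype, qclass) for a message with exactly one question."""
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    off, labels = 12, []
    while msg[off] != 0:
        length = msg[off]
        if length & 0xC0:  # a compression pointer cannot appear in a question name we sent
            raise ValueError("compressed name in question")
        labels.append(msg[off + 1:off + 1 + length].decode("ascii").lower())
        off += 1 + length
    qtype, qclass = struct.unpack("!HH", msg[off + 1:off + 5])
    return txid, flags, ".".join(labels) + ".", qtype, qclass

def accept_response(q, src_addr, src_port, msg):
    """RFC 5452 §9.1: source addr/port must equal the query's destination; ID and question must match."""
    if ipaddress.ip_address(src_addr) != ipaddress.ip_address(q.dst_addr):
        return False  # e.g. query went to ff02::1, answer arrives from a unicast address
    if src_port != q.dst_port:
        return False
    try:
        txid, flags, qname, qtype, qclass = parse_question(msg)
    except (ValueError, IndexError, struct.error, UnicodeDecodeError):
        return False
    if not flags & 0x8000:  # QR bit must be set on a response
        return False
    return (txid, qname, qtype, qclass) == (q.txid, q.qname.lower(), q.qtype, q.qclass)
```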