Re: [DNSOP] DNS cache poisoning is back

Mukund Sivaraman <muks@mukund.org> Sat, 14 November 2020 05:39 UTC

Date: Sat, 14 Nov 2020 11:09:22 +0530
From: Mukund Sivaraman <muks@mukund.org>
To: John Levine <johnl@taugh.com>
Cc: dnsop@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/iR1NZx4GduZ8Bj8h7bOA3oDz2aQ>

On Fri, Nov 13, 2020 at 10:39:30PM -0500, John Levine wrote:
> This paper from UC Riverside given at this week's ACM CCS '20
> conference describes a DNS cache poisoning attack that uses weaknesses
> in UDP stacks. They say it works on real public caches including
> Cloudflare, Google, and Quad 9,
> 
> https://www.cs.ucr.edu/~zhiyunq/pub/ccs20_dns_poisoning.pdf

The paper concludes in 8.1 that DNS COOKIE mitigates this problem, which
is also obvious from the problem description. The Kaminsky-style attack
is still effective, and COOKIE still mitigates it.

		Mukund
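
The resolver-side check that DNS COOKIE (RFC 7873) adds, as an added example that is not part of the original message or the paper: a response is accepted only if it echoes the 8-byte client cookie sent with the query, which an off-path sender who has guessed the port and transaction ID still does not know. The function names and the sample response are constructed for illustration.

```python
import hmac, struct

COOKIE_OPT = 10   # EDNS option code for COOKIE (RFC 7873)
OPT_RR = 41       # OPT pseudo-RR type (RFC 6891)

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while 0 < msg[off] < 0xC0:            # walk plain labels
        off += 1 + msg[off]
    return off + (2 if msg[off] >= 0xC0 else 1)   # pointer or root terminator

def echoed_client_cookie(msg):
    """Return the 8-byte client cookie echoed in a response, or None."""
    _id, _flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4     # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if off + rdlen > len(msg):        # RDATA runs past the packet
            return None
        if rtype == OPT_RR:
            end, p = off + rdlen, off
            while p + 4 <= end:           # walk the EDNS options
                code, olen = struct.unpack_from("!HH", msg, p)
                if code == COOKIE_OPT and olen >= 8 and p + 4 + olen <= end:
                    return msg[p + 4:p + 12]
                p += 4 + olen
        off += rdlen
    return None

def accept_response(msg, sent_cookie):
    """Accept only a well-formed response that echoes the cookie we sent."""
    try:
        got = echoed_client_cookie(msg)
    except (struct.error, IndexError):    # malformed or truncated packet
        return False
    return got is not None and hmac.compare_digest(got, sent_cookie)

def make_response(txid, cookie_opt):
    """Constructed sample: response for example.com A with an OPT RR."""
    q = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    a = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
    rdata = struct.pack("!HH", COOKIE_OPT, len(cookie_opt)) + cookie_opt if cookie_opt else b""
    opt = b"\x00" + struct.pack("!HHIH", OPT_RR, 1232, 0, len(rdata)) + rdata
    return struct.pack("!6H", txid, 0x8180, 1, 1, 0, 1) + q + a + opt
```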