Specialized Auditing Matters - Protecting against DNS Cache Corruption

DNS servers can operate in one of two ways when responding to queries:

1. Recursive queries are used when a client makes a request to a DNS server and the name server is expected to traverse the DNS hierarchy to locate the answer. At that time, the name server will make a nonrecursive query to locate the requested information.

2. Nonrecursive queries are used when a name server asks another name server for information. The queried server will return an answer or make a referral to another name server or the name server will indicate an error that the queried name server has no information to fulfill the request. As a default configuration, most name servers allow recursive inquiries from any source. DNS servers that provide recursive resolution services to the Internet may be susceptible to cache corruption. Cache corruption happens when name server caches erroneous data for a domain name. This results in denial of service or man-in-the-middle attacks.

By making a recursive query to a DNS server that provides recursion, an attacker can cause the name server to look up and cache information contained in zones under their control. In this fashion, the victim-name server is forced to query their malicious name servers resulting in the victim caching and retrieving bogus data. There are essentially four steps available to BIND and other types of DNS servers:

  • Disable recursion entirely

  • Restrict IP addresses that are allowed to make any type of queries

  • Restrict IP addresses that are allowed to make recursive queries

  • In BIND versions before version 9 disable fetching of glue records
  • Popular Posts