DNS poisoning attacks inject malicious entries into the DNS resolution system, allowing an attacker to redirect clients to malicious servers. These attacks typically target a DNS resolver allowing attackers to poison a DNS entry for all machines that use the compromised resolver. However, recent defenses can effectively protect resolvers rendering classical DNS poisoning attacks ineffective. In this paper, we present a new class of DNS poisoning attacks targeting the client-side DNS cache. The attack initiates DNS poisoning on the client cache, which is used in all main stream operating systems to improve DNS performance, circumventing defenses targeting resolvers. Our attack allows an off-path attacker to collaborate with a piece of an unprivileged malware to poison the OS-wide DNS cache on a client machine. We developed the attack on Windows, Mac OS, and Ubuntu Linux. Interestingly, the behaviors of the three operating systems are distinct and the vulnerabilities require different strategies to exploit. We also generalize the attack to work even when the client is behind a Network Address Translation (NAT) router. Our results show that we can reliably inject malicious DNS mappings, with on average, an order of tens of seconds. Finally, we propose a defense against this type of poisoning attacks.
|Original language||English (US)|
|Title of host publication||INFOCOM 2019 - IEEE Conference on Computer Communications|
|Publisher||Institute of Electrical and Electronics Engineers Inc.|
|Number of pages||9|
|State||Published - Apr 2019|
|Event||2019 IEEE Conference on Computer Communications, INFOCOM 2019 - Paris, France|
Duration: Apr 29 2019 → May 2 2019
|Name||Proceedings - IEEE INFOCOM|
|Conference||2019 IEEE Conference on Computer Communications, INFOCOM 2019|
|Period||4/29/19 → 5/2/19|
Bibliographical noteFunding Information:
Fatemah Alharbi is supported by Taibah University (TU) and the Saudi Arabian Cultural Mission (SACM). The work is partially supported by the National Science Foundation under grants No. CNS-1619391, CNS-1652954, and CNS-1618898.
VIII. CONCLUSION To conclude, we are the first to practically report, evaluate, and measure the client-side OS-wide DNS cache poisoning attack against Windows, Mac OS, and Linux operating systems. By understanding the specific OS implementations, we tailor the attacks against them individually and show that the attack can generally succeed in tens of seconds under realistic conditions. We hope that the lessons learned can help improve the future design and implementation of DNS and even other OS-wide caching systems. Acknowledgments: Fatemah Alharbi is supported by Taibah University (TU) and the Saudi Arabian Cultural Mission (SACM). The work is partially supported by the National Science Foundation under grants No. CNS-1619391, CNS-1652954, and CNS-1618898.