PowerDNS Recursor and the SAD DNS attack

Nov 17, 2020

Short version: the PowerDNS Recursor already implements mitigations against the SAD DNS attack. However, our users will likely be vulnerable to the most complex variant of the attack, which exploits kernel behaviour. Unfortunately, that is outside our control.

Long version:

Last week, a group of researchers published a new vulnerability in DNS resolvers that they call ‘a revival of the classic DNS cache poisoning attack’. In short, they have found tricks to get around some of the mitigations that resolver software has put in place to prevent spoofing, especially after the ‘Kaminsky Attack’ in 2008. There is an excellent explanation of the attack on the Cloudflare blog. We strongly suggest reading it to understand the full scope and impact of the attack.

PowerDNS Recursor already implements mitigations against the attack described in the paper, including port and ID randomisation, the use of connected sockets, and a ‘spoof attempt detection’ that we call a ‘near miss counter’ (see the last paragraph behind this link). This means that the only remaining avenue for an attacker is the ‘ICMP rate limit side channel’, which is a kernel problem. For Linux, a kernel patch (also linked on the SAD DNS web page) is available. We suggest asking your OS vendor for a timeline for delivering a patched kernel to you. Until then, blocking outgoing ICMP Port Unreachable messages has been suggested as a mitigation. Please note that we generally recommend against such blanket filters.

Update 18 November 2021: we are aware of the follow-up paper published by the researchers at https://www.saddns.net/. The text above remains accurate for PowerDNS users.
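To illustrate the ‘near miss counter’ idea mentioned above, here is an added example (not PowerDNS code and not part of the original post): a simplified model in which a response that repeats the pending question but carries the wrong ID is counted as a spoofing guess. The names, the threshold value and the sample packets are assumptions constructed for this sketch.

```python
import struct

NEARMISS_MAX = 3  # assumed threshold for this sketch, not a PowerDNS default

def build_response(txid, qname, qtype=1):
    """Constructed sample packet: DNS header (QR=1) plus one question, no answers."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".") if l)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_question(packet):
    """Return (txid, is_response, qname, qtype), or None for malformed input."""
    if len(packet) < 12:
        return None
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        return None
    pos, labels = 12, []
    while pos < len(packet) and packet[pos] != 0:
        length = packet[pos]
        if length > 63 or pos + 1 + length > len(packet):  # no compression here
            return None
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii", "replace").lower())
        pos += 1 + length
    if pos + 5 > len(packet):  # need the root label plus QTYPE and QCLASS
        return None
    qtype, _qclass = struct.unpack("!HH", packet[pos + 1:pos + 5])
    return txid, bool(flags & 0x8000), ".".join(labels) + ".", qtype

class PendingQuery:
    """One outstanding query; its connected socket already filters by peer."""
    def __init__(self, txid, qname, qtype=1):
        self.txid, self.qname, self.qtype = txid, qname.lower(), qtype
        self.nearmisses = 0

    def on_packet(self, packet):
        """Classify one datagram received on this query's socket."""
        parsed = parse_question(packet)
        if parsed is None or not parsed[1]:
            return "ignore"
        txid, _, qname, qtype = parsed
        if (qname, qtype) != (self.qname, self.qtype):
            return "ignore"
        if txid == self.txid:
            return "accept"
        self.nearmisses += 1  # right question, wrong ID: someone is guessing
        return "spoofed" if self.nearmisses > NEARMISS_MAX else "near-miss"
```

In this sketch a caller that sees "spoofed" would give up on the query instead of waiting for a guess to land on the right ID.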

About the author

Peter van Dijk

Senior Developer at PowerDNS
