PowerDNS Recursor and the SAD DNS attack

Nov 17, 2020

Short version: the PowerDNS Recursor already implements mitigations against the SAD DNS attack. However, our users will likely be vulnerable to the most complex variant of the attack, which exploits kernel behaviour. Unfortunately that is outside our control.

Long version:

Last week, a group of researchers published a new vulnerability in DNS resolvers that they call ‘a revival of the classic DNS cache poisoning attack’. In short, they have found tricks to get around some of the mitigations that resolver software has put in place to prevent spoofing, especially after the ‘Kaminsky Attack’ in 2008. There is an excellent explanation of the attack on the Cloudflare blog. We strongly suggest reading it to understand the full scope and impact of the attack.

PowerDNS Recursor already implements mitigations against the attack described in the paper, including port and ID randomisation, the use of connected sockets, and a ‘spoof attempt detection’ that we call a ‘near miss counter’ (see the last paragraph behind this link). This means that the only remaining avenue for an attacker is the ‘ICMP rate limit side channel’, which is a kernel problem. For Linux, a kernel patch (also linked on the SAD DNS web page) is available. We suggest asking your OS vendor for a timeline for delivering a patched kernel to you. Until then, blocking outgoing ICMP Port Unreachable messages has been suggested as a mitigation. Please note that we generally recommend against such blanket filters.
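To illustrate the idea behind a ‘near miss counter’, here is a simplified model added to this post as an example; it is not PowerDNS Recursor code. The matching key, the `threshold` parameter, the class and function names, and the sample traffic are all assumptions made for the illustration.

```python
from dataclasses import dataclass

@dataclass
class Pending:
    txid: int             # random 16-bit DNS ID of the outstanding query
    near_misses: int = 0  # answers that matched everything except the ID

class NearMissTracker:
    """Simplified model; the key fields and threshold are assumptions."""

    def __init__(self, threshold: int):
        self.threshold = threshold
        self.pending = {}  # (server, local_port, qname, qtype) -> Pending

    @staticmethod
    def _key(server, local_port, qname, qtype):
        # DNS names compare case-insensitively; ignore the trailing dot.
        return (server, local_port, qname.lower().rstrip("."), qtype)

    def sent(self, server, local_port, qname, qtype, txid):
        self.pending[self._key(server, local_port, qname, qtype)] = Pending(txid)

    def received(self, server, local_port, qname, qtype, txid):
        """Return 'accept', 'near-miss', 'abort' or 'unrelated' for one packet."""
        key = self._key(server, local_port, qname, qtype)
        entry = self.pending.get(key)
        if entry is None:
            return "unrelated"      # no such query in flight: drop the packet
        if txid == entry.txid:
            del self.pending[key]
            return "accept"
        entry.near_misses += 1      # right server, port and question, wrong ID
        if entry.near_misses >= self.threshold:
            del self.pending[key]   # stop waiting; later guesses cannot land
            return "abort"
        return "near-miss"

def demo():
    # Constructed traffic: one query, then answers that guess at the ID.
    t = NearMissTracker(threshold=3)
    t.sent("192.0.2.53", 40123, "www.example.com.", "A", txid=0x1A2B)
    guesses = [0x0001, 0x0002, 0x0003, 0x1A2B]
    return [t.received("192.0.2.53", 40123, "WWW.example.com", "A", g)
            for g in guesses]

if __name__ == "__main__":
    print(demo())
```

In this model the last packet carries the correct ID but is still dropped, because the query was abandoned once the wrong-ID answers reached the threshold.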

Update 18 November 2021: we are aware of the follow-up paper published by the researchers at https://www.saddns.net/. The text above remains accurate for PowerDNS users.

About the author

Peter van Dijk

Senior Developer at PowerDNS

