PowerDNS Recursor and the SAD DNS attack
Short version: the PowerDNS Recursor already implements mitigations to the SAD DNS attack. However, our users will likely be vulnerable to the most complex variant of the attack, which exploits kernel behaviour. Unfortunately that is outside our control.
Last week, a group of researchers published a new vulnerability in DNS resolvers, that they call ‘a revival of the classic DNS cache poisoning attack’. In short, they have found tricks to get around some of the mitigations that resolver software has put in place to prevent spoofing, especially after the ‘Kaminsky Attack’ in 2008. There is an excellent explanation of the attack on the Cloudflare blog. We strongly suggest reading it to understand the full scope and impact of the attack.
PowerDNS Recursor already implements mitigations against the attack described in the paper, including port and ID randomisation, the use of connected sockets, and a ‘spoof attempt detection’ that we call a ‘near miss counter’ (see the last paragraph behind this link). This means that the only remaining avenue for an attacker is the ‘ICMP rate limit side channel’, which is a kernel problem. For Linux, a kernel patch (also linked on the SAD DNS web page) is available. We suggest asking your OS vendor for a timeline for delivering a patched kernel to you. Until then, blocking outgoing ICMP Port Unreachable messages has been suggested as a mitigation. Please note that we generally recommend against such blanket filters.
Update 18 November 2021: we are aware of the followup paper published by the researchers at https://www.saddns.net/. The text above remains accurate for PowerDNS users.