Intercept and Inject: DNS Response Manipulation in the Wild

Autor: Nosyk, Yevheniya, Lone, Qasim, Zhauniarovich, Y., Hernandez Ganan, C., Aben, Emile, Moura, Giovane C. M., Tajalizadehkhoob, Samaneh, Duda, Andrzej, Korczyński, Maciej, Brunstrom, Anna, Flores, Marcel, Fiore, Marco
Rok vydání: 2023
Předmět:
Zdroj: Passive and Active Measurement ISBN: 9783031284854
Passive and Active Measurement-24th International Conference, PAM 2023, Proceedings
DOI: 10.1007/978-3-031-28486-1_19
Popis: DNS is a protocol responsible for translating human-readable domain names into IP addresses. Despite being essential for many Internet services to work properly, it is inherently vulnerable to manipulation. In November 2021, users from Mexico received bogus DNS responses when resolving whatsapp.net. It appeared that a BGP route leak diverged DNS queries to the local instance of the k-root located in China. Those queries, in turn, encountered middleboxes that injected fake DNS responses. In this paper, we analyze that event from the RIPE Atlas point of view and observe that its impact was more significant than initially thought—the Chinese root server instance was reachable from at least 15 countries several months before being reported. We then launch a nine-month longitudinal measurement campaign using RIPE Atlas probes and locate 11 probes outside China reaching the same instance, although this time over IPv6. More broadly, motivated by the November 2021 event, we study the extent of DNS response injection when contacting root servers. While only less than 1% of queries are impacted, they originate from 7% of RIPE Atlas probes in 66 countries. We conclude by discussing several countermeasures that limit the probability of DNS manipulation.
Databáze: OpenAIRE