Author_Institution :
Dept. of Comput. Sci., Bar Ilan Univ., Ramat Gan, Israel
Abstract :
We present effective off-path DNS cache poisoning attacks that circumvent widely deployed challenge-response defenses, e.g., transaction identifier randomisation and port and query randomisation. Our attacks depend on the use of UDP to retrieve long DNS responses, which results in IP fragmentation. We show how attackers are often able to generate such fragmented responses, and then abuse them to inject spoofed, 'poisonous' records into legitimate DNS responses. We also studied how resolvers, name servers, domains and registrars can defend against our attacks. The best defense is deployment and enforcement of DNSSEC validation. However, DNSSEC must be deployed correctly by both domain and resolver, which is challenging; we hope our results will catalyse this process, but it will surely take a long time. In fact, a recent study found that less than 1% of resolvers reject responses upon DNSSEC validation failures. Note also that, ironically, adoption of DNSSEC by a domain is the main reason for fragmented DNS responses (abused in our attacks). We therefore present several short-term countermeasures, which can complement DNSSEC, especially until DNSSEC deployment is complete. We validated our attacks against popular resolvers (BIND and Unbound) and real domains in the Internet.
Keywords :
Internet; security of data; DNS response; DNSSEC validation; IP fragmentation; Internet protocol; UDP; challenge-response defenses; domain name system; off-path DNS cache poisoning attacks; port-and-query randomisation; transaction identifier randomisation; user datagram protocol; DNS cache poisoning; DNS security; fragmentation attacks; off-path attacks