New Side Channel Attacks Re-Enable Serious DNS Cache Poisoning Attacks

silversurfer

Researchers have demonstrated yet another variant of the SAD DNS cache poisoning attack that leaves about 38% of the domain name resolvers vulnerable, enabling attackers to redirect traffic originally destined to legitimate websites to a server under their control.

"The attack allows an off-path attacker to inject a malicious DNS record into a DNS cache," University of California researchers Keyu Man, Xin'an Zhou, and Zhiyun Qian said. "SAD DNS attack allows an attacker to redirect any traffic (originally destined to a specific domain) to his own server and then become a man-in-the-middle (MITM) attacker, allowing eavesdropping and tampering of the communication."

The latest flaw affects Linux kernels as well as popular DNS software, including BIND, Unbound, and dnsmasq running on top of Linux, but not when run on other operating systems such as FreeBSD or Windows.
 
One of the reasons I use DoH as well as DNSSEC.