1. MITM
· Spoofing data is trivial
· Single UDP packet request/response
· Exists all along chain
2. ID Guessing
· Guess the 16-bit nonce and possibly the randomly selected port
· Works on recursive resolvers and stubs
3. Birthday Attack
· Subset of ID guessing
· Send multiple requests to the target's recursive resolver, all targeting the same authoritative server.
· Send your poisoning responses, which can match any of the outstanding queries.
· 50% success with 300 packets; conventional poisoning needs 32K packets for 50% success.
· Mitigated in late BIND 9 by combining (aggregating) queries.
· Made much more difficult by query source port randomization in djbdns.
4. Name Chaining
· Cache poisoning attack only, doesn’t affect stub resolvers.
· Must use one of the former methods to insert it.
· Differs from conventional poisoning attacks in that only requested information is returned but with falsified answers.
5. Rogue DNS Servers
· DNS servers usually assigned by DHCP
· Survey of DNS servers that attempt to poison old clients by returning bogus information.
6. DoS attacks
· Attacks against the DNS servers themselves.
· Attacking other systems with DNS amplification.
· Both of these attacks are made easier by DNSSEC.
7. Information Removal
· Special case of MITM problem.
· Mitigated by DNS denial of existence.
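
The packet counts quoted under item 3, and the effect of source port randomization, can be checked with a short calculation. This is an added example, not part of the original post; it assumes the common birthday approximation P = 1 - (1 - 1/t)^(n(n-1)/2) for n outstanding queries and n spoofed replies, and a full 16 bits of port entropy as an upper bound for the randomized case.

```python
import math

ID_SPACE = 2 ** 16   # 16-bit DNS transaction ID (the "nonce" in item 2)
PORT_BITS = 16       # assumption: upper bound on entropy added by a random source port


def conventional_success(n, t):
    """One outstanding query, n spoofed replies carrying distinct guesses."""
    return min(1.0, n / t)


def birthday_success(n, t):
    """n outstanding queries and n spoofed replies (birthday approximation)."""
    pairs = n * (n - 1) / 2
    return 1.0 - math.exp(pairs * math.log1p(-1.0 / t))


def packets_needed(target, t, model):
    """Smallest n for which model(n, t) reaches the target probability."""
    lo, hi = 0, 1
    while model(hi, t) < target:      # grow the upper bound by doubling
        lo, hi = hi, hi * 2
    while hi - lo > 1:                # then bisect between lo (fails) and hi (succeeds)
        mid = (lo + hi) // 2
        if model(mid, t) >= target:
            hi = mid
        else:
            lo = mid
    return hi


def summary(target=0.5):
    """Packets needed per model, with a fixed and with a randomized source port."""
    rows = {}
    spaces = (("fixed port", ID_SPACE), ("random port", ID_SPACE << PORT_BITS))
    for label, t in spaces:
        rows[label] = (packets_needed(target, t, conventional_success),
                       packets_needed(target, t, birthday_success))
    return rows


if __name__ == "__main__":
    print(f"birthday, 300 packets: {birthday_success(300, ID_SPACE):.3f}")
    for label, (conv, bday) in summary().items():
        print(f"{label:12s} conventional={conv:>13,d}  birthday={bday:>7,d}")
```

Under these assumptions, randomizing the source port raises the birthday cost for 50% success from about 300 packets to roughly 77,000.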
Monday, June 2, 2008
Current DNS Attack Vectors