Attacking DNS resolvers from the server-side for fun and profit

In this session, I would like to present practical methods and strategies for penetration testing of DNS servers and for discovering 0day vulnerabilities in them. I will mainly focus on recursive DNS resolvers and server-to-server scenarios for attacking them.

Server-to-server scenarios are an essential part of a comprehensive strategy for testing DNS resolvers, internal ones as well as public ones (e.g., Google DNS, CloudFlare DNS, OpenDNS, Quad9 etc.). They specifically aim to exploit situations where DNS servers communicate with each other e.g., during a normal operation of resolving a domain name.

The essence of these methods involves operating a rogue testing domain, managed by a specialized authoritative DNS server infrastructure that is capable of responding with custom DNS responses, aiming to produce unexpected results and fault states on the receiving side.

I will present the practicality of such approach from end-to-end, explain what it entails and what exactly is needed. I will then introduce my own custom authoritative DNS server developed for such purposes and demonstrate some of its features during the session.

Various attack venues and strategies against DNS servers will be shown, as well as interesting aspects of the DNS protocol and its limitations in detail. I will also exhibit a few new vulnerabilities that have been found using the presented methods.

This includes a cache poisoning vulnerability found in the CloudFlare and AdGuard public DNS servers, a few different DoS approaches, domain lock up attack variants, which were found effective against some DNS server products.