Hold-On

Question 1

an attacker who can observe and inject traffic

inserts fake replies to queries

Answer 1

DNS poisoning based on packet injection

Question 2

Attackers against DNS fall into three categories:

Answer 2

off-path,
on-path, and
in-path.

Question 3

lacks the ability to observe DNS queries and responses. Such an attacker will generally employ some means to trigger specific DNS lookups, but must guess the transaction ID and any other entropy (such as the source port and 0x20 encoding) in the request to forge a reply that the resolver will accept.

Answer 3

An off-path adversary

Question 4

generally generate numerous packets in hopes of matching the request. Additionally, because resolvers do not issue new queries for a name that is already cached, off-path adversaries have difficulty targeting stub resolvers, since stubs, unlike recursive resolvers, do not generally accept and promote glue entries

Answer 4

Off-path adversaries

Question 5

has the ability to passively observe

the actual lookups requested by a resolver

Answer 5

An on-path adversary

Question 6

can directly forge DNS replies that match the full set of criteria used by the resolver to validate answers (other than use of DNSSEC). As long as a forged reply arrives at the resolver before the legitimate one, the resolver will accept the injected answer and become poisoned.

Answer 6

An on-path adversary

Question 7

Absent a denial-of-service attack on legitimate servers, both off-path and on-path adversaries lack the ability to suppress legitimate responses. Thus, both of these adversaries necessarily create an observable artifact: the victim, if it waits sufficiently long, will receive both the attacker’s packet and the legitimate reply.

Answer 7

True facts

Question 8

Only this is capable of blocking and modifying packets, can prevent the legitimate reply from reaching the victim.

Answer 8

an in-path adversary

Question 9

Although in-path approaches have more power, on-path approaches have several advantages, making their use appealing for attackers

Answer 9

Censorship tools commonly use on-path rather
than in-path techniques to ease deployment and to make the system failure and load tolerant, as the censorship system can then operate on a traffic mirror rather than the live traffic.

Question 10

works without modifying drivers, but suppressing legitimate replies requires hardware-specific access to the low-level air interface to detect and squelch a broadcast in flight

Answer 10

on-path WiFi packet injection

Question 11

adds cryptographic authentication to prevent the

acceptance of invalid DNS replies

Answer 11

DNSSEC

Question 12

does not suffice as a replacement for a mechanism such as Hold-On: resolvers need to maintain an open port for a period of time in order to attempt to validate all responses received for a query, not just the first.

Answer 12

DNSSEC

Question 13

Hold-On can provide a robust defense against on-path injection only when combined with

Answer 13

DNSSEC

Question 14

operates as a stub resolver to a known-uncensored remote recursive resolver, which enables accurate initial measurement of RTT and TTL to enable subsequent detection of unexpected replies

Answer 14

The current Hold-On implementation

Question 15

Without DNSSEC, “Hold On” relies on attack packets exhibiting significant differences in “These 2 things” in order to distinguish them from legitimate replies.

Answer 15

IP TTL or RTT

Question 16

If the attacker carefully crafts the attack packets’ TTLs, and only injects them just before the likely arrival of the legitimate reply (see Figure 7), our Hold-On technique without DNSSEC will fail to distinguish between the legitimate reply and the attack packet.7

Answer 16

True.

However, the resolver can still detect that an attack
has likely occurred (due to the differing responses). If the resolver cannot correctly determine the legitimate response, it should conservatively not return any answer—though doing so still enables attackers to impose denial-of-service

Question 17

does not suffice to protect against on-path adversaries
operating in environments that users only occasionally visit, such as public WiFi hotspots; we lack knowledge of “non-sensitive” domains to look up in order to obtain estimates of RTT and TTL in the presence of non-injection

Answer 17

Hold On

Question 18

a recursive resolver should also continue to listen

for replies even after it processes and forwards an answer

Answer 18

in order to detect attacks

If the resolver detects an attack,
it could revert to a more paranoid mode (performing active measurements of RTTs and TTLs for all new resolvers to detect subsequent attacks)

Question 19

is effective at distinguishing legitimate replies from those injected by a widely deployed network censorship system.

Answer 19

a DNS forwarder that implements Hold-On

Question 20

Packet injection by on-path adversaries poses a particular

threat against DNS

Answer 20

One particular use of such injection comes from those building DNS-based censorship tools. Even DNSSEC-validating implementations may be vulnerable, as
injected packets can cause denial-of-service if the resolver fails to wait for the legitimate reply before returning “Bogus”.

stub resolvers can use its presence to detect when packet injection occurs.

Question 21

In addition, unless censors take additional steps, imperfections
in their packet injection tools can allow resolvers to not
only detect injection attacks, but also to potentially distinguish
between legitimate replies and injected answers based on
artifacts in the

Answer 21

IP header’s TTL field and in the round-trip time

when receiving replies

Question 22

If a reply arrives too early, with an unexpected IP TTL,
or fails to validate (if DNSSEC validation occurs), the stub
waits for the potential arrival of a subsequent legitimate reply
before proceeding.

Answer 22

a Hold-On period

Question 23

For censors who take steps to match the TTL and RTT of their injections with those expected for legitimate replies, “THIS” still allows detection that injection
has occurred; and, for DNSSEC-enabled resolution, prevents the censor from imposing denial-of-service on obtaining the correct reply.

Answer 23

Hold-On