Reading - Hold On: Protecting against On-Path DNS Poisoning Attacks Flashcards
Briefly describe the three categories of attackers against DNS.
Off-path adversaries cannot observe DNS queries and responses. They can trigger specific DNS lookups, but must generate numerous forged packets in the hope that one matches the outstanding request, since they have to guess the transaction ID and other entropy before the resolver will accept a reply.
On-path adversaries can passively observe the actual lookups requested by a resolver and can directly forge DNS replies. As long as the resolver receives the forged reply before the legitimate one, it will accept the forged reply.
In-path adversaries can both block and modify packets, so they can drop the legitimate reply entirely. Hold-On cannot help here, because it relies on the legitimate reply eventually arriving.
How does the Hold-On algorithm work?
Because on-path adversaries cannot block the legitimate reply, a "Hold-On" period can be used to wait for it to arrive. The stub resolver/forwarder first learns the expected RTT and TTL associated with legitimate traffic to the remote recursive resolver. Then, after issuing a DNS query, it starts its Hold-On timer. If a DNSSEC-protected response is expected, it performs local signature validation on each reply and returns the first fully validated reply to the client, or a DNSSEC error if the Hold-On timer expires before any reply validates. If DNSSEC is not available, the resolver compares the arrival time of each reply against the expected RTT and compares the TTL field in the header against the expected TTL. If a reply matches both, it returns that reply to the client; if either mismatches, it ignores the reply and keeps waiting. If the timer expires, it returns the last reply received, even though that reply was not validated.