Papers
Topics
Authors
Recent
Gemini 2.5 Flash
Gemini 2.5 Flash
158 tokens/sec
GPT-4o
7 tokens/sec
Gemini 2.5 Pro Pro
45 tokens/sec
o3 Pro
4 tokens/sec
GPT-4.1 Pro
38 tokens/sec
DeepSeek R1 via Azure Pro
28 tokens/sec
2000 character limit reached

ResolverFuzz: Automated Discovery of DNS Resolver Vulnerabilities with Query-Response Fuzzing (2310.03202v1)

Published 4 Oct 2023 in cs.CR, cs.NI, and cs.SE

Abstract: Domain Name System (DNS) is a critical component of the Internet. DNS resolvers, which act as the cache between DNS clients and DNS nameservers, are the central piece of the DNS infrastructure, essential to the scalability of DNS. However, finding the resolver vulnerabilities is non-trivial, and this problem is not well addressed by the existing tools. To list a few reasons, first, most of the known resolver vulnerabilities are non-crash bugs that cannot be directly detected by the existing oracles (or sanitizers). Second, there lacks rigorous specifications to be used as references to classify a test case as a resolver bug. Third, DNS resolvers are stateful, and stateful fuzzing is still challenging due to the large input space. In this paper, we present a new fuzzing system termed ResolverFuzz to address the aforementioned challenges related to DNS resolvers, with a suite of new techniques being developed. First, ResolverFuzz performs constrained stateful fuzzing by focusing on the short query-response sequence, which has been demonstrated as the most effective way to find resolver bugs, based on our study of the published DNS CVEs. Second, to generate test cases that are more likely to trigger resolver bugs, we combine probabilistic context-free grammar (PCFG) based input generation with byte-level mutation for both queries and responses. Third, we leverage differential testing and clustering to identify non-crash bugs like cache poisoning bugs. We evaluated ResolverFuzz against 6 mainstream DNS software under 4 resolver modes. Overall, we identify 23 vulnerabilities that can result in cache poisoning, resource consumption, and crash attacks. After responsible disclosure, 19 of them have been confirmed or fixed, and 15 CVE numbers have been assigned.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (130)
  1. M. Allman. Comments on dns robustness. In Proceedings of the Internet Measurement Conference 2018, pages 84–90, 2018.
  2. C. Almond. CVE-2022-3736: named configured to answer from stale cache may terminate unexpectedly while processing RRSIG queries. https://kb.isc.org/docs/cve-2022-3736, 2022.
  3. Cracking the Wall of Confinement: Understanding and Analyzing Malicious Domain Take-downs. In NDSS ’19.
  4. A. E. Alvarez. DNS Forwarding and Conditional Forwarding. https://medium.com/tech-jobs-academy/dns-forwarding-and-conditional-forwarding-f3118bc93984, 2016.
  5. A. Andronidis and C. Cadar. Snapfuzz: High-throughput fuzzing of network applications. In Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA), 2022.
  6. RFC 4035: Protocol Modifications for the DNS Security Extensions. RFC Proposed Standard.
  7. Rfc 4033: Dns security introduction and requirements, 2005.
  8. Stateful greybox fuzzing. In 31st USENIX Security Symposium (USENIX Security 22), pages 3255–3272, Boston, MA, Aug. 2022. USENIX Association.
  9. Jit-picking: Differential fuzzing of javascript engines. In Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security (CCS), 2022.
  10. BIND. "xferquota" system test fails intermittently. https://gitlab.isc.org/isc-projects/bind9/-/issues/3300.
  11. BIND. How do I change the version that BIND reports when queried for version.bind? https://kb.isc.org/docs/aa-00359, 2021.
  12. BIND. https://www.isc.org/bind/, 2022.
  13. BIND. BIND Document: type forward. https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-type%20forward, 2023.
  14. Domain Validation++ For MitM-Resilient PKI. In CCS ’18.
  15. Deep differential testing of jvm implementations. In 2019 IEEE/ACM 41st International Conference on Software Engineering (ICSE), pages 1257–1268. IEEE, 2019.
  16. I. S. Consortium. rndc.conf - rndc configuration file. https://bind9.readthedocs.io/en/v9_16_5/manpages.html#rndc-conf-rndc-configuration-file.
  17. CVE Details. CVE-2014-0160. https://www.cvedetails.com/cve/CVE-2014-0160/, 2014.
  18. CVE Details. CVE-2022-2881. https://www.cvedetails.com/cve/CVE-2022-2881/, 2022.
  19. CVE Details. CVE-2022-3924. https://www.cvedetails.com/cve/CVE-2022-3924/, 2022.
  20. CVE Details. BIND: Vulnerability Statistics. https://www.cvedetails.com/product/144/ISC-Bind.html?vendor_id=64, 2023.
  21. CVE Details. Knot Resolver: Vulnerability Statistics. https://www.cvedetails.com/product/63850/NIC-Knot-Resolver.html?vendor_id=20536, 2023.
  22. CVE Details. MaraDNS: Vulnerability Statistics. https://www.cvedetails.com/vendor/1470/Maradns.html, 2023.
  23. CVE Details. PowerDNS: Vulnerability Statistics. https://www.cvedetails.com/vendor/2834/Powerdns.html, 2023.
  24. CVE Details. Technitium: Vulnerability Statistics. https://www.cvedetails.com/vendor/26782/Technitium.html, 2023.
  25. CVE Details. Unbound: Vulnerability Statistics. https://www.cvedetails.com/product/20882/Nlnetlabs-Unbound.html?vendor_id=9613, 2023.
  26. The Hijackers Guide To The Galaxy: Off-Path Taking Over Internet Resources. In USENIX Security ’21.
  27. G. P. DNS. https://developers.google.com/speed/public-dns, 2022.
  28. DNS-OARC. fpdns - DNS Fingerprinting Tool. https://www.dns-oarc.net/tools/fpdns, 2021.
  29. Dnsmasq. https://thekelleys.org.uk/dnsmasq/doc.html, 2022.
  30. DNSViz. A DNS visualization tool. https://dnsviz.net/, 2020.
  31. R. Elz and R. Bush. RFC 2181: Clarifications to the DNS Specification. RFC Proposed Standard.
  32. Analysis of {{\{{DTLS}}\}} implementations using protocol state fuzzing. In 29th USENIX Security Symposium (USENIX Security 20), pages 2523–2540, 2020.
  33. Google. Fuzzing with afl-fuzz. https://afl-1.readthedocs.io/en/latest/fuzzing.html.
  34. Google. oss-fuzz/projects/bind9 at master · google/oss-fuzz. https://github.com/google/oss-fuzz/tree/master/projects/bind9, 2022.
  35. L. Grangeia. Cache snooping or snooping the cache for fun and profit, 2004.
  36. T. T. Group. Tcpdump and Libpcap. https://www.tcpdump.org/.
  37. Dlfuzz: Differential fuzzing testing of deep learning systems. In Proceedings of the 2018 26th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, pages 739–743, 2018.
  38. guyinatuxedo. https://github.com/guyinatuxedo/dns-fuzzer, 2019.
  39. A. Herzberg and H. Shulman. Fragmentation Considered Poisonous, or: One-domain-to-rule-them-all.org. In CNS ’13.
  40. A. Herzberg and H. Shulman. Vulnerable Delegation of DNS Resolution. In ESORICS ’13.
  41. Specdoctor: Differential fuzz testing to find transient execution vulnerabilities. In Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security (CCS), pages 1473–1487, 2022.
  42. Difuzzrtl: Differential fuzz testing to find cpu bugs. In 2021 IEEE Symposium on Security and Privacy (SP), pages 1286–1303. IEEE, 2021.
  43. D. Inc. Docker SDK for Python. https://docker-py.readthedocs.io/.
  44. LZR: Identifying Unexpected Internet Services. In Proceedings of the 30th USENIX Security Symposium (USENIX Security ’21), 2021.
  45. {{\{{FRAMESHIFTER}}\}}: Security implications of {{\{{HTTP/2-to-HTTP/1}}\}} conversion anomalies. In 31st USENIX Security Symposium (USENIX Security 22), pages 1061–1075, 2022.
  46. T-reqs: Http request smuggling with differential fuzzing. In Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security (CCS), pages 1805–1820, 2021.
  47. S. Jana and V. Shmatikov. Abusing file processing in malware detectors for fun and profit. In 2012 IEEE Symposium on Security and Privacy, pages 80–94. IEEE, 2012.
  48. P. Jeitner and H. Shulman. Injection Attacks Reloaded: Tunnelling Malicious Payloads over DNS. In USENIX Security ’21.
  49. {{\{{XDRI}}\}} attacks-and-how to enhance resilience of residential routers. In 31st USENIX Security Symposium (USENIX Security 22), pages 4473–4490, 2022.
  50. Basic methods of probabilistic context free grammars. Springer, 1992.
  51. Ghost Domain Names: Revoked Yet Still Resolvable. In NDSS ’12.
  52. Dns performance and the effectiveness of caching. In Proceedings of the 1st ACM SIGCOMM Workshop on Internet Measurement, pages 153–167, 2001.
  53. S. K. R. Kakarla. Formal Methods for a Robust Domain Name System. University of California, Los Angeles, 2022.
  54. Groot: Proactive verification of dns configurations. In Proceedings of the Annual conference of the ACM Special Interest Group on Data Communication on the applications, technologies, architectures, and protocols for computer communication (SIGCOMM), pages 310–328, 2020.
  55. {{\{{SCALE}}\}}: Automatically finding {{\{{RFC}}\}} compliance bugs in {{\{{DNS}}\}} nameservers. In 19th USENIX Symposium on Networked Systems Design and Implementation (NSDI 22), pages 307–323, 2022.
  56. D. Kaminsky. Black ops 2008: It’s the end of the cache as we know it. Black Hat USA, 2, 2008.
  57. S. M. Kerner. BIND DNS Holds Lead. https://www.serverwatch.com/server-news/bind-dns-holds-lead/, 2020.
  58. M. Kerrisk. ps(1) — Linux manual page. https://man7.org/linux/man-pages/man1/ps.1.html.
  59. A. Klein. Cross Layer Attacks and How to Use Them (for DNS Cache Poisoning, Device Tracking and More). In S&P ’21.
  60. Knot Resolver. Cz-nic/knot-resolver/lib/selection_iter.c. https://github.com/CZ-NIC/knot-resolver/blob/v5.6.0/lib/selection_iter.c#L281.
  61. J. Knudsen. CyRC Case Study: Securing BIND 9. https://www.synopsys.com/blogs/software-security/cyrc-case-study-securing-bind-9/, 2022.
  62. M. Kępień. Merge branch ’3622-serve-stale-rrsig-fix-security’ into ’security-main’. https://gitlab.isc.org/isc-projects/bind9/-/commit/80ed02f935fbc2adcb8ba8632b0365375232b6cd, 2022.
  63. S. N. Labs. Unbound - unbound-control.8. https://nlnetlabs.nl/documentation/unbound/unbound-control/.
  64. RFC 8767: Serving Stale Data to Improve DNS Resiliency. RFC Proposed Standard, 2020.
  65. A Longitudinal and Comprehensive Study of the DANE Ecosystem in Email. In USENIX Security ’20.
  66. Sediff: scope-aware differential fuzzing to test internal function models in symbolic execution. In Proceedings of the 30th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, pages 57–69, 2022.
  67. Ghost Domain Reloaded: Vulnerable Links in Domain Name Delegation and Revocation. In NDSS ’23.
  68. Fast IPv6 Network Periphery Discovery and Security Implications. In DSN ’21.
  69. The Maginot Line: Attacking the Boundary of DNS Caching Protection. In Proceedings of the 32nd USENIX Security Symposium (USENIX Security ’23), 2023.
  70. TuDoor Attack: Systematically Exploring and Exploiting Logic Vulnerabilities in DNS Response Pre-processing with Malformed Packets. In Proceedings of 2024 IEEE Symposium on Security and Privacy, Oakland S&P ’24, 2024.
  71. C. Ltd. ubuntu - official image | docker hub. https://hub.docker.com/_/ubuntu.
  72. DNS Cache Poisoning Attack Reloaded: Revolutions with Side Channels. In CCS ’20.
  73. DNS Cache Poisoning Attack: Resurrections with Side Channels. In CCS ’21.
  74. Assessing Support for DNS-over-TCP in the Wild. In Proceedings of the 23rd International Conference on Passive and Active Measurement (PAM ’22), 2022.
  75. MaxMind. GeoLite2 Free Geolocation Data. https://dev.maxmind.com/geoip/geolite2-free-geolocation-data, 2023.
  76. W. M. McKeeman. Differential testing for software. Digital Technical Journal, 10(1):100–107, 1998.
  77. D. Merkel. Docker: lightweight linux containers for consistent development and deployment. Linux journal, 2014(239):2, 2014.
  78. Microsoft. Description of the DNSLint utility. https://support.microsoft.com/en-us/help/321045/description-of-the-dnslint-utility, 2018.
  79. Cross-checking semantic correctness: The case of finding file system bugs. In Proceedings of the 25th Symposium on Operating Systems Principles (SOSP), pages 361–377, 2015.
  80. MITRE. CVE. https://cve.mitre.org/, 2023.
  81. MITRE. CVE Details. https://www.cvedetails.com/, 2023.
  82. MITRE. CVE List. https://www.cve.org/, 2023.
  83. P. V. Mockapetris. RFC 1034: Domain Names - Concepts and Facilities. RFC Standard.
  84. Accurately Measuring Global Risk of Amplification Attacks using AmpMap. In Proceedings of the 30th USENIX Security Symposium (USENIX Security ’21), 2021.
  85. MxToolbox. Check your DNS MX Records online. https://mxtoolbox.com/, 2020.
  86. Improved the performance of the k-means cluster using the sum of squared error (sse) optimized by using the elbow method. In Journal of Physics: Conference Series, volume 1361, page 012015. IOP Publishing, 2019.
  87. Cache Me Outside: A New Look at DNS Cache Probing. In Proceedings of the 22nd International Conference on Passive and Active Measurement (PAM ’21), 2021.
  88. Diffuzz: differential fuzzing for side-channel analysis. In 2019 IEEE/ACM 41st International Conference on Software Engineering (ICSE), pages 176–187. IEEE, 2019.
  89. Hydiff: Hybrid differential software analysis. In 2020 IEEE/ACM 42nd International Conference on Software Engineering (ICSE), pages 1273–1285. IEEE, 2020.
  90. Distributed DNS troubleshooting. In Proceedings of the ACM SIGCOMM workshop on Network troubleshooting: research, theory and operations practice meet malfunctioning reality, pages 265–270, 2004.
  91. C. Partridge and M. Allman. Ethical considerations in network measurement papers. Communications of the ACM, 59(10):58–64, 2016.
  92. Global Measurement of DNS Manipulation. In Proceedings of the 26th USENIX Security Symposium (USENIX Security ’17), 2017.
  93. Scikit-learn: Machine learning in Python. Journal of Machine Learning Research, 12:2825–2830, 2011.
  94. Gleefuzz: Fuzzing webgl through error message guided mutation. USENIX Security’23, 2023.
  95. Nezha: Efficient domain-independent differential testing. In 2017 IEEE Symposium on security and privacy (SP), pages 615–632. IEEE, 2017.
  96. Aflnet: a greybox fuzzer for network protocols. In 2020 IEEE 13th International Conference on Software Testing, Validation and Verification (ICST), pages 460–465. IEEE, 2020.
  97. PowerDNS.COM. rec_control. https://docs.powerdns.com/recursor/manpages/rec_control.1.html.
  98. G. S. Reen and C. Rossow. Dpifuzz: a differential fuzzing framework to detect dpi elusion strategies for quic. In Annual Computer Security Applications Conference, pages 332–344, 2020.
  99. ResolverFuzz. https://github.com/ResolverFuzz/ResolverFuzz, 2023.
  100. A. Romao. Tools for dns debugging. Technical report, RFC 1713, FCCN, November, 1994.
  101. SaBRe. The binary rewriting plugin sabre used by snapfuzz. https://github.com/andronat/SaBRe/blob/4a41a5adaec89235e00adc5d339be308f5c8d57c/plugins/sbr-afl/main.c, 2022.
  102. Assessing DNS Vulnerability to Record Injection. In PAM ’14.
  103. On measuring the client-side DNS infrastructure. In IMC ’13.
  104. C. Schuba and E. H. Spafford. Addressing Weaknesses in the Domain Name System Protocol. Master’s thesis.
  105. Addresssanitizer: a fast address sanity checker. In Proceedings of the 2012 USENIX conference on Annual Technical Conference, pages 28–28, 2012.
  106. sharadarao1999. Bisecting K-Means Algorithm Introduction. https://www.geeksforgeeks.org/bisecting-k-means-algorithm-introduction/.
  107. Hdiff: A semi-automatic framework for discovering semantic gap attack in http implementations. In 2022 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), pages 1–13. IEEE, 2022.
  108. A. Singram and K. Umashankar. Implementing dual stack recursive DNS at Microsoft: Challenges and Learning. https://indico.dns-oarc.net/event/42/contributions/904/, 2022.
  109. sischkg. https://github.com/sischkg/dns-fuzz-server, 2019.
  110. Hvlearn: Automated black-box analysis of hostname verification in ssl/tls implementations. In 2017 IEEE Symposium on Security and Privacy (SP), pages 521–538. IEEE, 2017.
  111. J. Somorovsky. Systematic fuzzing and testing of tls libraries. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pages 1492–1504, 2016.
  112. S. Son and V. Shmatikov. The Hitchhiker’s Guide to DNS Cache Poisoning. In SecureComm ’10.
  113. R2z2: Detecting rendering regressions in web browsers through differential fuzz testing. In Proceedings of the 2022 International Conference on Software Engineering (ICSE 2022), 2022.
  114. J. Stewart. DNS Cache Poisoning – The Next Generation. Secureworks.
  115. Bug characteristics in open source software. Empirical software engineering, 19:1665–1705, 2014.
  116. Technitium.com. Technitium DNS Server API Documentation. https://github.com/TechnitiumSoftware/DnsServer/blob/master/APIDOCS.md.
  117. R. Trader. Windows Server – How to configure a Conditional Forwarder in DNS. https://www.interfacett.com/blogs/windows-server-how-to-configure-a-conditional-forwarder-in-dns/, 2016.
  118. Unbound. https://nlnetlabs.nl/projects/unbound/about/, 2022.
  119. Unbound. Unbound Document: forward-first. https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#unbound-conf-forward-forward-first, 2023.
  120. US-CERT. Alert (ta13-088a): Dns amplification attacks. https://www.cisa.gov/uscert/ncas/alerts/TA13-088A, 2019.
  121. Verisign. DNSSEC Analyzer. https://dnssec-analyzer.verisignlabs.com/, 2020.
  122. A. Walz and A. Sikora. Exploiting dissent: towards fuzzing-based differential black-box testing of tls implementations. IEEE Transactions on Dependable and Secure Computing, 17(2):278–291, 2017.
  123. Superion: Grammar-aware greybox fuzzing. In 2019 IEEE/ACM 41st International Conference on Software Engineering (ICSE), pages 724–735. IEEE, 2019.
  124. Symtcp: Eluding stateful deep packet inspection with automated discrepancy discovery. In Network and Distributed System Security Symposium (NDSS), 2020.
  125. Themis: Ambiguity-aware network intrusion detection based on symbolic model comparison. In Proceedings of the 8th ACM Workshop on Moving Target Defense, pages 31–32, 2021.
  126. TsuKing: Coordinating DNS Resolvers and Queries into Potent DoS Amplifiers. In Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, CCS ’23, 2023.
  127. Probabilistic grammar fuzzing. https://www.fuzzingbook.org/html/ProbabilisticGrammarFuzzer.html.
  128. Poison Over Troubled Forwarders: A Cache Poisoning Attack Targeting DNS Forwarding Devices. In USENIX Security ’20.
  129. Measuring and disrupting anti-adblockers using differential execution analysis. In The Network and Distributed System Security Symposium (NDSS), 2018.
  130. {{\{{TCP-Fuzz}}\}}: Detecting memory and semantic bugs in {{\{{TCP}}\}} stacks with fuzzing. In 2021 USENIX Annual Technical Conference (USENIX ATC 21), pages 489–502, 2021.
Citations (2)
View on Semantic Scholar

Summary

We haven't generated a summary for this paper yet.

Ai Sparkles Streamline Icon: https://streamlinehq.com Summarize Now