Linux has a serious security problem that once again enables DNS cache poisoning
Bizarre behavior overlooked in Linux for more than a decade revives scary attack scenario.
DAN GOODIN - 11/17/2021, 8:36 AM

As much as 38 percent of the Internet’s domain name lookup servers are vulnerable to a new attack that allows hackers to send victims to maliciously spoofed addresses masquerading as legitimate domains, like bankofamerica.com or gmail.com.
The exploit, unveiled in research presented today, revives the DNS cache-poisoning attack that researcher Dan Kaminsky disclosed in 2008. He showed that, by masquerading as an authoritative DNS server and using it to flood a DNS resolver with fake lookup results for a trusted domain, an attacker could poison the resolver cache with the spoofed IP address. From then on, anyone relying on the same resolver would be diverted to the same imposter site.
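The Kaminsky scenario above works only if a resolver accepts a forged reply it cannot tell apart from the real one. The code below is an added illustration, not from the article or from any resolver project: a simplified resolver-side check that accepts a DNS reply only when its transaction ID, destination UDP port and question section all match the query that is still outstanding, plus a helper that counts how many (txid, port) combinations a blind off-path sender has to match with and without source port randomization (the post-2008 mitigation). `PendingQuery`, `encode_response` and `validate_response` are names chosen here; the wire-format encoder exists only to construct test input and does not handle name compression in the question section or EDNS.

```python
"""Resolver-side reply validation against a pending query (constructed example)."""
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class PendingQuery:
    txid: int      # 16-bit transaction ID the resolver chose for this query
    src_port: int  # UDP source port the query was sent from (randomized per query)
    qname: str     # question name, e.g. "bankofamerica.com."


def encode_qname(name: str) -> bytes:
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_qname(data: bytes, offset: int):
    """Decode an uncompressed name starting at offset; return (name, next_offset)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers not supported in question")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset


def encode_response(txid: int, qname: str, ip: str) -> bytes:
    """Build a minimal wire-format A reply; used here only to construct sample input."""
    # Header: id, flags (QR=1 RD=1 RA=1 -> 0x8180), qdcount=1, ancount=1, ns=0, ar=0
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_qname(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    rdata = bytes(int(o) for o in ip.split("."))
    # Answer name is a pointer (0xC00C) back to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + question + answer


def validate_response(pending: PendingQuery, dst_port: int, data: bytes) -> bool:
    """Accept a reply only if port, txid and question all match the outstanding query."""
    if len(data) < 12:
        return False
    txid, flags, qdcount, _ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if dst_port != pending.src_port:   # arrived on a port we never queried from
        return False
    if txid != pending.txid:           # transaction ID does not match
        return False
    if not flags & 0x8000:             # QR bit must be set on a response
        return False
    if qdcount != 1:
        return False
    try:
        qname, off = decode_qname(data, 12)
        qtype, qclass = struct.unpack("!HH", data[off:off + 4])
    except (IndexError, ValueError, struct.error):
        return False
    if qname.lower() != pending.qname.lower():  # question must echo our query
        return False
    return qtype == 1 and qclass == 1


def blind_match_space(randomize_source_port: bool) -> int:
    """(txid, port) combinations a blind sender must match before a reply is accepted."""
    ports = 64512 if randomize_source_port else 1  # ephemeral range 1024..65535
    return 65536 * ports


if __name__ == "__main__":
    q = PendingQuery(txid=0x1A2B, src_port=53421, qname="bankofamerica.com.")
    print(validate_response(q, 53421, encode_response(0x1A2B, "bankofamerica.com.", "192.0.2.10")))
    print(validate_response(q, 53421, encode_response(0x1A2C, "bankofamerica.com.", "192.0.2.10")))
    print(blind_match_space(False), blind_match_space(True))
```

With a fixed source port the only thing a reply must match is the 16-bit transaction ID, which is what made the 2008 flood practical; randomizing the source port per query raises the match space by roughly another 16 bits, which is why the port check in `validate_response` is as important as the ID check.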
-
@gjacobse the article is a little misleading. Linux doesn't provide DNS services. So Linux can't be the issue. Any given Linux distro might have one or more default DNS server options, so Ubuntu or RHEL might have this issue, but Linux itself cannot.
In the article, you have to dig before they mention BIND, a DNS server, as being a problem with this issue. BIND is certainly the de facto standard on Linux and represents a problem for the community and ecosystem, but the article presents it in very much a clickbait sort of way.
And then it appears to describe the issue as a protocol issue, not an implementation issue, and seems to feel that the issue is just that the protocol used for DNS was insecure.