Post by ATHENE researchers on the APNIC blog: DNS-over-TCP is considered vulnerable
In their latest post on the APNIC blog, ATHENE researchers discuss recent recommendations to use TCP instead of UDP for sending DNS packets. To traverse a network more easily, large packets are often divided into smaller packets by so-called IP fragmentation. TCP with Path MTU Discovery (PMTUD) was recently proposed as an alternative to IP fragmentation, and in this context the recommendation was made to send DNS packets over TCP instead of UDP. This is based on the assumption that TCP is resistant to IP fragmentation attacks.
In a recent study, the ATHENE researchers found that IP fragmentation attacks may very well apply to packets sent over TCP. Responses from at least 393 additional domains' nameservers can be exploited for IP fragment misassociation attacks via source fragmentation. Worryingly, the attack surface is potentially even larger: over one thousand intermediate routers on the Internet have a small next-hop MTU, which causes packets that traverse them to be fragmented even when the source does not fragment them.
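As an added detection example (not code from the post or from the ATHENE study), the following Python groups IPv4 fragments by (source, destination, protocol, IP ID) and reports flows whose first fragment carries TCP port 53, i.e. DNS-over-TCP traffic that was fragmented anyway. The packets it inspects are constructed here with TEST-NET addresses; the raw-IPv4 framing and the port-53 heuristic are assumptions made for this demo.

```python
import struct
from collections import defaultdict

def parse_ipv4(pkt):
    """Decode the fixed IPv4 header into the fields needed for fragment tracking."""
    (ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "id": ident, "proto": proto, "df": bool(flags_frag & 0x4000),
            "mf": bool(flags_frag & 0x2000), "offset": (flags_frag & 0x1FFF) * 8,
            "payload": pkt[ihl:total_len]}

def find_fragmented_dns_tcp(packets):
    """Report fragment groups whose first fragment is TCP with port 53. Only the
    first fragment carries the TCP header; later ones are tied to it solely by
    (src, dst, proto, IP ID), the same fields a misassociation attack matches."""
    groups = defaultdict(list)
    for p in map(parse_ipv4, packets):
        if p["mf"] or p["offset"] > 0:          # part of a fragmented datagram
            groups[(p["src"], p["dst"], p["proto"], p["id"])].append(p)
    findings = []
    for key, frags in groups.items():
        first = next((f for f in frags if f["offset"] == 0), None)
        if first is None or first["proto"] != 6 or len(first["payload"]) < 4:
            continue                            # no TCP header visible
        sport, dport = struct.unpack("!HH", first["payload"][:4])
        if 53 in (sport, dport):
            findings.append({"flow": key, "fragments": len(frags),
                             "df_set": first["df"]})
    return findings

def build_ipv4(src, dst, ident, proto, payload, mf=False, offset=0, df=False):
    """Build a minimal IPv4 packet for the sample below (checksum left zero)."""
    flags_frag = (0x4000 if df else 0) | (0x2000 if mf else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0, bytes(map(int, src.split("."))),
                      bytes(map(int, dst.split("."))))
    return hdr + payload

# Constructed sample (TEST-NET addresses): a DNS-over-TCP response from port 53
# split into two fragments sharing IP ID 0x1234, plus one unfragmented UDP query.
TCP_HDR = struct.pack("!HHIIBBHHH", 53, 40000, 1, 1, 0x50, 0x18, 512, 0, 0)
SAMPLE_PACKETS = [
    build_ipv4("192.0.2.53", "198.51.100.10", 0x1234, 6,
               TCP_HDR + b"\x00\x0c\x00\x02", mf=True, offset=0),
    build_ipv4("192.0.2.53", "198.51.100.10", 0x1234, 6,
               b"\x81\x80" + b"\x00" * 10, offset=24),
    build_ipv4("198.51.100.10", "192.0.2.53", 0x0042, 17,
               struct.pack("!HHHH", 40001, 53, 8, 0))]
```

Any fragmented TCP DNS flow seen at a resolver's ingress is the condition the post warns about; because PMTUD depends on the DF bit being set, `df_set` should be False on every legitimately fragmented datagram, and a True value is itself an anomaly worth alerting on.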
The post on APNIC explains the study itself as well as the ways in which TCP can be forced to fragment.
The researchers Prof. Michael Waidner, Dr. Haya Shulman and Tianxiang Dai (all Fraunhofer SIT) presented their work at the ACM/IRTF Applied Networking Research Workshop 2021 (ANRW’21).
APNIC Blog is a tech blog hosted by APNIC, one of the five Regional Internet Registries in the world.