I’m reading “Introduction to Computer Security”, Pearson New International Edition, 1st edition, by Goodrich and Tamassia.
On the subject of DNS cache poisoning, they mention that a “new” attack was discovered in 2008, so-called “subdomain DNS cache poisoning”. This is how that attack is supposed to play out:
- An attacker makes many requests to a name server for non-existing subdomains, say
- The book mentions that these subdomains don’t exist, and that, therefore, the target authoritative name server just ignores the requests.
- Simultaneously, the attacker issues spoofed responses to the requests made by the name server under attack, each with a guessed transaction ID (which is randomly chosen and unknown to the attacker).
- Because the target authoritative name server ignores requests for non-existing domains, the attacker has opportunity to issue a lot of spoofed responses, making it likely that she will guess the correct transaction ID.
The book was written in 2011, so something might have changed in the meantime. When I `dig` for a non-existing subdomain, e.g. `aaaa.example.com`, I get an `NXDOMAIN` reply:

```
$ dig @a.iana-servers.net. aaaa.example.com. +norecurse

; <<>> DiG 9.16.16 <<>> @a.iana-servers.net. aaaa.example.com. +norecurse
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 20391
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
# ... snip ...
```
I would assume that any non-authoritative name server would put this result in its negative cache (as it should according to RFC 2308, written in March 1998).
Was it previously common practice for name servers to ignore (= not send a reply to) requests for non-existing subdomains? Has that been replaced with the `NXDOMAIN` reply that I see today? Is conducting the attack as described above still possible?
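The question hinges on what a resolver does with the authoritative `NXDOMAIN` shown in the `dig` output: under RFC 2308 it is negatively cached for min(SOA TTL, SOA MINIMUM), so repeated queries for the same non-existent name are answered from cache instead of being re-sent upstream. The following is an added example, not code from the question or its answers, that builds a constructed NXDOMAIN response (hypothetical zone `example.com`, transaction ID taken from the `dig` output above) and computes that negative-cache TTL from the wire format.

```python
import struct
from typing import Optional, Tuple

NXDOMAIN = 3   # RCODE value for "name error"
TYPE_SOA = 6

def encode_name(name: str) -> bytes:
    """Wire-encode a DNS name as length-prefixed labels ending in the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a (possibly compressed) name; return (name, offset just after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels) + ".", (end if jumped else off)

def build_nxdomain_response(txid: int, qname: str, zone: str, soa_ttl: int, soa_minimum: int) -> bytes:
    """Constructed sample: authoritative NXDOMAIN with one SOA in the authority section."""
    flags = 0x8000 | 0x0400 | NXDOMAIN                  # QR=1, AA=1, RCODE=3
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 1, 0)   # QD=1, AN=0, NS=1, AR=0
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    rdata = (encode_name("ns." + zone) + encode_name("hostmaster." + zone)
             + struct.pack("!IIIII", 1, 7200, 900, 1209600, soa_minimum))
    soa = encode_name(zone) + struct.pack("!HHIH", TYPE_SOA, 1, soa_ttl, len(rdata)) + rdata
    return header + question + soa

def negative_cache_ttl(msg: bytes) -> Optional[int]:
    """RFC 2308 section 5: an NXDOMAIN is cached for min(SOA TTL, SOA MINIMUM);
    returns None when the response is not NXDOMAIN or carries no SOA to key on."""
    _txid, flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F != NXDOMAIN:
        return None
    off = 12
    for _ in range(qd):                                 # skip the question section
        _, off = read_name(msg, off)
        off += 4
    for i in range(an + ns):                            # walk answer + authority records
        _, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if i >= an and rtype == TYPE_SOA:               # SOA in the authority section
            minimum = struct.unpack("!I", msg[off + rdlen - 4:off + rdlen])[0]
            return min(ttl, minimum)
        off += rdlen
    return None
```

The TTL returned is how long a compliant resolver keeps answering `aaaa.example.com` from its negative cache without querying the authoritative server again.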