Intercept and Inject: DNS Response Manipulation in the Wild

Conference Paper (2023)
Author(s)

Yevheniya Nosyk (Université Grenoble Alpes)

Qasim Lone (RIPE NCC)

Yury Zhauniarovich (TU Delft - Organisation & Governance)

Carlos H. Gañán (TU Delft - Organisation & Governance, ICANN, Los Angeles)

Emile Aben (RIPE NCC)

Giovane C.M. Moura (SIDN, TU Delft - Cyber Security)

Samaneh Tajalizadehkhoob (ICANN, Los Angeles)

Andrzej Duda (Université Grenoble Alpes)

Maciej Korczyński (Université Grenoble Alpes)

Research Group
Organisation & Governance
DOI related publication
https://doi.org/10.1007/978-3-031-28486-1_19
Publication Year
2023
Language
English
Pages (from-to)
461-478
Publisher
Springer
ISBN (print)
9783031284854
Reuse Rights

Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.

Abstract

DNS is the protocol responsible for translating human-readable domain names into IP addresses. Despite being essential for many Internet services to work properly, it is inherently vulnerable to manipulation. In November 2021, users in Mexico received bogus DNS responses when resolving whatsapp.net. It appeared that a BGP route leak diverted DNS queries to the local instance of the K-root server located in China. Those queries, in turn, encountered middleboxes that injected fake DNS responses. In this paper, we analyze that event from the RIPE Atlas point of view and observe that its impact was more significant than initially thought—the Chinese root server instance was reachable from at least 15 countries several months before being reported. We then launch a nine-month longitudinal measurement campaign using RIPE Atlas probes and locate 11 probes outside China reaching the same instance, although this time over IPv6. More broadly, motivated by the November 2021 event, we study the extent of DNS response injection when contacting root servers. While less than 1% of queries are impacted, they originate from 7% of RIPE Atlas probes in 66 countries. We conclude by discussing several countermeasures that limit the probability of DNS manipulation.
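A root server asked for whatsapp.net must answer with a referral to the .net servers, never with an address; the check below flags responses that break that shape, which is the signature of the injection the abstract describes. This is an added example, not code from the paper or its authors: the wire format follows RFC 1035, the two sample messages are constructed here (a.gtld-servers.net is a real .net name server; 203.0.113.7 is a documentation address), and only the query name whatsapp.net comes from the page.

```python
import struct
A, NS = 1, 2   # RR types

def read_name(msg, off):
    """Decode a possibly-compressed DNS name; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = off + 2                       # resume after the pointer
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if ln == 0: break
        labels.append(msg[off:off + ln].decode("ascii").lower())
        off += ln
    return ".".join(labels), (end if jumped else off)

def parse(msg):
    """Return (flags, qname, answer RRs, authority RRs); each RR is (name, type)."""
    _id, flags, qd, an, ns, _ar = struct.unpack("!6H", msg[:12])
    qname, off = read_name(msg, 12)
    off += 4                                        # skip QTYPE/QCLASS
    rrs = []
    for _ in range(an + ns):
        name, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        rrs.append((name, rtype))
    return flags, qname, rrs[:an], rrs[an:an + ns]

def looks_injected(msg):
    """Genuine root referral: AA clear, empty answer section, NS for the TLD in
    authority. AA set, an A record, or a missing TLD referral is suspect."""
    flags, qname, answers, authority = parse(msg)
    if flags & 0x0400 or any(t == A for _, t in answers):
        return True
    tld = qname.rsplit(".", 1)[-1]
    return not any(t == NS and n == tld for n, t in authority)

def _enc(name):  # wire-encode a name, uncompressed
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
def _msg(flags, qname, answers, authority):  # constructed sample, not a capture
    hdr = struct.pack("!6H", 0x1234, flags, 1, len(answers), len(authority), 0)
    body = b"".join(_enc(n) + struct.pack("!HHIH", t, 1, 300, len(d)) + d
                    for n, t, d in answers + authority)
    return hdr + _enc(qname) + struct.pack("!HH", A, 1) + body
REFERRAL = _msg(0x8000, "whatsapp.net", [], [("net", NS, _enc("a.gtld-servers.net"))])
INJECTED = _msg(0x8400, "whatsapp.net", [("whatsapp.net", A, bytes([203, 0, 113, 7]))], [])
```

The check applies to queries for delegated names (second level and below); a query for the root zone itself legitimately carries AA and is outside its scope.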

Files

978_3_031_28486_1_19.pdf
(pdf | 0.456 Mb)
License info not available