6

The way DNS works, resolvers cache query results per TTL defined in the response. Consider an authoritative DNS server that is compromised, its main A record set to a different IP and TTL of that record set to something very high (like a month).

Is there any mechanism/process which would invalidate the cache of all those resolvers that cached the malicious record before the TTL expiry? Because without one, the website could be down for a month for some users regardless of how quickly the DNS record is reverted by the admins.

Also note that the attacker could access the target website from various locations around the world right after the attack in order to poison the cache of their respective resolvers.

Mansour
  • 181
  • 3

1 Answers1

2

No, AFAIK. If your authoritative DNS server has been compromised, even DNSSEC won't help you. This attack vector can be mitigated by securing your authoritative DNS servers to prevent the compromise in the first place.

Matrix
  • 4,068
  • 16
  • 26
  • It doesn't have to be the authoritative DNS server that's compromised. Take for instance the recent news about a TLD (I can't remember which, maybe one in Africa) which was compromised. Anyway, I can't remember one instance of the attack I mentioned which makes me wonder if there is a countermeasure. – Mansour Oct 02 '13 at 11:08
  • 1
    AFAIK, there is no defence. However, even if malicious TTL is set to several weeks, it's highly unlikely that malicious DNS records will stay cached for that long in public DNS resolvers, like those provided by ISP, which majority of Internet users use. This is because the DNS cache uses system memory, a limited resource to cache the records. Because public DNSs are constantly under heavy load, the lifetime of records in those DNS servers is short. I don't have any concrete numbers, you have to check it yourself, but it will vary greatly from server to server, but it will be less than weeks. – Matrix Oct 02 '13 at 12:05