In response to the spread of cache poisoning attacks, many DNS resolvers have gone from being open to closed resolvers, meaning that they will only perform queries on behalf of hosts within a single organization or Internet Service Provider. As a result, measuring the security of the DNS infrastructure has been made more difficult. Closed resolvers will not respond to researcher queries to determine if they utilize security measures like port randomization or transaction id randomization. However, we can effectively turn a closed resolver into an open one by sending an email to a mail server (MTA) in the organization. This causes the MTA to make a query on the external researchers' behalf, and we can log the security features of the DNS resolver using information gained by a nameserver and email server under our control. The goals of this experiment are
Mail servers cause several DNS queries to be made as anti-spam measures. This experiment measures the DNS queries caused by sending an email
We have found instances where SPF records are checked in such a way that allows us to craft an infinite chain of DNS lookups. Such an attack could be the injection vector for a Kaminsky DNS cache poisoning attack. We will determine how many systems are vulnerable to such an attack
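The unbounded include chain described above is exactly what the lookup limit in RFC 7208 section 4.6.4 (at most 10 DNS-lookup-causing terms per SPF check, otherwise "permerror") exists to stop. The following is an added example, not tooling from the original proposal: a small SPF chain walker that enforces that cap against an in-memory record map. The domain names and TXT records are constructed placeholders, and the map stands in for real DNS.

```python
# Added example (not from the original proposal): an SPF include:/redirect=
# chain walker that enforces the RFC 7208 section 4.6.4 cap of 10 lookup-causing
# terms, so a cyclic or unbounded include chain ends in "permerror" instead of
# an endless series of DNS queries. Records and names below are constructed.

from typing import Dict, List, Tuple

LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4

# Constructed TXT records keyed by domain (hypothetical names):
# one well-formed chain and one two-domain include loop.
RECORDS: Dict[str, str] = {
    "good.example": "v=spf1 include:_spf.mail.example ip4:192.0.2.0/24 -all",
    "_spf.mail.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "loop-a.example": "v=spf1 include:loop-b.example -all",
    "loop-b.example": "v=spf1 include:loop-a.example -all",
}


def _lookup_terms(record: str) -> List[str]:
    """Return the terms of an SPF record that cost a DNS lookup
    (include:, a, mx, ptr, exists:, redirect=); ip4/ip6/all cost none."""
    terms = []
    for tok in record.split()[1:]:  # skip the "v=spf1" version tag
        bare = tok.lstrip("+-~?")  # drop the qualifier, if any
        if bare.startswith(("include:", "exists:", "redirect=")):
            terms.append(bare)
        elif bare in ("a", "mx", "ptr") or bare.startswith(("a:", "mx:", "ptr:")):
            terms.append(bare)
    return terms


def evaluate_spf_lookups(domain: str, records: Dict[str, str],
                         limit: int = LOOKUP_LIMIT) -> Tuple[str, int]:
    """Walk the include:/redirect= chain for `domain`, counting lookup terms.

    Returns ("ok", n) when the walk finishes within `limit` lookups, or
    ("permerror", n) as soon as the (limit+1)th lookup would be needed.
    Records are read from the in-memory map rather than live DNS (assumption).
    """
    lookups = 0
    pending = [domain]
    while pending:
        name = pending.pop()
        record = records.get(name)
        if record is None:
            continue  # no SPF record: nothing further to follow in this toy resolver
        for term in _lookup_terms(record):
            lookups += 1
            if lookups > limit:
                return ("permerror", lookups)
            if term.startswith("include:"):
                pending.append(term[len("include:"):])
            elif term.startswith("redirect="):
                pending.append(term[len("redirect="):])
    return ("ok", lookups)


if __name__ == "__main__":
    for d in ("good.example", "loop-a.example"):
        print(d, evaluate_spf_lookups(d, RECORDS))
```

The loop between loop-a.example and loop-b.example is cut off after the eleventh lookup with a "permerror", whereas an evaluator that simply follows include: terms until they stop would query forever; that difference is what separates a bounded SPF check from the injection vector described above.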
We send emails to MTAs, encoding information about the MTA in our sending address. We then measure what queries were made to our nameserver, and from what IP addresses. This enables us to determine which DNS resolver makes queries for which MTA, and by looking at repeated queries, we determine whether the resolver has security features like transaction id randomization and port randomization.
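As an added example (not the proposal's own analysis tooling), the script below shows the second half of that method: it parses nameserver query-log lines, maps each query back to the probed MTA through the token encoded in the queried name, groups queries by resolver source address, and reports whether the source port varies across repeated queries and whether the transaction IDs look sequential. The log line format, the IP addresses, the tokens and the probe domain are all constructed placeholders.

```python
# Added example (not from the original proposal): analyse constructed
# nameserver query-log lines to recover which resolver answers for which probed
# MTA and whether that resolver varies its source port and transaction ID.
# Log format, addresses, tokens and the probe zone are constructed placeholders.

import re
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Query(NamedTuple):
    src_ip: str
    src_port: int
    txid: int
    token: str  # identifier encoded in the sender address, echoed in the qname


# Constructed log lines: "<timestamp> <src_ip>#<src_port> id=<txid> <qname>".
# 203.0.113.10 varies port and TXID; 198.51.100.7 uses a fixed port and counts up.
SAMPLE_LOG = """\
2024-01-01T00:00:01Z 203.0.113.10#41234 id=18340 mta-a1b2.probe.example
2024-01-01T00:00:02Z 203.0.113.10#52077 id=61002 mta-a1b2.probe.example
2024-01-01T00:00:03Z 203.0.113.10#33981 id=4477 mta-a1b2.probe.example
2024-01-01T00:00:05Z 198.51.100.7#53 id=1 mta-c3d4.probe.example
2024-01-01T00:00:06Z 198.51.100.7#53 id=2 mta-c3d4.probe.example
2024-01-01T00:00:07Z 198.51.100.7#53 id=3 mta-c3d4.probe.example
"""

LINE_RE = re.compile(
    r"^\S+ (?P<ip>[\d.]+)#(?P<port>\d+) id=(?P<txid>\d+) "
    r"(?P<token>[^.\s]+)\.probe\.example$"
)


def parse_log(text: str) -> List[Query]:
    """Parse the constructed log format; lines that do not match are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append(Query(m["ip"], int(m["port"]), int(m["txid"]), m["token"]))
    return out


def resolvers_by_token(queries: List[Query]) -> Dict[str, List[str]]:
    """Map each probed MTA token to the resolver addresses that queried for it."""
    seen: Dict[str, set] = defaultdict(set)
    for q in queries:
        seen[q.token].add(q.src_ip)
    return {tok: sorted(ips) for tok, ips in seen.items()}


def assess_resolvers(queries: List[Query], min_queries: int = 3) -> Dict[str, dict]:
    """Per resolver address, summarise port and TXID behaviour across repeats.

    A resolver with fewer than `min_queries` samples is omitted: one or two
    queries cannot show whether a value is fixed. "txid_sequential" is a
    heuristic flag (every consecutive difference is exactly 1) for the
    incrementing-ID behaviour that randomization is meant to replace.
    """
    by_ip: Dict[str, List[Query]] = defaultdict(list)
    for q in queries:
        by_ip[q.src_ip].append(q)
    report = {}
    for ip, qs in by_ip.items():
        if len(qs) < min_queries:
            continue
        ports = [q.src_port for q in qs]
        txids = [q.txid for q in qs]
        diffs = [b - a for a, b in zip(txids, txids[1:])]
        report[ip] = {
            "queries": len(qs),
            "distinct_ports": len(set(ports)),
            "port_randomized": len(set(ports)) > 1,
            "txid_sequential": all(d == 1 for d in diffs),
            "tokens": sorted({q.token for q in qs}),
        }
    return report


if __name__ == "__main__":
    qs = parse_log(SAMPLE_LOG)
    print(resolvers_by_token(qs))
    for ip, row in assess_resolvers(qs).items():
        print(ip, row)
```

With only a handful of repeats per resolver the distinct-port count is a coarse signal; in practice one would collect many more queries per resolver and compare the observed port and TXID spread against what a uniformly random source would produce before classifying a resolver as unrandomized.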
There are five phases to this experiment:
Each of these steps must be done quickly to ensure that the public IP addresses of the MTAs and DNS resolvers do not change.
We use publicly accessible information to guess the username and domain of an IP address that we collected by port scanning. Using the IP, we do