Timo Longin is a security consultant at SEC Consult by day and a security researcher by night. Aside from everyday security assessments, he publishes blog posts and security tools, holds talks at conferences and universities, and, most importantly, has a passion for CTFs. His main focus is on web applications; however, infrastructure and hardware are not safe from him either. As a well-rounded offensive security researcher, he tries to find forgotten and new attack vectors that make the unthinkable possible!
What does the DNS have in common with an iceberg? Both are hiding invisible dangers! Beneath an iceberg there is... hiding even more ice, however, beneath the DNS there are hiding unexpected vulnerabilities!
If you want to resolve a name via DNS, there are multiple open DNS resolvers all across the Internet. A very commonly used open DNS resolver is Google Public DNS at the IP address 8.8.8.8. However, not every system uses such an open resolver. Hosting providers, ISPs and the like often run resolvers that are not directly reachable from the Internet, because they only answer recursive queries from their own networks. These are the so-called "closed" resolvers.
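To make the open/closed distinction concrete, here is an added example (not code from the talk or from SEC Consult) that sends a minimal recursive DNS query to a resolver and classifies the reply: an open resolver answers with the RA (recursion available) flag set, while a closed one typically drops the packet, returns REFUSED, or clears RA. The query name, the transaction ID and the sample reply bytes are constructed for the example; only the wire format follows RFC 1035.

```python
import random
import socket
import struct
from typing import Optional

# DNS header flag bits (RFC 1035, section 4.1.1)
FLAG_QR = 0x8000  # 1 = response
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
RCODE_REFUSED = 5


def build_query(name: str, txid: int, qtype: int = 1) -> bytes:
    """Build a minimal DNS query with RD set (qtype 1 = A, class 1 = IN)."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    qname += b"\x00"  # root label terminates the name
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_response(data: bytes, expected_txid: int) -> dict:
    """Decode the header fields we need to judge the resolver's behaviour."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    txid, flags, qdcount, ancount, _nscount, _arcount = struct.unpack("!HHHHHH", data[:12])
    return {
        "txid_ok": txid == expected_txid,
        "is_response": bool(flags & FLAG_QR),
        "recursion_available": bool(flags & FLAG_RA),
        "rcode": flags & 0x000F,
        "answers": ancount,
    }


def classify(parsed: Optional[dict]) -> str:
    """Map a parsed reply (or None on timeout) to an open/closed verdict."""
    if parsed is None:
        return "closed (no response)"          # silent drop is the most common closed behaviour
    if not parsed["is_response"] or not parsed["txid_ok"]:
        return "unexpected reply"               # not a response to our query
    if parsed["rcode"] == RCODE_REFUSED:
        return "closed (REFUSED)"
    if not parsed["recursion_available"]:
        return "closed (recursion not available)"
    return "open"                               # RA set: it recursed for an arbitrary client


def probe(resolver_ip: str, name: str = "example.com", timeout: float = 3.0) -> str:
    """Send one query over UDP/53 and classify the resolver. Requires network access."""
    txid = random.randint(0, 0xFFFF)
    query = build_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver_ip, 53))
        try:
            data, _addr = sock.recvfrom(4096)
        except socket.timeout:
            return classify(None)
    return classify(parse_response(data, txid))


if __name__ == "__main__":
    # Google Public DNS is open; an ISP's internal resolver queried from outside is usually closed.
    for ip in ("8.8.8.8",):
        print(ip, probe(ip))
```

Note that a resolver which drops the query from the Internet but happily recurses for its own customers is exactly what the rest of the talk is about: the probe above can only tell you that it is closed, not what it does once a query does reach it.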
In my previous research "Forgot password? Taking over user accounts Kaminsky style" I unearthed critical vulnerabilities in the DNS resolvers used by web applications, but I hadn't given a second thought to the fact that these web applications were most likely using closed resolvers. So, this time I took a look at the root of the problem!
In this talk, we'll take a look at how we can indirectly reach these closed resolvers from the Internet. Furthermore, I'll introduce open-source tools and methods to discover vulnerabilities in them. Lastly, a proof-of-concept exploit will show how we can attack these closed resolvers and potentially compromise thousands of systems.