New Side-Channel Attacks Re-Enable Serious DNS Cache Poisoning Attacks (19th November 2021)

Ref# AL2021_47 | Date: Nov 26th 2021

Researchers by the name of Keyu Man, Xinan Zhou and Zhiyun Qian from the California University have discovered another variant of the Side channel AttackeD DNS (SAD DNS) cache poisoning attack that renders approximately 38% of the domain name resolvers vulnerable, allowing threat actors to reroute traffic intended for reputable websites to a server under their control.


The attack enables an off-path hacker to inject a malicious DNS record into a DNS cache, said researchers from the University of California. A SAD DNS attack allows a hacker to reroute any traffic destined for a specific domain to their server and then becomes a man-in-the-middle (MITM) intruder, allowing eavesdropping and communication tampering.

The most recent vulnerability affects Linux kernels as well as popular DNS software such as BIND, Unbound, and dnsmasq when running on top of Linux, but not when running on other operating systems such as FreeBSD or Windows.

How it works

DNS cache poisoning, also known as DNS spoofing, is a method in which corrupt data is launched into a DNS resolver”s cache, allowing DNS queries for a trusted domain (e.g., to return an incorrect response (i.e., IP address), directing users to malicious websites. The attack was first discovered in 2008 by researcher Dan Kaminsky. It was based on the fact that recursive resolvers typically used a single open port (53) to send and receive messages to authoritative nameservers.

Not only is it now trivial to guess the source port, but a malicious actor can forge a response by flooding the resolver with DNS responses for some or all of the sixty five thousand (6500) or possible transaction IDs that are attached to DNS lookup requests sent to the nameservers.

To accomplish this, an attacker only needed to guess the 16-bit identifier which means there can only be 65,536 transaction ID values which is used to verify the authenticity of the nameserver and prove that the IP address returned is legitimate.

Thus, if the malicious response with the correct transaction ID arrives before the response from the authoritative server, the DNS cache will be poisoned, returning the attacker”s chosen address rather than the legitimate IP address.

The recursive resolver caches information received from authoritative nameservers, signifies that if the resolver receives the request for an IP address of a domain name that was recently requested by another client, it simply returns the requested record from its cache to the client without having to communicate with the nameservers.

Since then, the attacks have been deemed unfeasible by increasing the entropy by using the transaction ID in conjunction with a randomized UDP port as a secondary identifier instead of the default port 53 for lookup queries.

However, newly discovered leaky side channels have allowed the ephemeral port number to be derandomized, effectively undoing the protections.


While there is no patch to address this vulnerability, it is recommended that network administrators establish a defence in depth mechanism to counter this vulnerability by implementing the following:

  • DNS servers should be configured to rely as little as possible on trust relationships with other DNS servers. Configuring it this way will make it much difficult for an attacker to use their DNS server to corrupt a targeted server.

  • Configure DNS server to only run services that are required. Having additional services that are not required to run on a DNS server increases the attack vector.

  • Security staff should also make sure that the most current version of DNS is being used.

  • End users education is also important in preventing these attacks. End-users should receive training on identifying suspicious sites. They should also be consistently educated on identifying phishing emails or phishing via social media accounts.

  • Implement the usage of DNS tools such as Domain Name System Security Extension (DNSSEC) which provides secure DNS data authentication.

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
PDF Download: New Side-Channel Attacks Re-Enable Serious DNS Cache Poisoning Attacks.pdf


New side-channel attacks re-enable serious DNS cache poisoning attacks (18th November 2021). Retrieve from thehackernews.

New side-channel attacks re-enable serious DNS cache poisoning attacks (19th November 2021). Retrieve from Jioforme. poisoning-attacks/933911/

New side-channel attacks re-enable serious DNS cache poisoning attacks (19th November 2021). Retrieve from Cyber Intel enable-severe-dns-cache-poisoning-attacks/