KeyTrap Highlights Need for Enduring DNS Defenses for Service Providers
Introduction
In February 2024, the newly disclosed “KeyTrap” vulnerability received a lot of attention because of its potential impact on worldwide DNS resolution infrastructure. Thanks to the responsible security researchers at the German National Research Center for Applied Cybersecurity ATHENE, part of the Fraunhofer Institute, and a responsive DNS community, patches were developed and awareness was spread of the urgent need to deploy those patches on all DNS resolvers doing DNS Security Extensions (DNSSEC) validation.
Akamai teams patched affected services we operate and provided our ISP and mobile network operator (MNO) customers with proactive guidance to protect validating DNS infrastructure (DNSi) CacheServe resolvers they operate, which serve approximately one billion subscribers.
KeyTrap is a useful reminder of the long history of threats to DNS infrastructure. In this blog post, we’ll discuss two major ways DNS resolvers are exposed — and their potential impact on provider networks. We’ll also offer perspectives on resolver software architecture and design practices that can enable enduring resilience, which can yield benefits in the form of network stability and operational simplicity.
DNS resolvers are exposed
The DNS has been an attractive target for attacks since its invention more than 30 years ago. Attackers maximize return on investment by targeting a critical control system. Since most of the DNS is (by design and necessity) exposed to the internet and billions of internet users, even unsophisticated exploits can have significant impact. Attackers will continue to look for holes and will exploit those holes if they find them before responsible parties.
There are two primary areas of exposure:
- denial of service
- cache poisoning
Denial of service attacks
The KeyTrap vulnerability is a recent example of a DNS denial-of-service (DoS) attack, in this case one that takes advantage of flaws in the DNSSEC specifications. Researchers uncovered a number of ways to create malicious resource records that force resolvers to perform excessive computation when validating DNSSEC-signed responses from authoritative servers.
Attackers can register and activate domain names with specially crafted resource records, deploy bots to query them, and cause massive havoc. The resolution of a single query using these techniques can lead to hundreds of thousands of processor-intensive cryptographic validations. Depending on the design of the resolver, it can become inoperable and no longer able to service any valid DNS queries.
For ISPs and MNOs, DNS resolver slowdowns or outages damage subscriber experience and satisfaction because they appear to users as network slowdowns or outages.
Other examples of DoS attacks using the DNS include pseudo-random subdomain (PRSD) attacks; DNS reflection, amplification, and DNS water torture; and Non eXistent Name Server Attack (NXNSAttack).
Cache poisoning attacks
Cache poisoning attacks allow attackers to insert fake entries into resolver caches so they can direct internet users to resources they control. The famous flaw in the DNS protocol that allowed attackers to easily perform cache poisoning attacks, disclosed by Dan Kaminsky in 2008, was simple to exploit and effective against most resolver implementations. Numerous others that were disclosed over the years, like the MaginotDNS attack in 2023, could also be deployed without sophisticated code or infrastructure.
This is a serious problem for service providers because it may compromise subscriber security if they unknowingly navigate to malicious destinations that are carefully disguised to mimic legitimate ones. Deploying and enforcing DNSSEC validation is an effective countermeasure to these types of attacks.
Enduring DNS defenses
It’s worth understanding the different ways that resolvers can be optimized to eliminate or minimize exposure. For instance, when the researchers who discovered KeyTrap tested an unpatched Akamai CacheServe resolver, they found that it continued to answer queries from cache even under the extreme loads created by their exploit. CacheServe resolvers were more resilient than other resolvers they tested.
CacheServe benefits from architectural principles formulated more than 20 years ago, which were based on a deep understanding of the DNS protocol, the essential role resolvers play in provider networks, and the many ways they’re exposed to malicious activity.
Enduring DoS defenses
Answering DNS queries from users can be a multistep process. CacheServe carefully separates each of these steps, and each step has a processing limit. This means user queries can be answered from a dedicated cache even if other parts of the system are heavily loaded by massive bursts of legitimate traffic or an exploit.
Carefully designed algorithms ensure that the different functions used to resolve queries can operate without blocking one another (often called “lock free”). This maximizes performance and scaling on multicore hardware. Protocol and deployment insights streamline the code path used to respond to user queries. Other features, like optimized resolution of duplicate queries for the same domain, minimize overhead in the server.
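The separation of stages described above can be sketched in a few lines. The following is an added example written for this post, not CacheServe code: a resolver model in which the cache-serving path never waits on the resolution stage, the resolution stage has a fixed admission limit (the `max_inflight` value is an assumption), and duplicate queries for a name already being fetched are coalesced onto the one in-flight fetch instead of consuming another slot.

```python
class StagedResolver:
    """Cache-serving stage kept separate from a bounded resolution stage.

    Added example (not CacheServe code). Names and limits are constructed.
    """

    def __init__(self, max_inflight=4):
        self.cache = {}            # name -> rdata; served without touching resolution
        self.inflight = {}         # name -> number of clients waiting on one upstream fetch
        self.max_inflight = max_inflight
        self.refused = 0           # queries turned away because the resolution stage was full

    def query(self, name):
        """Return (status, rdata). Cached names are answered unconditionally."""
        if name in self.cache:
            return ("answer", self.cache[name])
        if name in self.inflight:
            # Duplicate query: join the existing fetch rather than start another.
            self.inflight[name] += 1
            return ("pending", None)
        if len(self.inflight) >= self.max_inflight:
            # Resolution stage is saturated: fail fast instead of blocking the
            # cache path behind it.
            self.refused += 1
            return ("refused", None)
        self.inflight[name] = 1
        return ("pending", None)

    def complete(self, name, rdata):
        """Upstream answer arrived: fill the cache, free the slot, report waiters."""
        waiters = self.inflight.pop(name)
        self.cache[name] = rdata
        return waiters


def simulate_burst():
    """Constructed scenario: a burst of slow-to-resolve names arrives while a
    popular name is already cached; the cached name keeps being answered."""
    r = StagedResolver(max_inflight=2)
    r.cache["popular.example"] = "192.0.2.10"
    results = {
        "slow1": r.query("slow1.example")[0],
        "slow2": r.query("slow2.example")[0],
        "slow3": r.query("slow3.example")[0],     # stage full -> refused
        "slow1_dup": r.query("slow1.example")[0], # coalesced onto the first fetch
        "cached": r.query("popular.example")[0],  # still answered from cache
    }
    results["slow1_waiters"] = r.complete("slow1.example", "198.51.100.1")
    results["slow3_retry"] = r.query("slow3.example")[0]  # slot freed -> accepted
    results["refused_total"] = r.refused
    return results


if __name__ == "__main__":
    for k, v in simulate_burst().items():
        print(f"{k}: {v}")
```

The refusal is the important design choice: a client retrying a refused query costs the resolver almost nothing, whereas letting the cache path block on a saturated resolution stage turns one overloaded component into a whole-resolver outage.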
DNS resolvers get answers to user queries from authoritative servers overseen by domain owners. Smart CacheServe features navigate away from authoritative servers that are overloaded or hard to reach, and can rate limit the use of resources when malicious domains are encountered. In addition, CacheServe makes use of a high-performance DNS policy engine for precise blocking of known malicious traffic.
Architectural principles and good design decisions deliver long-term benefits. CacheServe was resistant to the NXNS attack, and has built-in protections against DNS amplification and PRSD attacks. It’s also important to note that the new code that makes CacheServe even more resilient against the KeyTrap vulnerability did not require any architectural changes.
Checks were added to manage cryptographic processing work for validating DNSSEC signatures so answers for legitimate domains can be obtained, but processing for maliciously signed DNSSEC domains (that won’t return answers anyway) is restricted to avoid overwhelming the resolver. Simpler code changes reduce the risk of unintended consequences that can cause network and/or operational stress.
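To make the work-limiting idea from the KeyTrap discussion and the paragraph above concrete, here is an added example, not CacheServe or ATHENE code. It models DNSSEC validation at the level that matters for cost: a resolver selects candidate DNSKEY records by key tag and tries each one against each RRSIG until one verifies, so a response with many candidate keys and many non-verifying signatures forces keys × signatures expensive operations. A per-response budget (the value 16 is an assumption) lets a legitimately signed response validate on the first try while capping what a hostile response can consume. The record types are simplified stand-ins, not DNSSEC wire format, and the "signature check" is a string comparison standing in for the public-key operation.

```python
"""Toy model of DNSSEC signature validation with a per-response work budget.

Added example (not CacheServe code). Records are simplified stand-ins;
verify_signature() only counts the cost of the real public-key operation.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsKey:
    key_tag: int      # tag a resolver uses to pick candidate keys for an RRSIG
    key_id: str       # constructed stand-in for the actual public key material


@dataclass(frozen=True)
class RrSig:
    key_tag: int      # key tag named in the signature record
    signer_id: str    # constructed: the key_id that would genuinely verify it


@dataclass
class ValidationResult:
    status: str       # "secure", "bogus" or "budget-exceeded"
    crypto_ops: int   # number of expensive signature checks performed


def verify_signature(key: DnsKey, sig: RrSig) -> bool:
    """Stand-in for the public-key verification; only its cost is modelled."""
    return key.key_id == sig.signer_id


def validate_rrset(keys, sigs, budget=None) -> ValidationResult:
    """Accept the RRset as soon as one signature verifies with one candidate key.

    Without a budget the worst case is len(keys) * len(sigs) verifications;
    with a budget the resolver stops and treats the response as unusable.
    """
    ops = 0
    for sig in sigs:
        candidates = [k for k in keys if k.key_tag == sig.key_tag]
        for key in candidates:
            if budget is not None and ops >= budget:
                return ValidationResult("budget-exceeded", ops)
            ops += 1
            if verify_signature(key, sig):
                return ValidationResult("secure", ops)
    return ValidationResult("bogus", ops)


def legitimate_response():
    """Constructed: one key, one signature that verifies with it."""
    key = DnsKey(key_tag=12345, key_id="zsk-1")
    return [key], [RrSig(key_tag=12345, signer_id="zsk-1")]


def hostile_response(n):
    """Constructed worst case: n candidate keys sharing one tag and n signatures
    naming that tag, none of which verifies, so an unbounded validator does
    n * n expensive checks before concluding 'bogus'."""
    keys = [DnsKey(key_tag=1, key_id=f"k{i}") for i in range(n)]
    sigs = [RrSig(key_tag=1, signer_id="never-matches") for _ in range(n)]
    return keys, sigs


if __name__ == "__main__":
    print(validate_rrset(*legitimate_response(), budget=16))
    print(validate_rrset(*hostile_response(100)))             # 10000 checks
    print(validate_rrset(*hostile_response(100), budget=16))  # stops at 16
```

The budget does not change the outcome for the hostile case (no answer would have been produced anyway); it only bounds the cost of reaching that outcome, which is exactly the property the resolver needs to keep serving everyone else.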
Enduring cache poisoning defenses
Resolvers can be optimized in other ways to deter cache poisoning attacks. The original CacheServe design included cache poisoning protections based on thoughtful analysis of potential attack vectors. Defense layers based on statistical methods and protocol tricks work together to introduce a long succession of barriers an attacker must subvert to introduce fake entries into a cache.
Additional defenses protect against other attack vectors. Separate cache structures are maintained for DNS records served to clients and delegation information about nameservers to prevent certain kinds of attacks that rely on use of glue records to insert malicious cache entries.
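The split between client-facing answers and delegation data can be shown with a small model. This is an added example, not CacheServe's cache implementation: it keeps two dictionaries, stores additional-section glue only in the delegation cache and only for nameservers actually named in the referral and within the responding zone's bailiwick, and never serves anything from the delegation cache to a client. The zone names and addresses in `REFERRAL` are constructed for illustration.

```python
"""Two-cache model: answers served to clients vs. delegation/glue data.

Added example (not CacheServe code). Response dicts and names are constructed.
"""


def in_bailiwick(name, zone):
    """True if `name` is `zone` or lies beneath it (case- and dot-insensitive)."""
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


class SplitCache:
    def __init__(self):
        self.answers = {}       # (name, rtype) -> rdata; the only source of client replies
        self.delegations = {}   # zone -> {ns_name: [glue addresses]}; only used to pick a next hop

    def ingest(self, response, source_zone):
        """Store records from a response sent by servers for `source_zone`.

        Returns (accepted, rejected) lists of (name, rtype) for inspection.
        """
        accepted, rejected = [], []

        # Answer section: cacheable for clients only if inside the responder's zone.
        for name, rtype, rdata in response.get("answer", []):
            if in_bailiwick(name, source_zone):
                self.answers[(name.lower(), rtype)] = rdata
                accepted.append((name, rtype))
            else:
                rejected.append((name, rtype))

        # Authority section: which child zones are delegated, and to which servers.
        delegated = {}
        for zone, rtype, ns_name in response.get("authority", []):
            if rtype == "NS" and in_bailiwick(zone, source_zone):
                delegated.setdefault(zone.lower(), []).append(ns_name.lower())
        ns_names = {n for names in delegated.values() for n in names}

        # Additional section: glue goes to the delegation cache, and only when it
        # names a delegated server and sits inside the responder's bailiwick.
        for name, rtype, rdata in response.get("additional", []):
            lname = name.lower()
            if rtype in ("A", "AAAA") and lname in ns_names and in_bailiwick(name, source_zone):
                for zone, names in delegated.items():
                    if lname in names:
                        self.delegations.setdefault(zone, {}).setdefault(lname, []).append(rdata)
                accepted.append((name, rtype))
            else:
                rejected.append((name, rtype))
        return accepted, rejected

    def lookup(self, name, rtype):
        """Client-facing lookup: reads the answer cache only, never glue."""
        return self.answers.get((name.lower(), rtype))

    def next_hop(self, zone):
        """Resolution-side lookup: nameservers and glue for a delegated zone."""
        return self.delegations.get(zone.lower(), {})


# Constructed referral from servers for the zone "example" delegating "corp.example".
REFERRAL = {
    "answer": [],
    "authority": [
        ("corp.example", "NS", "ns1.corp.example"),
        ("corp.example", "NS", "ns.offsite.test"),
    ],
    "additional": [
        ("ns1.corp.example", "A", "192.0.2.53"),    # in-bailiwick glue for a listed NS
        ("ns.offsite.test", "A", "198.51.100.7"),   # out of bailiwick: resolve it separately
        ("www.corp.example", "A", "203.0.113.9"),   # not a listed NS: unsolicited data
    ],
}

if __name__ == "__main__":
    c = SplitCache()
    print(c.ingest(REFERRAL, "example"))
    print(c.next_hop("corp.example"))
    print(c.lookup("www.corp.example", "A"))   # None: nothing from glue reaches clients
```

Because client lookups read only `answers`, even glue that is accepted for resolution purposes cannot be handed to a subscriber as an answer; the address a client ultimately receives for `www.corp.example` must come from an in-bailiwick answer section, which is the property that defeats additional-section poisoning.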
The value of these defenses is borne out by Dan Kaminsky’s acknowledgment that CacheServe showed resistance to his attack. It was also completely unaffected by the MaginotDNS attack and by other cache poisoning exploits that have been discovered since the DNS was invented.
Akamai CacheServe delivers enduring defenses
For any organization, DNS resolver problems are serious — with collateral damage up and down technology stacks. For ISPs and MNOs, DNS resolver problems can be catastrophic — causing network outages or serious security exposure for subscribers.
Akamai DNSi CacheServe resolvers were designed and built exclusively for ISPs and MNOs, and are supported by a dedicated team immersed in their requirements. They’re installed at more than 130 fixed and mobile service providers that deliver internet access for approximately one billion subscribers in more than 60 countries on every continent.
Helping providers avoid slowdowns and outages
With CacheServe, Akamai has a proven track record. Enduring DNS defenses that have resisted attacks for more than 20 years have helped providers across the internet avoid outages and security exposure without patches. Smart design and robust implementation mean CacheServe minimizes network disruption and potential service-related problems, and helps reduce staff and management costs. It’s also the foundation for Secure Internet Access services for ISPs and MNOs.
Learn more
Akamai field teams are prepared to demonstrate how DNSi solutions deliver value for ISPs and MNOs everywhere. To learn more, visit the DNS Infrastructure product page.