The NXNSAttack attack affects all DNS resolvers

A group of researchers from Tel Aviv University and the Interdisciplinary Center in Herzliya (Israel) has developed a new attack method, NXNSAttack (PDF), which allows any DNS resolver to be used as a traffic amplifier. It provides an amplification factor of up to 1621 times in terms of packet count (for each request sent to the resolver, 1621 requests can be sent to the victim's server) and up to 163 times in terms of traffic.

The problem is related to the specifics of the protocol and affects all DNS servers that support recursive query processing, including BIND (CVE-2020-8616), Knot (CVE-2020-12667), PowerDNS (CVE-2020-10995), Windows DNS Server and Unbound (CVE-2020-12662), as well as the public DNS services of Google, Cloudflare, Amazon, Quad9, ICANN and other companies. The fix was coordinated with the DNS server developers, who simultaneously released updates to fix the vulnerability in their products. Protection against the attack is implemented in the releases Unbound 1.10.1, Knot Resolver 5.1.1, PowerDNS Recursor 4.3.1, 4.2.2, 4.1.16, and BIND 9.11.19, 9.14.12, 9.16.3.

The attack is based on the attacker using requests that refer to a large number of previously unseen fictitious NS records, to which name resolution is delegated, but without glue records in the response giving the IP addresses of the NS servers. For example, the attacker sends a query to resolve the name sd1.attacker.com while controlling the DNS server responsible for the attacker.com domain. In response to the resolver's request to the attacker's DNS server, a response is returned that delegates resolution of sd1.attacker.com to the victim's DNS server by listing NS records in the response without specifying the IP addresses of the NS servers. Since the NS server mentioned has not been encountered before and its IP address is not specified, the resolver tries to determine the IP address of the NS server by sending a query to the victim's DNS server that serves the target domain (victim.com).


The problem is that the attacker can respond with a huge list of non-repeating NS servers with fictitious, non-existent subdomain names of the victim (fake-1.victim.com, fake-2.victim.com, ... fake-1000.victim.com). The resolver will try to send a request to the victim's DNS server, but will receive a response that the domain was not found, after which it will try to determine the next NS server in the list, and so on until it has tried all the NS records listed by the attacker. Thus, for a single attacker request, the resolver will send a huge number of requests to determine the NS hosts. Since the NS server names are generated randomly and refer to non-existent subdomains, they are not retrieved from the cache, and each request from the attacker results in a flurry of requests to the DNS server that serves the victim's domain.


The researchers studied how vulnerable public DNS resolvers are to the problem and determined that when sending queries to the CloudFlare resolver (1.1.1.1), the number of packets can be increased (PAF, Packet Amplification Factor) by 48 times, Google (8.8.8.8) - 30 times, FreeDNS (37.235.1.174) - 50 times, OpenDNS (208.67.222.222) - 32 times. More noticeable figures are observed for Level3 (209.244.0.3) - 273 times, Quad9 (9.9.9.9) - 415 times, SafeDNS (195.46.39.39) - 274 times, Verisign (64.6.64.6) - 202 times, Ultra (156.154.71.1) - 405 times, Comodo Secure (8.26.56.26) - 435 times, DNS.Watch (84.200.69.80) - 486 times, and Norton ConnectSafe (199.85.126.10) - 569 times. For servers based on BIND 9.12.3, because requests are parallelized, the amplification level can reach 1000. In Knot Resolver 5.1.0, the amplification level is roughly tens of times (24-48), since NS names are resolved sequentially and resolution is bounded by an internal limit on the number of name resolution steps allowed for one request.

There are two main defense strategies. For systems with DNSSEC, it is suggested to use RFC-8198 to prevent bypassing of the DNS cache, since the requests are sent with random names. The essence of the method is to generate negative responses without contacting the authoritative DNS servers, using range checking via DNSSEC. A simpler approach is to limit the number of names that can be resolved while processing a single delegated request, but this method may cause problems with some existing configurations because the limits are not defined in the protocol.
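The query fan-out described above and the effect of the simpler defense (a cap on NS names resolved per delegation) can be seen in a small offline model. This is an added example, not code from the researchers or from any resolver; the class names, the `max_ns_fetch` parameter and the cap of 5 are assumptions chosen for illustration, and the model sends one lookup per NS name with no network I/O.

```python
class Authoritative:
    """Stand-in for the victim.com authoritative server; counts queries received."""
    def __init__(self, records):
        self.records = records
        self.queries = 0

    def lookup(self, name):
        self.queries += 1
        return self.records.get(name)          # None models "domain not found"


class Resolver:
    """Toy recursive resolver handling one referral at a time."""
    def __init__(self, authoritative, max_ns_fetch=None):
        self.auth = authoritative
        self.max_ns_fetch = max_ns_fetch       # None = unlimited (pre-fix behaviour)
        self.cache = {}                        # name -> address, None = cached negative

    def resolve_ns_address(self, name):
        if name not in self.cache:             # only cache misses reach the authoritative
            self.cache[name] = self.auth.lookup(name)
        return self.cache[name]

    def follow_referral(self, ns_names, glue):
        """Return the first usable NS address from a referral, or None."""
        fetched = 0
        for ns in ns_names:
            if ns in glue:                     # glue present: no extra lookup needed
                return glue[ns]
            if self.max_ns_fetch is not None and fetched >= self.max_ns_fetch:
                break                          # mitigation: stop chasing glueless names
            fetched += 1
            addr = self.resolve_ns_address(ns)
            if addr:
                return addr
        return None


def amplification(n_names, n_client_queries, max_ns_fetch=None, fresh_names=True):
    """Queries reaching the authoritative server per client query (constructed input)."""
    auth = Authoritative({})                   # every fake-* name is non-existent
    resolver = Resolver(auth, max_ns_fetch)
    for q in range(n_client_queries):
        tag = f"{q}-" if fresh_names else ""   # fresh names defeat the negative cache
        referral = [f"fake-{tag}{i}.victim.com" for i in range(n_names)]
        resolver.follow_referral(referral, glue={})
    return auth.queries / n_client_queries
```

With repeated names the negative cache absorbs everything after the first referral; with fresh names per query only the cap bounds the load on the authoritative server.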

source: budenet.ru
