New SAD DNS variant disclosed for substituting fake data in the DNS cache

A few days ago, a group of researchers from the University of California, Riverside published a new variant of the SAD DNS attack that works despite the protection added last year to block the CVE-2020-25705 vulnerability.

The new method is broadly similar to last year's vulnerability and differs only in using a different type of ICMP packet to check which UDP ports are active. The proposed attack makes it possible to substitute fake data in a DNS server's cache, which can be used to spoof the IP address of an arbitrary domain in the cache and redirect requests for that domain to the attacker's server.

The proposed method works only against the Linux network stack, because it depends on the particulars of ICMP packet processing in Linux. That processing acts as a source of data leakage that simplifies determining the UDP port number the server uses to send an external request.

According to the researchers who identified the problem, the vulnerability affects about 38% of the open resolvers on the network, including popular DNS services such as OpenDNS and Quad9 (9.9.9.9). As for server software, the attack applies to packages such as BIND, Unbound and dnsmasq running on a Linux server. DNS servers running on Windows and BSD systems do not show the problem. IP spoofing must be used to complete the attack successfully, so the attacker's ISP must not block packets with a spoofed source IP address.

As a reminder, the SAD DNS attack bypasses the protection added to DNS servers to block the classic DNS cache poisoning method proposed in 2008 by Dan Kaminsky.

Kaminsky's method exploits the small size of the DNS query ID field, which is only 16 bits. To find the correct DNS transaction identifier needed to spoof a host name, it is enough to send about 7,000 requests and simulate about 140,000 bogus responses. The attack boils down to sending the DNS resolver a large number of packets with a spoofed IP address and different DNS transaction identifiers.

To protect against this type of attack, DNS server vendors implemented random assignment of the source network port numbers from which resolver requests are sent, which compensated for the insufficient size of the identifier. Once this protection was in place, sending a fake response required selecting one of 64 thousand ports in addition to guessing the 16-bit identifier, which increased the number of options to choose from to 2^32.

The SAD DNS method simplifies determining the network port number and reduces the attack to the classic Kaminsky method. An attacker can tell unused UDP ports from active ones by taking advantage of information about network port activity that leaks when ICMP response packets are processed.

The information leak that makes it possible to quickly identify active UDP ports is due to a flaw in the code that handles ICMP packets carrying fragmentation requests (the ICMP "fragmentation needed" flag) or redirect requests (the ICMP "redirect" flag). Sending such packets changes the state of the cache in the network stack, which makes it possible to determine, based on the server's response, which UDP ports are active and which are not.
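A detection sketch for the probing described above, added here as an example and not taken from the original article or from the researchers. It assumes that probing appears on the resolver host as many ICMP "fragmentation needed" (type 3, code 4) or redirect (type 5) messages whose quoted inner UDP header names different resolver source ports; the function names, the one-second window, the 50-port threshold and the sample addresses are all assumptions.

```python
import struct
from collections import defaultdict

FRAG_NEEDED = (3, 4)  # ICMP Destination Unreachable, "fragmentation needed"
REDIRECT = 5          # ICMP Redirect (any code)
UDP = 17

def quoted_udp_sport(icmp: bytes):
    """UDP source port quoted in a frag-needed/redirect message, else None."""
    if len(icmp) < 8 + 20 + 8:
        return None
    if (icmp[0], icmp[1]) != FRAG_NEEDED and icmp[0] != REDIRECT:
        return None
    inner = icmp[8:]                    # quoted original IPv4 header + 8 bytes
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8:
        return None                     # not IPv4, or truncated quote
    if inner[9] != UDP:
        return None
    return struct.unpack_from("!H", inner, ihl)[0]

def probe_windows(events, window=1.0, min_ports=50):
    """events: (timestamp_s, icmp_bytes) pairs received by the resolver host.
    Returns {window_index: distinct quoted ports} for windows >= min_ports.
    Source addresses are ignored because the attack relies on IP spoofing."""
    seen = defaultdict(set)
    for ts, icmp in events:
        sport = quoted_udp_sport(icmp)
        if sport is not None:
            seen[int(ts // window)].add(sport)
    return {w: len(p) for w, p in seen.items() if len(p) >= min_ports}

def build_icmp(icmp_type, code, sport, proto=UDP):
    """Constructed sample message quoting a resolver query to port 53."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     bytes([192, 0, 2, 53]), bytes([198, 51, 100, 1]))
    udp = struct.pack("!HHHH", sport, 53, 8, 0)
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + ip + udp

# Constructed traffic: two dense bursts plus ordinary ICMP noise.
SAMPLE = [(0.001 * i, build_icmp(3, 4, 40000 + i)) for i in range(200)]
SAMPLE += [(2.0 + 0.001 * i, build_icmp(5, 1, 50000 + i)) for i in range(80)]
SAMPLE += [(5.0, build_icmp(3, 4, 41000)), (5.1, build_icmp(3, 3, 41001))]

if __name__ == "__main__":
    for idx, count in sorted(probe_windows(SAMPLE).items()):
        print(f"window {idx}: {count} distinct resolver ports quoted in ICMP")
```

The threshold should be tuned against the resolver's normal ICMP volume, since legitimate path MTU discovery also produces occasional "fragmentation needed" messages.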

The changes that block the information leak were accepted into the Linux kernel at the end of August (the fix is included in kernel 5.15 and in the September updates to the LTS kernel branches). The solution is to switch the network caches from the Jenkins hash to the SipHash hashing algorithm.

Finally, if you are interested in knowing more about it, you can check the details at the following link.

