
- Thanks, Sandro. Well, I don't know, how many of you use DNS? Can you raise your hand? Only three of you. Well, I think the number is quite a bit larger, because every time you browse the web or, I don't know, connect to some service on the internet, I think you use DNS. How many of you use BIND? Okay, we have a few hands. The other ones are probably shy, because maybe they did a little pitch so far. So it was, you know, fun times when they asked me, "Oh, should I congratulate you on your first patch?" So I told them, "Okay, patch first, then you have time to congratulate." So thanks.

So I will talk about DNS, because when there is a problem and something is not working, probably it's always DNS. I think you already know this story if you've done any troubleshooting on the network or on the systems themselves. So... Just maybe I will start with pressing this button, which doesn't work. So maybe let's see here. Oh, it works with this one.

In short, I'm coming from Marlink Cyber, which recently got this branding change, because we were part of Diverto; I guess you know Diverto, but everything still stays the same. So that means we just got the global strength, and of course we are still doing IT and OT security here and on the global level as well. As Andras said, I think I know half of the persons here, so I think there's no point in introducing myself. You know what I'm doing and what I've done in the past, so I actually took some interesting facts for enjoyment. So I think I'm one of the rarest persons that... you know, I hope you've heard of CISA, the American Cyber Defense Agency. And I think I'm the rarest person whose tools they recommend to use. But also, you can regularly see that they have this, my software being used as well, in different, you know, threat advisories. It's a, you know, benefit of being an open source contributor and author. This one is my GitHub page. So you can read how threat actors are actually using your software, right? It's kind of interesting. So you can see it here, and also somewhere with PaperCut as well, you could see they are using this reverse SOCKS5, which I authored as well. And then again, you can see that even North Korea is using it, right? As you can see, yeah, it's a strange way to learn that you have users in North Korea. That's why I actually updated that software a few weeks ago, because they saw, "Oh, I have users in North Korea!" Yeah, but who knows what they actually added to it. But yeah, it's interesting.

So, let's go further. I will go through how it all started, what BIND and DNS are. I think half of the room probably knows. I'll go through all of these things, hopefully. But I will also tell you the story of what drones have to do with this thing, right? You would never connect drones with DNS, probably. Sorry? Okay, let's go back. What? Is it DNS? Oh, could be. But you said real men use IP addresses, right? I will say real men use MAC addresses.

So, let's see. So, how it started, right? You know, you start planning your weekend. Some normal people plan, you know, they will go somewhere outside, escape the city. But you know, sometimes I get from a colleague of mine, "Hey, let's look at this one." Sometimes when we test, we try to scratch the surface, not just of what we are testing, but also below it. And he said, "Okay, this is my wish list." I said, "Okay, well, you could give me, like, find the zero-day in SSH, right? Okay, this is maybe much easier. Let's see." So I said, "Okay, this one is really, like, fast. Everybody saw it. Okay, I'll take the challenge, your wish is my command."

So, why this one? Who doesn't know what BIND is? Is there anyone who doesn't know? Well, probably he's shy, so he doesn't want to say. So, it's actually one of the most widely used DNS servers. Even root DNS servers are using it. And it actually allows you to translate these addresses, like what a human understands, to something that a machine will understand. So if you're talking about IPv4, IPv6, it's something that's being translated. And it's open source software, so everybody can see the source. And actually it's developed and maintained by the Internet Systems Consortium, or ISC in short. So it's really the standard DNS implementation across the planet, right?

And yeah, so the first thing I was thinking is, okay, if somebody has been doing this for quite some time and there are really a lot of people looking at it, my first question was, are they covering all, like, dangerous inputs which are coming in, right? And do they test all these things in the inputs? And the second question is, what new features were introduced recently? Like looking at the changelog, git log, right? And everything. And yeah, maybe... Then something came up like, hey, they have some new feature which they implemented, and they mentioned something like drones. So they have introduced something for identification of drones inside BIND. And it looked very interesting, because it's a new feature of DNS. It's a live application, a live service, which of course gets some new features, and this is actually what they want to achieve: they use an already-made directory server, which is DNS, and they introduced two new DNS record types. It's BRID and, let's call it, hierarchical host identity tag. So the first one is actually telling... let's go maybe with the second one first. Is this drone legit, and is it, like, real and registered? And then if you get this information, you could also see that what it sends really is what it is supposed to send. So you can check both of these using, you know, standard cryptography which is already known, like public/private keys and so on. So this is actually the thing, and you can actually find it; the complete draft is available here on this link, so you can read it for yourself as well. So they're actually just using DNS so that you can identify the drones. So this answers the question of what it has to do with this lecture, right? DNS is now being drafted so that you can actually identify the drones, if they are, of course, like, legit.
If they are not, probably you have a problem. How does it look? You can see the typical DNS record type, right? And how it should look in the zone file. When you actually decode it, it looks like standard ASN.1, right? Looks good for parsing problems, right? Fuzzing, right? Because it's ASN.1. And if you just go a little bit into producing a few test cases, you come here, where you actually see that you have a problem when you create something which is smaller than three octets. Easy, right? So that actually affects these two DNS record types, BRID and HIT, that's the hierarchical record type, and that means you can actually produce such a thing, but that means you have the zone file and you can load it, and then of course something strange will happen which will cause the crash. But the problem is, of course, this is a local file; you have it on the disk, right?

And if you look at it this way, if you look from the source point of view, what's the problem? They actually have this assert here, and it's totally the same for the other DNS record type, where they actually say in the function, well, it should be lower, right? So they have some kind of, let's say, stop mechanism, so that you cannot alter further, let's say, decisions, because of the assert. So the question here is, right? That is local, there's no real impact. You can just load the zone file and that's it. Does anybody have an idea how to maximize the impact? A way to receive such invalid records over the network? One, two, three. Okay. One of the things is actually doing the DNS zone transfer, right? So if you are somewhere up here and you're the primary DNS, and this one is, like, a secondary DNS, probably you can do it. The problem is you have to configure a secondary DNS to actually ask this primary DNS. So not every DNS is actually vulnerable from this point of view, right? But there are other things, right? These ISC BIND servers can actually be configured to be in only forwarding mode, but also in recursive mode, so that they actually ask other DNS servers for this record. So now we are talking about maximizing this problem by using the recursive resolver of the victim to actually ask for these alternative things. So that means that BIND has to be in one of two modes. One is forwarder mode or recursive mode, so asking someone who can actually send this one. So all three of these scenarios actually work. So that means you can actually create a fake DNS, let's say a fake zone, actually specially crafted as you saw before. And then you can actually ask that DNS server to ask someone else what it is, right? And then when it receives it and tries to actually parse it, it will actually crash, and then you will get no response. So this is actually how you can maximize this impact, and you can do it over the network. The first scenario is of course good for reproducing. But actually, these scenarios are dangerous, because you can do it over the network, right? Any other scenario? Good, I covered all of them.

So, maybe it will be easier for someone who is doing system administration of DNS by just looking at this thing. So, first, you need to have something like this one in your, let's say, attacker zone file. And then you can just, for example, ask for this DNS record, which the recursive resolver asks for, right? And then you will see on the victim that it is no longer responding, because this happens. That means the assertion failure happened. That means the whole BIND is, you know, crashed. So that doesn't mean just one instance which is serving the request. That means the complete thing, because of the assert, how it works. So in short, this is actually causing the complete crash over the network.

So if you look from the timeline perspective, between this wish list, it was like October 31, it was Friday, it was like, you know, a Friday afternoon without an incident, what do you do, right? So you actually start doing, analyzing this, and actually the first crash, I think, I sent him, as you can see, at... 21:11. So that means like four hours, seven minutes. Usually, before that, I would tell you that's impossible. I mean, it's like in a Hollywood movie, right? Four hours till the first crash, till you have proven that it's working. But now, since, you know, there is gen-AI which can help you actually get from the idea to, you know, all of this happening, you can actually ask it to go through the changelog and tell you what's wrong. You can ask it, for example, to generate the harness for you, for the parts you think are not covered. You can actually optimize and generate some of the test cases that don't exist. So you can really, like, do it very quickly. So that means in, let's say, a movie which lasts for four hours, maybe "Cleopatra" is one of them, which lasts four hours and something, right? You can actually do it. Before that, I would tell you it's impossible, right? But now you can see the timeline, and the actors who were with me can confirm it's possible right now.

So let's go to the submission process. It's actually very well documented here. It actually goes to the private tracker of ISC. You actually, you know, just follow the form and everything, so they can understand the impact and they can reproduce the issue and everything. But of course, as you can see, everyone is now... on one hand, it can help you. But on the other hand, you have a lot of these disclaimers. Please tell us if you're using AI. I think that's the impact it had on the curl project. I think you already know those problems. And another thing is, of course, they ban such users. So, yeah, you have to prove it manually, if it works and if it's really doing the impact. But one of the interesting questions is the one below. I would expect such questions from intelligence agencies or something like that one, right? But this is one of the interesting questions they have on their form for the bugs. So they can actually see how quickly they have to fix it, right?

So, following these reporting instructions, of course, I didn't sleep. And I think I submitted it the next morning, like seven something, and I got a response, okay, there's the general automatic response in, you know, a few minutes. Okay, we got it, okay, great. Sounds perfect. But then the first response, oh, it did not sound too optimistic, right? He said, well, you know, this looks like you can just DDoS, like, do the denial of service of yourself, go away, right? And he asked, okay, am I missing something, or what's... you know, I don't understand the impact. The problem is I actually sent the first example so they can reproduce the issue, only with the zone file, so they can quickly do it, right? But they did not assess... I thought, okay, they're experts, they know actually all the ways how they can access this parsing routine, not just from the network, but from the local file and so on. So I just sent them something to reproduce quickly. And he said, "Well, sorry, this doesn't look good, right?" So it could stop here, right? "You are stupid, go away." Well, I told them, "Okay, thank you." So I made them, like... I had another resolver ready, I tested it again. Okay, maybe I was just, you know, doing it overnight and so on. So maybe I'm, you know, crazy. And I sent them, like, okay, can you see this one? So please correct me, right? So it took some time actually once I sent this one. So, okay, something is happening, right? So it was like, okay, one day, nothing, second day, nothing. And then on Tuesday they actually sent, "Okay, yeah, I also have to send, like, a..." He said, "Okay, I will not send late emails at night, because we are in different time zones." He said, "Yeah, this is really the bug, and yeah, we will address it soon, but let's take some time to fix it." So there was more exchanging of proof of concepts, different ways how we can crash it, and so on. So as you can see, sometimes you have to be persistent so that it happens, right?

The question is, right? Well, it's just a crash, it's not RCE, right? We want RCE, right? So, and the question is, why am I so sure it cannot be code execution, right? Because it's an assert. You don't have to do so much, right? And they planted it everywhere. So it's hard to actually get some kind of code execution or memory corruption type of bugs, because it's planted everywhere. If you find something, how to bypass this one, you have a guaranteed talk at Black Hat, DEF CON or whatever, right? And in the case of DNS, BIND, I mean, the impact is again pretty high. Why? Because it exits immediately with an assertion failure. DNS does not work, and that means all the services which are dependent on it, so the impact is quite high. So on the other hand, it's really serious, because it impacts availability at quite a high scale.

And another question is, yeah, okay, so we touched on one: why is it a success? The other part of the success is, you know, this BIND is actually fuzzed with OSS-Fuzz as well. It's been inspected by some of the guys who are not with us anymore, but still inspire us all, like Dan Kaminsky. And if you look at the CVEs which were actually in BIND, for example, for the last year, there are only, like, three, like three from three organizations. One is, like, from Israel, the second one, I mean the third one is from China, which has a very big pool of people who are doing cyber security. And this single university is really, like, a Chinese MIT. And really smart people are working there, and most of them are working in teams. So it's really, you know, there is not, like, a single person doing research on that one. I think with gen-AI this can change. And as you can see, even with Google Big Sleep, with Google DeepMind and Project Zero doing their own research, it's still not being found. So that means, yeah, it can make an impact, right? And finding something like this one in such a big project, which is really being inspected by the whole security community at large, makes a difference. If you look at the timeline, finding the bug is actually, you know, this night somewhere over here, right? And the other things, like talking with the vendor, trying to find the fix and everything, actually take much longer. So if you think that finding the bug is the harder part, I would say it's not. You know, talking with them, talking about the impact so that they accept that it's really there, and working with them on the fix, it really takes some time.
As you can see, it took really some time to go through all these steps. They're actually good steps, because they check, for example, that the code doesn't have similar patterns somewhere else in the code and so on and so on, reporting to different parties. It all makes sense. But on the other hand, you can see there is a window of two months in which, you know, this vulnerability could be exploited, and someone could somehow get it and exploit it, but it did not happen. It's good. Of course, we contacted some of the customers who had a large reliance on DNS. So they knew in advance, like two months in advance. So knowing something that is a problem two months in advance is really, I think, a great advantage. But on the other hand, yeah, for the other ones who did not know, it's quite a long time to be exposed, right?

The question is also, is, you know, BIND the only one who is vulnerable to this? It's actually not. Why? Because they don't have this functionality. BIND was the first one to actually implement this functionality of drone identification using these methods, just recently. So when we are talking about Unbound, like PowerDNS, dnsmasq or whatever, they are not, because they don't have this feature. The question is actual appliances, right? Some of them had ISC BIND in the past, so probably it's worth checking which ones are actually affected or not. So that means Blue Coat, Infoblox, F5. This is really a case-by-case basis, mentioning this CVE and then looking at them. Most of these vendors actually have some kind of early vulnerability program where they pay ISC and they get the vulnerability maybe a few weeks before. So they have time to fix it, but only if they are, of course, part of the program and paying some kind of a fee. But an interesting surface, I think, if this gets, you know, to be a popular protocol for identifying drones, will probably be drone security products. Because they will all have to identify this drone, do something with it, so that means all this parsing of the DNS part, ASN.1 as well, and all these records could also be vulnerable, right? So this really affects these drone security services, or let's say protection as well, or any kind of identification there. This is something that we can expect.

Since I promised Ante to actually have some exclusivity, I actually did not release... you know, we released only the advisory, what you should do, what's the problem, but we didn't release, like, exploit code, let's call it proof of concept. So I'll make this script to actually make this DNS server available on GitHub after the talk. It will be released together with how it can be run. So I hope you patched your DNS and BIND servers. On the other hand, I don't know how much sense it makes anymore to have this delay between, you know, the advisory, publication of the CVE, and the exploit code later. Because with GenAI, I played with it a bit, gave it the advisory, and it could produce, with some guidance, the complete exploitation part. So it will take some time. It's not longer than... you know, it still takes time, needs some guidance, but it's still short, really, you know, a short time. And actually someone can actually weaponize it, right? So this is one of the questions which we should be asking ourselves, right? I know, for example, what happened with React2Shell, right? And they said, "Oh, it's a disaster, because they released examples of proof-of-concept code and exploits on the same day as the problem." So they didn't have time to patch. But on the other hand, if you give GenAI the advisory with some guidance, I think it can be done even so. So I don't know how much this makes sense anymore. Let's not make it easy for the attackers, right?

So what does someone who is affected have to do? These ones are affected, these ones are ready packages to upgrade, everything is ready. You just need to update your packages and don't forget to restart the service. And then of course you can test. I would say authenticated vulnerability scanning can help, but this script which I produced as a proof of concept can also help, but it has a problem, because it will crash, so you know it works, right? On the other hand, if you do it on production, it's a problem. So you have to carefully decide what you want to do, right?

So yeah, then later with... I think I personally didn't say, okay, you can crash the internet. That's something that, you know, the media did on their own, I would say. Yeah, even Croatian ones, from the international stuff and even from the local media. I translated this one for you, and yeah, it's actually... I think I have to thank Leon and Lucian, because they recognized this and connected the dots: okay, it's BIND, you can crash, like... I asked GPT, it's like, actually, like this: they predicted somewhere between 30 percent of the internet is running BIND, and some other figures are saying like 20 percent, and some others say a higher percent and so on, so I took, like, a middle ground, it's 40 percent. Of course, this is not the only bug we actually found. There are a lot of these vulnerabilities which we found over even last year, this year as well. I'm glad that even some younger ones took, you know, a challenge and found some of them. I think, if Anna's here, I think the last one is hers. Yeah, she's here. So yeah, it's definitely, you know, there's plenty of things to do.

So let's go to the lessons learned. So if you're a programmer, if you don't want to get some kind of corruption exploitation, and you know the edge cases or something like what should not happen, maybe you can use this one. But the usual cost is a crash. So I don't know how much you care about availability or confidentiality. If you're a system administrator or architect, this is the reason for having a secondary DNS with different software vendors, so not having two BINDs. I know it's easier to maintain two BINDs, right? But if you have one BIND, one Unbound, or something else which doesn't share the same code base, it actually keeps things running. And of course, keeping functionalities to a minimum and updating software, as you can see, helps. And if you're a zero-day hunter, there are people who are afraid of OSS-Fuzz, because, oh, it's fuzzed again; by the way, it doesn't make sense. It really doesn't have all the coverage. It runs really with old fuzzers. And even maintenance of such fuzzers and harnesses and everything, sometimes you can see that some of the projects are failing at running these fuzzing tools, or the harnesses don't compile because they updated the code. So it really doesn't assure you there are no bugs there.

So let's conclude. Even highly checked projects contain bugs, because they introduce new features. The question is also, when you're testing, the coverage of tests. DNS is a live project like any other, right? We still think, okay, that's it, right? We know there is DNS over HTTP, HTTPS. And, yeah, we are still dependent on DNS. As you can see, if it doesn't work, a lot of things just stop. It's good because it took two months and no signal, you know. This did not get out, so that means everyone was professional. And for me, it's, you know, I can count this as a third of the Internet hacked, so I have to hack the other two thirds, right? It takes time. So, are there any questions?
While you're thinking, I have an inquiry. So I'm just curious. So you said, you know, for the recursive DNS resolvers, if the relaying part is, like, Unbound or PowerDNS or something, what will they do? Just relay, maybe drop, do something else? Who has to be...

Well, it depends how you configure these ones. If they know about this record, or they will just return record unknown. Or if someone... it depends on the internal logic, if this will be transferred to the local BIND. So it really depends on the logic inside. Some of them just drop these unknown record types, but some of them are just forwarding. So yeah, that can be impactful as well.

I see. Any questions? Thank you.
Which AI tool would you recommend for using with any kind of security analysis? Or which of the providers of AI tools would you recommend?

So the question was which AI tool I would recommend for this one. I mean, I'm really using a combination. I mean, using local ones. But that means also what I prefer is actually using coding agents. So that means, like, Claude Code by Anthropic. And of course Codex. For these things Gemini did not prove good enough. Maybe they improved. But it's really, like, a question of, for example, if you're doing it today, that's the status. But maybe in a month they'll improve their bits, and then again it's a different story. So I think it's best you use which one you like, right?
But the coding agents can actually help in a lot of these situations and can speed you up a lot, as you can see. Especially when you have to do harnesses, just reading the code and then doing that part which you need to test from the input side. So it really speeds you up, and a coding agent is for that. So yeah, it's that one. Thanks.

Anyone else? Don't be shy. I don't bite. Andromite. Yeah, he doesn't bite, he binds. I know, lame. I know, I'm doing my best, come on. Okay, okay, in that case, a round of applause. Oh, thank you. Okay, the next one will be at 10 sharp, so don't be late. I