An Attack-in-Depth Analysis of multicast DNS and DNS Service Discovery
Multicast DNS and DNS Service Discovery are two protocols widely used for Zero Configuration Networking by several different devices and vendors. They are also the basis for other services, some of which offer even remote access capabilities (“Back to My Mac” is a notable example). Because their objective is to assist Zero Configuration Networking, these protocols assume a “cooperating participants” environment and therefore have some inherent weaknesses, such as the “generous” broadcasting of a lot of information and the use of easily “spoofable” messages. While these problems have been identified and related research has been published, a complete and in-depth threat analysis of all the potential attack possibilities has not been presented. This paper aims to fill this gap by providing a thorough study of the attack surface of these two protocols. By closely following the RFC specifications, potential attack vectors and specific testing scenarios are identified and then examined against real-life implementations. Specifically, these attacks are tested against popular devices, implementations and operating systems, in both IPv4 and IPv6 environments, using a tool developed specifically for this purpose. As is shown, if this “cooperating participants” environment cannot be guaranteed, the use of such protocols should be seriously reconsidered.