Conference:  Black Hat Asia 2023

Authors: Xiang Li

2023-05-12

Phoenix Domain is a general and novel attack that allows adversaries to maintain the revoked malicious domain continuously resolvable at scale, which enables an old, mitigated attack, Ghost Domain. Phoenix Domain has two variations and affects all mainstream DNS software and public DNS resolvers overall because it does not violate any DNS specifications and best security practices.The attack is made possible through systematically "reverse engineering" the cache operations of 8 DNS implementations, and new attack surfaces are revealed in the domain name delegation processes. We selected 41 well-known public DNS resolvers and proved that all surveyed DNS services are vulnerable to Phoenix Domain, including Google Public DNS and Cloudflare DNS. Extensive measurement studies were performed with 210k stable and distributed DNS recursive resolvers, and results show that even after one month from domain name revocation and cache expiration, more than 25% of recursive resolvers can still resolve it.The proposed attack provides an opportunity for adversaries to evade the security practices of malicious domain take-down. We have reported discovered vulnerabilities to all affected vendors and suggested 6 types of mitigation approaches to them. Currently, 7 DNS software providers and 15 resolver vendors, including BIND, Unbound, Google, and Cloudflare, have confirmed the vulnerabilities, and some of them are implementing and publishing mitigation patches according to our suggestions. In addition, 9 CVE numbers have been assigned. The study calls for standardization to address the issue of how to revoke domain names securely and maintain cache consistency.

Conference:  KubeCon + CloudNativeCon Europe 2023

Authors: Yong Tang

2023-04-21

The presentation discusses the relevance of DNS in Kubernetes clusters and the ways to contribute to the coding community.

• DNS is still relevant in Kubernetes clusters even with software-defined networking
• Contributing to the coding community can be done through GitHub, adding company name to adopt the project, and becoming a maintainer
• SDN allows for more flexibility in assigning IP addresses in a cluster

Conference:  KubeCon + CloudNativeCon Europe 2023

Authors: Thomas Graf

2023-04-21

The presentation discusses the importance of monitoring infrastructure using the Golden Signal Dashboard and Kubernetes Service Implementation.

• The Golden Signal Dashboard is a standard way of monitoring infrastructure for publicly available services.
• The four golden signals that matter are latency, traffic or throughput, errors, and saturation.
• Kubernetes Service Implementation allows for multiple pod replicas to be exposed via a single IP and DNS name.
• Network policies can cause problems that are hard to detect without proper observability tools.
• Hubble UI and Hubble Observe CLI are useful tools for troubleshooting network issues.

Conference:  KubeCon + CloudNativeCon Europe 2022

Authors: Laurent Bernaille, Elijah Andrews

2022-05-20

The presentation discusses a complex incident faced by Datadog in their Kubernetes environment, where they initially suspected DNS issues during rolling updates. However, after extensive debugging, they discovered that the issue was related to the connection tracking table used by the hypervisor in AWS instances.

• Datadog faced a complex incident in their Kubernetes environment
• Initially suspected DNS issues during rolling updates
• Extensive debugging revealed the issue was related to the connection tracking table used by the hypervisor in AWS instances
• Tried different instance types and sizes to address the issue
• Contacted AWS for more information on connection tracking limits

Conference:  KubeCon + CloudNativeCon North America 2021

Authors: Miek Gieben, Yong Tang, John Belamaric

2021-10-13

Best known for its ability to serve as the cluster DNS of Kubernetes, CoreDNS is a flexible and extensible DNS server with a focus on service discovery. The flexibility and extensibility of CoreDNS comes from its unique plugin-based architecture and its easy-to-use Corefile configurations. In this session, we will take a close look at the CoreDNS extension points for developers. We will learn how to build custom DNS applications based on CoreDNS, including: building a custom CoreDNS binary that includes external plugins; building a specialized binary that uses CoreDNS as a library; building your own CoreDNS plugin. We will also update the current state and the road map of CoreDNS for the near future.