SAD DNS Explained

Researchers from UC Riverside and Tsinghua University have announced a new attack against the Domain Name System (DNS) called SAD DNS (Side channel AttackeD DNS). This attack leverages recent features of the networking stack in modern operating systems to allow attackers to revive a classic attack category: DNS cache poisoning. The researchers contacted Cloudflare and other major DNS providers, and 1.1.1.1 Public Resolver is no longer vulnerable to this attack. This post explains what the vulnerability was, how it relates to previous attacks of this sort, what mitigation measures have been taken to protect users, and future directions the industry should consider to prevent this class of attacks from being a problem in the future.