document DNS spoofing vulnerability (#206)

* document dnsspoof vuln * fix relative url
aquasecurity · Oct 18, 2019 · b402922 · b402922
1 parent 1395389
commit b402922
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 1 deletion.
diff --git a/docs/kb/KHV030.md b/docs/kb/KHV030.md
@@ -0,0 +1,23 @@
+---
+id: KHV030
+title: Possible DNS Spoof
+categories: [Identity Theft]
+---
+
+# KHV030 - Possible DNS Spoof
+
+## Issue description
+
+Your Kubernetes DNS setup is vulnerable to spoofing attacks which impersonate your DNS for malicious purposes.  
+In this case the exploited vulnerability was ARP spoofing, but other methods could be used as well.
+
+## Remediation
+
+Consider using DNS over TLS. CoreDNS (the common DNS server for Kubernetes) supports this out of the box, but your client applications might not.
+
+## References
+
+- [DNS Spoofing on Kubernetes Clusters](https://blog.aquasec.com/dns-spoofing-kubernetes-clusters)
+- [KHV020 - Possible Arp Spoof]({{ site.baseurl }}{% link kb/KHV020.md %})
+- [CoreDNS DNS over TLS](https://coredns.io/manual/toc/#specifying-a-protocol)
+- [DNS over TLS spec](https://tools.ietf.org/html/rfc7858)
diff --git a/src/modules/hunting/dns.py b/src/modules/hunting/dns.py
@@ -12,7 +12,7 @@
 class PossibleDnsSpoofing(Vulnerability, Event):
     """A malicous pod running on the cluster could potentially run a DNS Spoof attack and perform a MITM attack on applications running in the cluster."""
     def __init__(self, kubedns_pod_ip):
-        Vulnerability.__init__(self, KubernetesCluster, "Possible DNS Spoof", category=IdentityTheft)
+        Vulnerability.__init__(self, KubernetesCluster, "Possible DNS Spoof", category=IdentityTheft, vid="KHV030")
         self.kubedns_pod_ip = kubedns_pod_ip
         self.evidence = "kube-dns at: {}".format(self.kubedns_pod_ip)