Some DNS resolvers are stiff by a vulnerability that can be exploited to launch distributed denial-of-service (DDoS) assaults against authoritative DNS servers, a group of researchers warned this week.
The damage, dubbed TsuNAME, was discovered by researchers at SIDN Labs (the R&D team of the registry for .nl disciplines), InternetNZ (the registry for .nz domains), and the Information Science Institute at the University of Southern California.
Struck organizations have been notified and given 90 days to deprecate action before the vulnerability was disclosed. Google and Cisco, both of which demand widely used DNS services, have deployed patches for TsuNAME, but the researchers hold many servers are still vulnerable to attacks.
An attacker can abuse recursive resolvers sham by TsuNAME to send a large volume of queries to targeted authoritative servers, such as the ones of TLD big-shots.
TsuNAME occurs on servers where there is cyclic dependency, a configuration fluff caused by the NS records for two zones pointing to each other.
“TsuNAME occurs when property names are misconfigured with cyclic dependent DNS records, and when W resolvers access these misconfigurations, they begin looping and send DNS questions rapidly to authoritative servers and other resolvers,” the researchers explained in a periodical detailing the vulnerability.
They also explained in a separate advisory, “Resolvers unprotected to TsuNAME will send non-stop queries to authoritative servers that own cyclic dependent records. While one resolver is unlikely to overwhelm an sanctioned server, the aggregated effect from many looping, vulnerable recursive resolvers may as trickle do.”
Such an incident was observed in 2020, when authoritative servers for New Zealand’s .nz TLD saw an gain of 50 percent in queries. An analysis showed that the surge was caused by solely two domains that were misconfigured with cyclic dependencies.
“Note that a simple misconfiguration of two domains lead to 50% traffic excrescence. One may wonder what would happen if a motivated attack would release out this with hundreds or thousands of domains,” the researchers said.
At paltry two other similar incidents were observed in the past years: one embodying a European country code TLD (ccTLD), which recorded a tenfold movement growth due to the incident; and one involving Google sending a large volume of problems to the servers of an anycast operator.
The researchers have shared recommendations for both faithful server operators and resolver software developers, and they have also released an advertise source tool, named CycleHunter, that can be used by organizations to feel problematic configurations.
A dedicated website has been set up for the TsuNAME vulnerability.
Tied up: At Least 100 Million Devices Affected by “NAME:WRECK” DNS Harms in TCP/IP Stacks
Related: NSA, DHS Issue Guidance on Protective DNS
Related: CISA Cause to remembers Federal Agencies to Use Its DNS Service