Attackers are staging large-scale reflection-based distributed denial of service (DDoS) attacks against authoritative DNS servers.
By exploiting a newly described DNS vulnerability, called TsuNAME, attackers abuse vulnerable recursive resolvers so that these resolvers flood authoritative servers with a non-stop stream of DNS queries.
Authoritative DNS servers, usually managed by government and private organizations, Internet Service Providers (ISPs), and tech giants, hold the records that translate domain names to IP addresses and answer the recursive resolvers that regular users' browsers and devices query.
The TsuNAME DNS vulnerability is described on a dedicated website and in the researchers' security advisory [PDF], which explains: “Resolvers vulnerable to TsuNAME will send non-stop queries to authoritative servers that have cyclic dependent records.”
While a single resolver cannot overwhelm an authoritative server, attackers can drive many looping, vulnerable recursive resolvers at once, and together these can. If a country code top-level domain (ccTLD) is hit, the impact of such an attack could be a countrywide Internet outage.
“What makes TsuNAME particularly dangerous is that it can be exploited to carry out DDoS attacks against critical DNS infrastructure like large TLDs or ccTLDs, potentially affecting country-specific services,” researchers explain in a research paper [PDF].
Fortunately, popular resolvers such as Unbound, KnotDNS, and BIND are not susceptible to TsuNAME.
However, researchers warn that attackers with access to multiple domains and a botnet can do a lot of damage. Mitigations for TsuNAME are available: operators have to change their recursive resolver software “by including loop detection codes and caching cyclic dependent records.”
Authoritative server operators can also take measures to reduce the risk of TsuNAME attacks. Researchers recommend the open-source CycleHunter tool, which can detect and fix cyclic dependencies in DNS zones.
The researchers have already used CycleHunter on 184 million domains in seven TLDs and detected 44 likely misconfigured NS records on roughly 1,400 domain names that could be targeted by TsuNAME threat actors.
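Both mitigations named above rest on the same idea: a delegation is cyclic when resolving the address of zone A's nameserver requires zone B, whose nameserver in turn requires zone A (or when a zone's only nameservers live inside the zone itself with no glue). The following is an added illustration, not the article's, the researchers' or CycleHunter's code: it runs a zone-operator style cycle scan over a constructed NS-record map, and a resolver-side loop guard that stops after revisiting a zone or exhausting a query budget instead of querying forever. The `NS_RECORDS`, `GLUE` and `budget` values are constructed assumptions for the example.

```python
"""Cyclic NS-delegation scan plus a resolver-side loop guard.

Added example with constructed data; not the CycleHunter tool and not any
resolver vendor's loop-detection code.
"""

# Constructed NS-record map: zone -> nameserver hostnames (all made up).
NS_RECORDS = {
    "example.org.": ["ns1.example.net.", "ns2.example.net."],   # depends on example.net.
    "example.net.": ["ns1.example.org.", "ns2.example.org."],   # depends on example.org. -> cycle
    "healthy.test.": ["ns1.elsewhere.example."],                 # nameserver outside our data
    "selfhosted.test.": ["ns.selfhosted.test."],                 # in-bailiwick, glue provided
    "noglue.test.": ["ns.noglue.test."],                         # in-bailiwick, no glue -> self-cycle
}

# Constructed glue: nameserver hostname -> address handed out by the parent.
GLUE = {"ns.selfhosted.test.": "192.0.2.10"}   # RFC 5737 documentation address


def zone_of(host):
    """Return the zone in NS_RECORDS that `host` falls under, or None if the
    host lives somewhere this data set does not cover (longest suffix wins)."""
    for zone in sorted(NS_RECORDS, key=len, reverse=True):
        if host == zone or host.endswith("." + zone):
            return zone
    return None


def dependencies(zone):
    """Zones that must be resolved before any nameserver of `zone` is reachable.
    Hosts with glue, or hosts outside our data, add no dependency."""
    deps = set()
    for host in NS_RECORDS.get(zone, []):
        if host in GLUE:
            continue
        owner = zone_of(host)
        if owner is not None:
            deps.add(owner)
    return deps


def find_cyclic_zones():
    """Zone-operator check: list every zone that depends on itself, directly
    (no glue) or through a chain of other zones."""
    cyclic = []
    for zone in NS_RECORDS:
        stack, seen = list(dependencies(zone)), set()
        while stack:
            dep = stack.pop()
            if dep == zone:
                cyclic.append(zone)
                break
            if dep in seen:
                continue
            seen.add(dep)
            stack.extend(dependencies(dep))
    return sorted(cyclic)


def resolve_delegation(zone, budget=8):
    """Resolver-side loop guard. Follows NS dependencies until a nameserver with
    a usable address (glue, or a host outside the looping zones) is found.
    Stops when a zone is revisited or the query budget runs out; a resolver
    without this guard would keep re-querying the authoritative servers.
    Returns (status, detail, queries_sent)."""
    visited = set()
    queries = 0
    current = zone
    while queries < budget:
        if current in visited:
            return ("loop", current, queries)
        visited.add(current)
        queries += 1                      # one upstream query for this zone's NS set
        hosts = NS_RECORDS.get(current)
        if hosts is None:
            return ("servfail", current, queries)
        for host in hosts:
            if host in GLUE:
                return ("ok", GLUE[host], queries)
            if zone_of(host) is None:
                return ("ok", host, queries)   # resolvable via zones outside this data
        # Every nameserver sits inside a zone we still have to resolve: follow it.
        current = zone_of(hosts[0])
    return ("budget", current, queries)


if __name__ == "__main__":
    print("cyclic zones:", find_cyclic_zones())
    for z in NS_RECORDS:
        print(z, "->", resolve_delegation(z))
```

The scan reports `example.org.`, `example.net.` and `noglue.test.` as cyclic; the guarded resolver gives up on `example.org.` after two queries instead of bouncing between the two zones indefinitely, which is the behaviour the article's mitigation quote ("loop detection codes") asks resolver operators to add.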