Researchers identified a DNS vulnerability called “TsuNAME”. This vulnerability affects DNS resolvers and can be exploited to attack authoritative servers.
The authoritative DNS servers translate web domains to IP addresses and pass this information to recursive DNS servers that get queried by regular users’ web browsers when trying to connect to a specific website.
It is generally managed by both government and private organizations, including Internet Service Providers (ISPs) and worldwide tech giants.
Resolvers vulnerable to TsuNAME will send non-stop queries to authoritative servers that have cyclic dependent records. While one resolver is unlikely to overwhelm an authoritative server, the aggregated effect from many looping, vulnerable recursive resolvers may as well do.
The TsuNAME vulnerability allows for an adversary to exploit vulnerable recursive resolvers, which will then send a very large volume of queries to the targeted authoritative servers.
“TsuNAME occurs when domain names are misconfigured with cyclic dependent DNS records, and when vulnerable resolvers access these misconfigurations, they begin looping and send DNS queries rapidly to authoritative servers and other resolvers,” the researchers mention in the security advisory.
As one resolver is unlikely to overwhelm an authoritative server, the aggregated effect from many looping, vulnerable recursive resolvers may as well do.
A recursive DNS resolver is one of the core components involved in DNS resolution, i.e., converting a hostname such as www.google.com into a computer-friendly IP address like 126.96.36.199.
To achieve this, it responds to a client’s request for a web page by making a series of requests until it reaches the authoritative DNS nameserver for the requested DNS record. The authoritative DNS server is similar to a dictionary that holds the exact IP address for the domain that’s being looked up.
With TsuNAME, the misconfigurations during domain registration can create a cyclic dependency such that nameserver records for two zones point to each other, leading vulnerable resolvers to “simply bounce back from zone to zone, sending non-stop queries to the authoritative servers of both parent zones,” thereby overwhelming their parent zone authoritative servers.
To mitigate the traffic surge from resolvers to authoritative servers caused by the TsuNAME vulnerability, resolver operators should guarantee that their resolvers:
- do not loop in the presence of cyclic dependencies
- cache the results of cyclic dependent records.
Reports mention TsuNAME events affecting an EU-based ccTLD that increased the incoming DNS traffic by a factor of 10 due to just two domains with a cyclic dependency misconfiguration.
To reduce the impact of the attack, researchers have published an open-source tool called CycleHunter that allows for authoritative DNS server operators to detect cyclic dependencies.
The study also analyzed 184 million domains spanning seven large top-level domains and 3.6 million distinct nameserver records, uncovering 44 cyclic dependencies used by 1,435 domain names. “If a DNS zone has no cyclically dependent NS records at time t, it means that this zone is not vulnerable at only that particular time t. We therefore also recommend that registrars run CycleHunter regularly, for instance, as part of their domain name registration process.”, researchers conclude.