TsuNAME Vulnerability Can Be Exploited for DDoS Attacks on DNS Servers
Some DNS resolvers are affected by a vulnerability that can be exploited to launch distributed denial-of-service (DDoS) attacks against authoritative DNS servers, a group of researchers warned this week.
The flaw, dubbed TsuNAME, was discovered by researchers at SIDN Labs (the R&D team of the registry for .nl domains), InternetNZ (the registry for .nz domains), and the Information Science Institute at the University of Southern California.
Impacted organizations have been notified and given 90 days to take action before the vulnerability was disclosed. Google and Cisco, both of which provide widely used DNS services, have deployed patches for TsuNAME, but the researchers believe many servers are still vulnerable to attacks.
An attacker can abuse recursive resolvers affected by TsuNAME to send a large volume of queries to targeted authoritative servers, such as the ones of TLD operators.
TsuNAME occurs on servers where there is cyclic dependency, a configuration error caused by the NS records for two zones pointing to each other.
“TsuNAME occurs when domain names are misconfigured with cyclic dependent DNS records, and when vulnerable resolvers access these misconfigurations, they begin looping and send DNS queries rapidly to authoritative servers and other resolvers,” the researchers explained in a paper detailing the vulnerability.
They also explained in a separate advisory, “Resolvers vulnerable to TsuNAME will send non-stop queries to authoritative servers that have cyclic dependent records. While one resolver is unlikely to overwhelm an authoritative server, the aggregated effect from many looping, vulnerable recursive resolvers may as well do.”
Such an incident was observed in 2020, when authoritative servers for New Zealand’s .nz TLD saw an increase of 50 percent in queries. An analysis showed that the surge was caused by just two domains that were misconfigured with cyclic dependencies.
“Notice that a simple misconfiguration of two domains lead to 50% traffic growth. One may wonder what would happen if a motivated attack would carry out this with hundreds or thousands of domains,” the researchers said.
At least two other similar incidents were observed in the past years: one involving a European country code TLD (ccTLD), which recorded a tenfold traffic growth due to the incident; and one involving Google sending a large volume of queries to the servers of an anycast operator.
The researchers have shared recommendations for both authoritative server operators and resolver software developers, and they have also released an open source tool, named CycleHunter, that can be used by organizations to detect problematic configurations.
A dedicated website has been set up for the TsuNAME vulnerability.