SIDN Labs, together with other parties, has described a vulnerability in DNS that could be used to exploit resolvers for DDoS attacks. The researchers have named the vulnerability TsuNAME and made a fix available.
According to the researchers, TsuNAME occurs when a misconfiguration creates a cyclic dependency (also called a mutual dependency) between domains. In their report, the researchers give an example of name server data in which example.org points to cat.example.com and example.com points to mouse.example.org. In that situation, resolvers cannot use the name server data to retrieve the IP addresses of the name servers.
Under certain circumstances, the misconfiguration can cause a flood of queries, as resolvers keep sending DNS queries back and forth between the two domains. The researchers report that a cross-dependency configuration error in early 2020 caused the authoritative servers for New Zealand's top-level country domain (.nz) to see 50 percent more traffic, rising from 800 million to 1.2 billion daily queries. All those extra queries were related to the two misconfigured domains. DNS uses caching to offload the authoritative servers, but if a resolver does not cache the name server information, it contacts the authoritative servers much more often.
An attacker could exploit this vulnerability to cause DDoS attacks. Old resolvers are particularly vulnerable, but Google's public DNS resolver also turned out to be a source of repeated queries. Google has fixed the problem, and Cisco has done the same with OpenDNS. The fix adds code to resolvers so that they detect cyclic dependencies and end the query loops. Administrators can check their zones for mutual dependencies using the open source tool CycleHunter. The vulnerability was investigated by SIDN Labs, in collaboration with InternetNZ and the USC Information Sciences Institute. They have set up a special TsuNAME page with further details.
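The kind of check CycleHunter performs can be illustrated with a small dependency-graph walk. The code below is an added example, not CycleHunter and not code from SIDN Labs; it works on a constructed table of NS records (keyed by zone) and reports every set of zones whose out-of-bailiwick name servers point at each other, as in the example.org / example.com case above.

```python
from typing import Dict, List, Optional, Set

# Constructed sample of delegation data: zone -> hostnames of its name servers.
# example.org and example.com mirror the cyclic dependency described in the
# TsuNAME report; the other two zones are healthy (in-bailiwick NS or no loop).
SAMPLE_NS: Dict[str, List[str]] = {
    "example.org": ["cat.example.com"],
    "example.com": ["mouse.example.org"],
    "healthy.example": ["ns1.healthy.example", "ns2.provider.net"],
    "provider.net": ["ns1.provider.net"],
}


def parent_zone(hostname: str, zones: Set[str]) -> Optional[str]:
    """Return the longest known zone that contains hostname, or None."""
    labels = hostname.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def dependency_graph(ns_table: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    """Map each zone to the other zones that host its name servers.
    In-bailiwick servers (same zone) are skipped: glue records resolve those."""
    zones = set(ns_table)
    graph: Dict[str, Set[str]] = {}
    for zone, servers in ns_table.items():
        deps = set()
        for host in servers:
            parent = parent_zone(host, zones)
            if parent is not None and parent != zone:
                deps.add(parent)
        graph[zone] = deps
    return graph


def find_cycles(ns_table: Dict[str, List[str]]) -> List[List[str]]:
    """Depth-first search for cyclic (mutual) dependencies between zones."""
    graph = dependency_graph(ns_table)
    cycles: List[List[str]] = []

    def visit(node: str, path: List[str]) -> None:
        if node in path:  # back to a zone already on the path: a loop
            cycle = path[path.index(node):]
            if frozenset(cycle) not in {frozenset(c) for c in cycles}:
                cycles.append(cycle)
            return
        for dep in sorted(graph.get(node, ())):
            visit(dep, path + [node])

    for zone in sorted(graph):
        visit(zone, [])
    return cycles
```

Running `find_cycles(SAMPLE_NS)` reports `[['example.com', 'example.org']]`; a zone that keeps at least one in-bailiwick name server with glue is not flagged.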