A New DNS Bug Called TsuNAME Could Be Used to DDoS Key DNS Servers
A Newly DNS Vulnerability Is Distributing Denial of Service Attacks and Is Targeting Authoritative DNS Servers.
This specific DNS vulnerability is distributing DDoS attacks, whilst targeting authoritative DNS servers. The targeted servers and their protocols are the ones translating web domains to IP addresses and passing this info to recursive DNS servers.
The recursive DNS servers are meant to get queried, or “asked permission” by regular users’ web browsers when trying to connect to a specific website.
This type of server is commonly managed by Government or Private Organizations such as national Internet Service Providers (ISPs) but also by Worldwide Tech Giants alike.
On May 6th researchers employed by multiple organizations publicly disclosed tsuNAME.
What Is TsuNAME?
TsuNAME is a vulnerability discovered in the DNS resolver software and researchers found that this can actually be “weaponized” in order to carry out DDoS attacks against authoritative DNS servers.
It’s no wonder the vulnerability has also a dedicated website. Here is where the researchers are publicly disclosing tsuNAME, following the responsible disclosure guidelines, therefore notifying vendors and operators 90 days prior to the public disclosure.
How TsuName Operates?
Some DNS resolvers software were found starting to loop when the encountered domain names that are misconfigured with cyclically dependent NS records, this is the loop that can be used against authoritative servers.
An event observed in 2020 led the total traffic to grow by 50%, tsuName being able to make an EU-based ccTLD experienced 10x traffic growth due to the cyclic dependent misconfiguration.
What Mitigation Measures Are Available?
Considering the simple reasoning that attackers could do a lot more damage than having done so far – if they get access to multiple domains and a botnet and choose to misconfigure their domains and start probing open resolvers, it’s fortunate to know that TsuName mitigations exist.
The mitigations discovered require changes to the recursive resolver software “by including loop detection codes and caching cyclic dependent records.”
The authoritative server operators are also able to reduce the impact of tsuName attacks by using the open-source CycleHunter tool.
This specific tool is meant to help prevent such events and works by detecting and pre-emptively fixing cyclic dependencies in their DNS zones.
Heimdal® Threat Prevention - Network
- No need to deploy it on your endpoints;
- Protects any entry point into the organization, including BYODs;
- Stops even hidden threats using AI and your network traffic log;
- Complete DNS, HTTP and HTTPs protection, HIPS and HIDS;
The researchers have already examined around 184 million domains in seven TLDs. This action allowed them to detect 44 cyclic dependent NS records, that were caused most probably by misconfigurations.
It’s important to note that at this time, tsuNAME appears to be just a bug that manifested by accident, with no malicious or intentional attacks being registered so far.