Pierluigi Paganini May 09, 2021

A flaw in some DNS resolvers, tracked as TsuNAME, can allow attackers to launch DDoS attacks against authoritative DNS servers.

Researchers at SIDN Labs (the R&D team of the registry for .nl domains), InternetNZ (the registry for .nz domains), and the Information Science Institute at the University of Southern California has discovered a vulnerability, named TsuNAME, in some DNS resolvers.

The flaw can be exploited by attackers to launch distributed denial-of-service (DDoS) attacks against authoritative DNS servers.

The experts examined the specific case of cyclic dependency, an error that occurs when NS records for two delgations point to each other. NS records define authoritative servers used to resolve a domain, but when a cyclic dependency occurs, the two authoritative servers cannot definitively resolve the domain.

“TsuNAME occurs when domain names are misconfigured with cyclic dependent DNS records, and when vulnerable resolvers access these misconfigurations, they begin looping and send DNS queries rapidly to authoritative servers and other resolvers (we observe up to 5.6k queries/s).” reads the research paper published by the experts.

The researchers disclosed the tsuNAME flaw during the DNS OARC35 workshop and shared their findings with impacted organizations giving 90 days to address it before the vulnerability was disclosed.

The experts discovered the flaw while analyzing production data from .nz, the country-code top-level domain (ccTLD) of New Zealand. Experts discovered that two misconfigured domains where the root cause of a 50% increase on overall traffic volume for the .nz’s authoritative servers. The experts reproduced TsuNAME using their own configuration showing how to exploit it to overwhelm any DNS Zone.

“Resolvers vulnerable to TsuNAME will send non-stop queries to authoritative servers that have cyclic dependent records. While one resolver is unlikely to overwhelm an authoritative server, the aggregated effect from many looping, vulnerable recursive resolvers may as well do.” reads an advisory published by the researchers.

Google has already addressed the TsuNAME issue, but many other servers are still vulnerable to DDoS attacks.

The researchers have provided the following recommendations for resolver operators:

“To mitigate the traffic surge from resolvers to authoritative servers caused by the TsuNAME vulnerability, resolver operators should guarantee that their resolvers (i) do not loop in the presence of cyclic dependencies and (ii) cache the results of cyclic dependent records” continues the advisory.

The experts also provided recommendations for authoritative server operators to mitigate the flaw, they suggest detecting and removing cyclic dependencies from their zones. Experts also provided an open-source tool, named CycleHunter, that reads zone files and scrutinize NS records searching for cyclic dependencies.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, TsuNAME)

[adrotate banner=”5″]

[adrotate banner=”13″]