Security researchers have found extreme domain name system (DNS) fixes that hackers may use to conduct constructive denial-of-service attacks on authoritative DNS servers. The bug they refer to as TsuNAME has been discovered by researchers from SIDN Labs and InternetNZ. The bug is a humongous reflection-based distributed denial of service (DDoS) amplification function attacking authoritative DNS servers.
Authoritative DNS servers are translated into IP addresses, such as 126.96.36.199, through web domains along like, www.google.com. One must realize the distinction between an authoritative and recursive DNS server to consider the context of the vulnerability and its functions.
Authoritative DNS servers, like Internet Service Providers (ISPs) and global tech giants, are usually operated by government and private sector organizations. Attackers trying to take advantage of the complexity of TsuNAME DNS target insecure recidivism resolutions to overload reputable servers, including large numbers of malicious DNS queries.
“Resolvers vulnerable to TsuNAME will send non-stop queries to authoritative servers that have cyclic dependent records,” the researchers explain in their security advisory.
“While one resolver is unlikely to overwhelm an authoritative server, the aggregated effect from many looping, vulnerable recursive resolvers may as well do.”
A potential effect after such an attack could be that authenticated DNS servers are downloaded, which may cause country-wide Internet interruption if a country code top-level domain (ccTLD) is impaired. It could be utilized to perform DDoS attacks on critical DNS infrastructure and services such as large TLDs or ccTLDs, which possibly impact country resources according to primary research materials which makes TsuNAME especially more dangerous.
“We observed 50% traffic increases due to TsuNAME in production in .nz traffic, which was due to a configuration error and not a real attack,” the researchers added.
TsuNAME also had events affecting an EU-based ccTLD which raised incoming DNS traffic by a factor of 10 due to only two domains that are misconfigured by cyclical dependence. An intruder with access to several fields and a botnet can cause even more damage if their domains are misconfigured and open resolvers are tested.
The impact of TsuNAME attacks can also be reduced by authoritative server managers using the open-source CycleHunter tool that avoids such incidents, detects, and prevents the pre-emptively fixing of cyclical dependencies in their DNS areas.