A new vulnerability in the architecture of the global Domain Name System (DNS) was brought to light by a team of Israeli researchers. The team also published a paper highlighting how this flaw could be leveraged with an attack, dubbed as NXNSAttack to bring down target websites.
A DNS Server is a computer server that holds a database storing IP addresses and their corresponding hostnames. The main functionality of a DNS Server involves the translation of hostnames to the IP addresses. When you enter a domain name like ‘secpod.com’ in a browser, the IP address associated with this site is returned by the DNS Server. The browser then obtains the website content by communicating with the CDN Edge servers or origin servers through this address. A type of DNS Server that uses recursive requests is a recursive DNS Server. In simpler terms, when it fails to find an address for an incoming request from a client, a Recursive DNS Server tries to find the address by communicating with other DNS Servers.
The vulnerability arises due to missing glue records, i.e., NS (Name Server) referral response that contains nameservers but without their corresponding IP addresses. When a DNS recursive resolver receives such responses, it could result in a highly unanticipated amount of messages involved in the resolution process. This vulnerability can be exploited by an attack known as the NXNSAttack (Non-eXistent Name Servers Attack) to cause Distributed Denial of Services (DDOS). This attack can be launched using only a handful of devices.
When a recursive resolver receives an incoming request, it tries to find the address in its local cache and if it fails, it starts recursively querying the other servers. When the address is still not found, the Authoritative DNS server comes into play. These servers are configured from the source and store the domain-specific original zone records. The working of these servers involves a delegation principle where an authoritative nameserver can delegate or redirect a request to multiple authoritative nameservers. This delegation response contains only the name of the alternative authoritative nameservers and lacks the IP addresses.
The NXNSAttack takes advantage of the delegation feature and basically works as follows:
- An attacker sets up a sub-domain, like “hacker.com”. This is managed by an authoritative DNS server, which is controlled by the attacker.
- As the recursive resolver fails to find an IP address, it queries a series of servers with the request ultimately being redirected to the attacker-controlled authoritative DNS server.
- The malicious authoritative server follows the delegation principle and responds with a list consisting of a huge number of sub-domains.
- The recursive DNS server then redirects the original request to the entire list of sub-domains, resulting in massive traffic at the authoritative DNS server of the victim.
An attacker could mount DDOS attacks against both recursive resolvers and authoritative servers and cause massive disruption in global internet traffic until websites are forced to go offline.
The research team claimed that most of the DNS providers had been informed about the flaw months ago and their servers have been updated. The list includes ISC BIND (CVE-2020-8616), NLnet labsUnbound (CVE-2020-12662), PowerDNS (CVE-2020-10995), CZ.NIC Knot Resolver (CVE-2020-12667), Cloud-flare, Google, Amazon, Microsoft, Oracle (DYN), Verisign, IBM Quad9 and ICANN.
Currently SanerNow detects the vulnerability in our supported products and patches if the vendor released patches are available. We will track this vulnerability for any further updates, as more CVEs and patches become available. SanerNow will also continue to be updated to detect and patch the same.