A new vulnerability in the architecture of the global Domain Name System (DNS) was brought to light by a team of Israeli researchers, who also published a paper showing how the flaw can be leveraged in an attack, dubbed NXNSAttack, to bring target websites down. Because the fix ships as vendor patches to resolver software, a vulnerability management solution that tracks and applies those patches is the practical remedy.
A DNS server is a server that holds a database mapping hostnames to IP addresses; its main job is translating hostnames into IP addresses. When you enter a domain name such as 'secpod.com' in a browser, the DNS server returns the IP address associated with that site, and the browser then fetches the website content from the CDN edge servers or origin servers at that address. A recursive DNS server (recursive resolver) is one that resolves queries on the client's behalf: when it cannot answer an incoming request from its own cache, it finds the answer by querying other DNS servers in turn. These resolvers are the software that needs patching for this flaw, and automated patching is helpful here.
The vulnerability arises from the handling of referrals that lack glue records, i.e., an NS (name server) referral response that lists nameserver names without their corresponding IP addresses. When a recursive resolver receives such a response it must first resolve each nameserver name itself, and an unpatched resolver does so for every name listed, which can produce a highly unanticipated number of messages within a single resolution. This is what the NXNSAttack (Non-eXistent Name Servers attack) exploits to cause distributed denial of service (DDoS). Because the amplification is large (the researchers report a packet amplification factor of more than 1,600x), the attack can be launched from only a handful of devices.
When a recursive resolver receives an incoming request, it first looks for the answer in its local cache; on a miss it starts querying other servers, walking from the root servers through the top-level domain servers down to the authoritative DNS servers for the requested domain. Authoritative servers are configured by the domain's owner and hold the original zone records for that domain. They work on a delegation principle: an authoritative nameserver can delegate, i.e. redirect, a request to one or more other authoritative nameservers. When the delegated nameservers are named outside the delegating zone, the referral response contains only the names of those nameservers and not their IP addresses, so the resolver has to resolve the nameserver names before it can continue.
The NXNSAttack takes advantage of this delegation feature and works as follows:
- An attacker registers a domain, say "hacker.com", and serves it from an authoritative DNS server under the attacker's control.
- The attacker sends queries for names under that domain (for example, random subdomains of hacker.com) to the target recursive resolver. The resolver finds no cached answer, so it queries the hierarchy and is ultimately referred to the attacker-controlled authoritative server.
- The malicious authoritative server follows the delegation principle and answers with a referral that delegates the name to a huge list of nameservers, all of them non-existent names under the victim's domain (hence "Non-eXistent Name Servers"), and supplies no glue records.
- The recursive resolver, lacking IP addresses for those nameservers, tries to resolve every one of them, sending a flood of queries to the victim's authoritative DNS server. Since resolvers typically ask for both an IPv4 and an IPv6 address per name, the flood is roughly twice the number of names listed, all triggered by one attacker query.
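The following is an added example, not code from the researchers' paper or from any resolver vendor. It models the referral-with-glue versus referral-without-glue behaviour described above, then replays the attack steps against a toy recursive resolver and counts how many queries reach the victim's authoritative server per attacker query. All names and addresses (attacker.example, victim.example, the 10.0.0.x servers) are constructed for illustration, the root and TLD hops are collapsed into one "root" server, and the cap on nameserver lookups per referral is the MaxFetch(k) idea from the paper, with k chosen arbitrarily here.

```python
"""Toy model of the NXNSAttack amplification loop (constructed example)."""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Referral:
    """NS referral: delegated zone, nameserver names and, only when the
    parent has them, glue A records (ns name -> IPv4) for those names."""
    zone: str
    ns_names: list
    glue: dict = field(default_factory=dict)


class AuthServer:
    """Authoritative server answering A queries and handing out referrals."""

    def __init__(self, addr, addresses=None, delegations=None):
        self.addr = addr
        self.addresses = addresses or {}      # qname -> IPv4
        self.delegations = delegations or {}  # child zone -> Referral
        self.queries = Counter()              # qname -> queries received

    def query(self, qname):
        self.queries[qname] += 1
        if qname in self.addresses:
            return "A", self.addresses[qname]
        for zone, ref in self.delegations.items():
            if qname == zone or qname.endswith("." + zone):
                return "REFERRAL", ref
        return "NXDOMAIN", None


class MaliciousAuthServer(AuthServer):
    """Attacker's server: every query gets a referral naming n_fake
    non-existent nameservers under the victim's zone, with no glue."""

    def __init__(self, addr, victim_zone, n_fake):
        super().__init__(addr)
        self.victim_zone, self.n_fake = victim_zone, n_fake

    def query(self, qname):
        self.queries[qname] += 1
        fakes = [f"fake-{i}.{self.victim_zone}" for i in range(self.n_fake)]
        return "REFERRAL", Referral(qname, fakes)


class Resolver:
    """Recursive resolver. max_fetch=None follows every NS name in a
    referral (unpatched behaviour); an integer caps lookups per referral."""

    def __init__(self, network, root_addr, max_fetch=None):
        self.network, self.root, self.max_fetch = network, root_addr, max_fetch
        self.sent = 0  # queries this resolver emitted

    def resolve(self, qname, at=None, depth=0):
        if depth > 10:  # loop guard; real resolvers have similar limits
            return None
        self.sent += 1
        rtype, data = self.network[at or self.root].query(qname)
        if rtype == "A":
            return data
        if rtype == "NXDOMAIN":
            return None
        names = data.ns_names if self.max_fetch is None else data.ns_names[: self.max_fetch]
        for ns in names:
            # Glue lets the resolver contact the NS directly; without it the NS
            # name must be resolved first, starting over at the root. (Real
            # resolvers ask for A and AAAA here, which doubles the cost.)
            ns_addr = data.glue.get(ns) or self.resolve(ns, None, depth + 1)
            if ns_addr is not None:
                answer = self.resolve(qname, ns_addr, depth + 1)
                if answer is not None:
                    return answer
        return None  # every delegated nameserver failed: SERVFAIL


def build_network(n_fake):
    victim = AuthServer("10.0.0.3", addresses={"ns.victim.example": "10.0.0.3",
                                               "www.victim.example": "192.0.2.10"})
    attacker = MaliciousAuthServer("10.0.0.2", "victim.example", n_fake)
    root = AuthServer("10.0.0.1", delegations={
        "attacker.example": Referral("attacker.example", ["ns.attacker.example"],
                                     {"ns.attacker.example": "10.0.0.2"}),
        "victim.example": Referral("victim.example", ["ns.victim.example"],
                                   {"ns.victim.example": "10.0.0.3"}),
    })
    return {s.addr: s for s in (root, attacker, victim)}, root, attacker, victim


def simulate(n_fake, max_fetch=None):
    """One attacker query against a fresh resolver; returns who saw what."""
    net, root, attacker, victim = build_network(n_fake)
    resolver = Resolver(net, root.addr, max_fetch)
    answer = resolver.resolve("x1.attacker.example")  # the single attacker query
    return {"answer": answer,
            "attacker_hits": sum(attacker.queries.values()),
            "victim_hits": sum(victim.queries.values()),
            "resolver_sent": resolver.sent}


def legitimate_lookup():
    """Sanity check: a normal query still resolves via the glued referral."""
    net, root, _, _ = build_network(0)
    resolver = Resolver(net, root.addr)
    return resolver.resolve("www.victim.example"), resolver.sent


if __name__ == "__main__":
    for cap in (None, 5):
        s = simulate(50, cap)
        print(f"max_fetch={cap}: victim got {s['victim_hits']} queries for "
              f"{s['attacker_hits']} attacker query; resolver sent {s['resolver_sent']}")
```

With 50 fake nameservers and no cap, one attacker query costs the resolver 102 outgoing packets and lands 50 queries on the victim; capping lookups at 5 per referral cuts the victim's share to 5 while legitimate lookups are unaffected. The model undercounts real traffic, since it issues one address query per name rather than A plus AAAA.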
An attacker can thus mount DDoS attacks against both recursive resolvers, which are exhausted by their own recursion work, and authoritative servers, which receive the amplified flood, causing large-scale disruption of internet traffic and forcing websites offline.
The research team reported that most major DNS providers were informed of the flaw months before publication and have updated their servers. The list includes ISC BIND (CVE-2020-8616), NLnet Labs Unbound (CVE-2020-12662), PowerDNS Recursor (CVE-2020-10995), CZ.NIC Knot Resolver (CVE-2020-12667), Cloudflare, Google, Amazon, Microsoft, Oracle (Dyn), Verisign, IBM Quad9 and ICANN.
SanerNow currently detects the vulnerability in the products we support and applies the patches where vendors have released them. We will track this vulnerability for further updates as more CVEs and patches become available, and SanerNow will continue to be updated to detect and patch them.