A New DNS Vulnerability Has Been Discovered That Can Trigger a DDoS

January 30, 2022 by Jonas Lejon
A New DNS Vulnerability Has Been Discovered That Can Trigger a DDoS

At best, vulnerabilities can cause server performance issues, but at worst, when discovered by those with malicious intent, they can be exploited to cause much more harm.

Sometime in early 2021, data scientist Giovane Moura and his team at SIDN Labs discovered the vulnerability, which they’ve coined tsuNAME and have slowly and responsibly disclosed the issue to large DNS (Domain Name System) operators such as Google and Cisco.

How Does the Bug (or Exploit) Actually Work?

It’s my understanding that it’s essentially an infinite redirect loop (the more technical term: cyclic dependencies), only nastier. An example of how the issue can occur, as described by Giovane, is when two DNS records are misconfigured like so:

#.com zone
example.com NS cat.example.nl
#.nl zone:
example.nl NS dog.exmaple.com

It keeps snowballing into what essentially amounts to a DDoS (Distributed Denial of Service) attack.

How to Solve the Problem?

Giovane and his team have been incredibly diligent in researching, testing, disclosing, and resolving the issue. They’ve written and submitted several papers and reports about the issue, for example this draft to the IETF (Internet Engineering Task Force) and this paper that goes into great technical detail about the exploit.

They’ve developed a free and open source tool called CycleHunter to help system admins detect the problem if it should occur, and tsuNAME even has its own official site at tsuname.io. I’ve honestly never seen anyone so passionate about helping to solve such a problem. It’s both impressive and daunting.

Not all heroes run into burning buildings and have their “Ah shucks, anyone woulda done it.” moment in front of TV cameras. There are so many people behind the scenes keeping our day-to-day lives safe from chaos. People who keep our sewer ways clear, repair downed power lines, and yes, those who make sure our internet technologies are secure, something as important today as making sure our drinking water is clean.

The History of DNS

From Wikipedia:

The Domain Name System (DNS) is the hierarchical and decentralized naming system used to identify computers, services, and other resources reachable through the Internet or other Internet Protocol (IP) networks. The resource records contained in the DNS associate domain names with other forms of information. These are most commonly used to map human-friendly domain names to the numerical IP addresses computers need to locate services and devices using the underlying network protocols, but have been extended over time to perform many other functions as well. The Domain Name System has been an essential component of the functionality of the Internet since 1985.

DNS isn’t just important, it’s the backbone of the entire internet. Unfortunately, it wasn’t really designed with security or privacy in mind. Even after over 35 years, things haven’t improved much on this front. What’s had to be done is rather than improving the DNS system itself, a new secure layer called DNS over HTTPS was employed by browsers. Firefox (often being at the forefront of adopted new security technologies) was the first to include it.

About DNS-over-HTTPS

When you type a web address or domain name into your address bar (example: www.mozilla.org), your browser sends a request over the Internet to look up the IP address for that website. Traditionally, this request is sent to servers over a plain text connection. This connection is not encrypted, making it easy for third-parties to see what website you’re about to access.

DNS-over-HTTPS (DoH) works differently. It sends the domain name you typed to a DoH-compatible DNS server using an encrypted HTTPS connection instead of a plain text one. This prevents third-parties from seeing what websites you are trying to access.

You can read about tsuNAME in more depth here.

Disclosure Timeline

  • 2021-02-05 Private Disclosure OARC34
  • 2021-02-22 Private Disclosure APTLD
  • 2021-02-23 Private Disclosure CENTR
  • 2021-03-04 Private Disclosure LACTLD
  • 2021-02-18–2021-05-05 Private Disclosure Private
  • 2021-05-06 Public Disclosure OARC35
  • 2021-05-06 Public Disclosure tsuname.io