A team of researchers has recently shared insights into the TsuNAME vulnerability, which puts DNS servers at risk. As they observed, exploiting the vulnerability potentially allows an adversary to conduct denial-of-service (DoS) attacks against target servers.
TsuNAME Vulnerability Affecting DNS Servers
Explaining the details of TsuNAME in a research paper, the researchers stated that the vulnerability affects DNS servers because of cyclic dependencies. This error arises from misconfigured NameServer (NS) records, which define the authoritative servers for a domain.
Under normal circumstances, NS records let a DNS resolver fetch results by pointing it to the authoritative servers. However, if the delegations in two NS records point to each other, a misconfiguration occurs: the resolver can never reach an authoritative server and never obtains an IP address.
That is where the TsuNAME flaw resides. Upon encountering cyclically dependent NS records, a vulnerable DNS resolver begins to loop, eventually pushing the authoritative servers into a DoS state.
As stated in their paper,
TsuNAME occurs when domain names are misconfigured with cyclic dependent DNS records, and when vulnerable resolvers access these misconfigurations, they begin looping and send DNS queries rapidly to authoritative servers and other resolvers.
Exploiting TsuNAME allows an adversary to conduct DDoS attacks against top-level domains (TLDs) and authoritative DNS servers.
Alongside the research paper, the researchers have also shared the details of the vulnerability on a dedicated web page.
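To make the cyclic-dependency condition concrete, the following is an added example that is not part of the article, the paper, or the CycleHunter tool. It walks a constructed set of NS delegations and glue records (all names and addresses are made up, under the reserved `.test` TLD), reports which domains can only be resolved by going around in a circle, and shows why a resolver that bounds its referral chasing stops after a fixed number of queries while an unbounded one would loop forever.

```python
"""Detect cyclically dependent NS delegations in constructed zone data.

Assumptions (hypothetical, not from the paper): delegations are a mapping
of zone -> list of NS names, and glue is a mapping of NS name -> address.
A delegation is resolvable if at least one of its nameservers has glue or
lives in a zone that is itself resolvable without revisiting the zone
currently being resolved.
"""

# Constructed sample data: a.test. and b.test. point at each other's
# nameservers with no glue, so neither can ever be resolved.
DELEGATIONS = {
    "example.test.": ["ns1.example.test.", "ns2.example.test."],
    "a.test.": ["ns.b.test."],
    "b.test.": ["ns.a.test."],
    "self.test.": ["ns.self.test."],      # depends only on itself, no glue
    "ok.test.": ["ns.good.test."],
    "good.test.": ["ns.good.test."],
}
GLUE = {
    "ns1.example.test.": "192.0.2.1",
    "ns2.example.test.": "192.0.2.2",
    "ns.good.test.": "192.0.2.10",
}


def zone_of(name, delegations):
    """Return the longest delegated zone that contains this nameserver name."""
    labels = name.split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in delegations:
            return candidate
    return None


def find_cycle(domain, delegations, glue, stack=None):
    """Return None if the delegation resolves, else the cyclic path found."""
    stack = stack or []
    if domain in stack:
        return stack[stack.index(domain):] + [domain]
    nameservers = delegations.get(domain)
    if not nameservers:
        return None  # not delegated in our data: outside scope, treat as fine
    first_cycle = None
    for ns in nameservers:
        if ns in glue:
            return None  # a glue address makes this nameserver reachable
        parent = zone_of(ns, delegations)
        if parent is None:
            return None  # nameserver in an untracked zone: assume reachable
        cycle = find_cycle(parent, delegations, glue, stack + [domain])
        if cycle is None:
            return None  # one working path is enough to resolve the domain
        first_cycle = first_cycle or cycle
    return first_cycle


def find_all_cycles(delegations, glue):
    """Map every unresolvable delegated zone to the cycle that traps it."""
    return {
        zone: cycle
        for zone in delegations
        if (cycle := find_cycle(zone, delegations, glue)) is not None
    }


def referrals_until_resolved(domain, delegations, glue, max_referrals=10):
    """Simulate a resolver chasing referrals; returns (resolved, queries_sent).

    A resolver without a bound (max_referrals) would never leave this loop
    for a cyclic delegation; the bound is the resolver-side mitigation.
    """
    queries = 0
    current = domain
    while queries < max_referrals:
        queries += 1
        nameservers = delegations.get(current, [])
        if any(ns in glue for ns in nameservers):
            return True, queries
        next_zone = next(
            (z for z in (zone_of(ns, delegations) for ns in nameservers) if z),
            None,
        )
        if next_zone is None:
            return True, queries
        current = next_zone
    return False, queries


if __name__ == "__main__":
    for zone, cycle in find_all_cycles(DELEGATIONS, GLUE).items():
        print(f"{zone} is unresolvable: {' -> '.join(cycle)}")
    print(referrals_until_resolved("a.test.", DELEGATIONS, GLUE))
```

Running it lists `a.test.`, `b.test.` and `self.test.` as trapped in cycles, while `example.test.` and `ok.test.` resolve through glue. The `referrals_until_resolved` simulation sends exactly one query for `example.test.` but exhausts its budget of ten for `a.test.`, which is the behaviour a patched resolver should exhibit instead of querying the authoritative servers indefinitely.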
Recommended Mitigations
Before publicly disclosing the vulnerability, the researchers responsibly reported it to the relevant developers.
Following their report, Google and Cisco, two prominent public DNS resolver developers, addressed the bug, while NLnetLabs and PowerDNS responded to the matter in their advisories.
However, the vulnerability still puts older resolver software at risk. The researchers have therefore also publicly released "CycleHunter", a tool that authoritative server operators can use to detect and remove cyclic dependencies in their DNS zones. The tool is available on GitHub.
The researchers have also released a detailed advisory on TsuNAME and the recommended mitigation for all resolver operators.