Monday, February 17, 2025

TsuNAME – DNS Bug That Allows Hackers to DDoS Authoritative DNS Servers


Researchers have disclosed a vulnerability named “TsuNAME” in DNS resolver software that lets attackers turn vulnerable recursive resolvers into a DDoS source against authoritative DNS servers.

TsuNAME is a bug in recursive resolvers, but its victims are authoritative servers: a vulnerable resolver that encounters a misconfigured delegation keeps re-querying the authoritative servers in a loop, sending them an extremely large number of queries.

A recursive resolver (also called a DNS recursor) sits between the client and the authoritative nameservers. It walks the delegation chain on the client's behalf, querying the root, TLD and domain authoritative servers in turn until it finds the IP address, and then returns the answer to the client that is trying to reach a website through a browser.

How Attackers Exploit the TsuNAME Bug

To exploit TsuNAME, an attacker only needs to send queries for a domain whose NS records form a cyclic dependency (an NS configuration error in which two or more domains delegate to nameservers inside each other's zones, with no glue records) to vulnerable recursive resolvers. The resolvers then generate the flood of queries against the authoritative servers themselves.

Because the looping queries land on the servers of the parent zone, the authoritative servers affected are typically those of ccTLDs and other TLDs, so an attack amounts to a DDoS against a TLD and can potentially disrupt country-specific services that depend on it.

Researchers explained that three things must be present for the attack to work:

  1. Cyclic dependent NS records
  2. Vulnerable recursive resolvers
  3. User queries to start/drive the process

During the investigation, the researchers observed traffic to the .nz ccTLD (country code top-level domain) roughly increase from 800 million to 1.2 billion daily queries.

According to the report: “Upon investigation, the .nz operators determined that the cause of this surge in traffic was due to a configuration error in two domains only. The error was that the two domains were misconfigured with cyclic dependencies.”

The event only stopped 16 days after it began, when the .nz operators removed the cyclic dependency by removing the affected delegations.

“Due to the TsuNAME bug, the researchers also found a 50% traffic growth on .nz due to the misconfiguration of 2 domains, and an anonymous European ccTLD experienced 10x traffic growth when, likewise, two domains were misconfigured with cyclic dependencies.”

Figure: TsuNAME event at an anonymous EU-based ccTLD operator.

Mitigation for TsuNAME Vulnerability

The researchers recommend two security measures for resolver software to mitigate the traffic surge from resolvers to authoritative servers caused by the TsuNAME vulnerability:

  • Do not loop in the presence of cyclic dependencies
  • Cache the results of cyclic dependent records.
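To make the three preconditions listed above and the two mitigations just listed concrete, here is an added simulation (example code written for this page, not the researchers' or any resolver vendor's code). It models a TLD's authoritative servers, a constructed delegation table in which two domains under an imaginary .nz point at each other's nameservers without glue, and a minimal recursive resolver whose `loop_guard` and `cache_cycles` flags correspond to the two recommendations. The domain names, the 192.0.2.x address and the `max_steps` cap are assumptions; real vulnerable resolvers had no such cap, which is why the surge ran for days.

```python
from collections import Counter

# Constructed delegation data for an imaginary ccTLD ("nz" here stands in for any
# TLD). The parent zone knows each child's NS names and any glue addresses.
# example1.nz and example2.nz name each other's servers with no glue: that is the
# cyclic NS dependency TsuNAME needs (precondition 1).
DELEGATIONS = {
    "example1.nz": {"ns": ["ns1.example2.nz"], "glue": {}},
    "example2.nz": {"ns": ["ns1.example1.nz"], "glue": {}},
    "healthy.nz":  {"ns": ["ns1.healthy.nz"],  "glue": {"ns1.healthy.nz": "192.0.2.53"}},
}


def child_zone(qname):
    """Delegation under the TLD that should answer for qname (www.example1.nz -> example1.nz)."""
    return ".".join(qname.split(".")[-2:])


class Authoritative:
    """Stand-in for the TLD's authoritative servers; counts every query it receives."""

    def __init__(self):
        self.queries = Counter()

    def referral(self, qname):
        self.queries[qname] += 1
        return DELEGATIONS.get(child_zone(qname))  # None = no such delegation


class Resolver:
    """Minimal recursive resolver (precondition 2); the flags are the two mitigations."""

    def __init__(self, auth, loop_guard, cache_cycles, max_steps=200):
        self.auth = auth
        self.loop_guard = loop_guard      # refuse to re-enter a name already being resolved
        self.cache_cycles = cache_cycles  # remember that the cyclic names failed
        self.max_steps = max_steps        # assumed safety valve so the vulnerable variant terminates
        self.cache = {}
        self.steps = 0

    def resolve(self, qname, in_progress=None):
        if qname in self.cache:
            return self.cache[qname]
        if in_progress is None:           # a fresh client query (precondition 3)
            in_progress, self.steps = set(), 0
        self.steps += 1
        if self.steps > self.max_steps:   # only the vulnerable variant ever gets here
            return "servfail"
        if self.loop_guard and qname in in_progress:
            return self._fail(qname)      # cyclic dependency detected: stop looping
        in_progress.add(qname)
        try:
            referral = self.auth.referral(qname)
            if referral is None:
                return self._remember(qname, "nxdomain")
            for ns in referral["ns"]:
                if ns in referral["glue"]:                  # glue address: server is reachable
                    return self._remember(qname, "ok")
                if self.resolve(ns, in_progress) == "ok":   # no glue: resolve the NS name first
                    return self._remember(qname, "ok")
            return self._fail(qname)
        finally:
            in_progress.discard(qname)

    def _remember(self, qname, result):
        self.cache[qname] = result
        return result

    def _fail(self, qname):
        return self._remember(qname, "servfail") if self.cache_cycles else "servfail"


def simulate(loop_guard, cache_cycles, client_queries):
    """Run client queries through one resolver; return (queries that hit the TLD, outcomes)."""
    auth = Authoritative()
    resolver = Resolver(auth, loop_guard, cache_cycles)
    outcomes = [resolver.resolve(q) for q in client_queries]
    return sum(auth.queries.values()), outcomes


# Constructed client traffic: two hits on the broken domains, one repeat, one healthy name.
CLIENT_QUERIES = ["www.example1.nz", "www.example1.nz", "mail.example2.nz", "www.healthy.nz"]

if __name__ == "__main__":
    for guard, cache in [(False, False), (True, False), (True, True)]:
        total, outcomes = simulate(guard, cache, CLIENT_QUERIES)
        print(f"loop_guard={guard!s:5} cache={cache!s:5} -> {total:4d} queries to TLD, {outcomes}")
```

With the cap at 200 steps, the vulnerable resolver sends 601 queries to the TLD for four client queries (200 for each query touching the cyclic pair, one for the healthy name); the loop guard alone brings that down to 10, and guard plus caching to 5, because the cached SERVFAIL stops the repeat query and the second broken domain from reaching the TLD again. The numbers scale with the cap, which is the point: without a guard the only limit is how long the resolver is willing to keep going.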

Authoritative server operators, in turn, can use the open-source tool CycleHunter to detect cyclic dependent NS records in their own zones and remove them before an attacker can use them to drive a TsuNAME traffic surge against their servers.

“We are happy that both Google and Cisco have mitigated this vulnerability in their resolver software. However, many old resolver software may still be vulnerable to tsuNAME, so we encourage resolver operators to follow our recommendations on our Security Advisory,” the researchers said.

The researchers have already used CycleHunter to analyse around 184 million domains across seven TLDs, detecting 44 cyclic dependent NS records caused by misconfiguration.
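The check CycleHunter performs on a zone can be reproduced in miniature. The following scanner is an added example, not CycleHunter's code: it parses a constructed snippet of a parent zone's NS and glue records, finds the delegated zones that can never be resolved because their nameservers depend on each other (including indirect cycles such as a -> b -> c -> a), and separates those from a would-be cycle that a single glue record breaks and from merely lame delegations. The zone content, the TLD label and the treatment of out-of-TLD nameservers as resolvable are assumptions.

```python
from collections import defaultdict

# Constructed snippet of a parent zone's delegation data (not a real zone).
SAMPLE_ZONE = """
example1.nz.     IN NS ns1.example2.nz.   ; example1 <-> example2 depend on each other
example2.nz.     IN NS ns1.example1.nz.
loop-a.nz.       IN NS ns.loop-b.nz.      ; three-way cycle a -> b -> c -> a
loop-b.nz.       IN NS ns.loop-c.nz.
loop-c.nz.       IN NS ns.loop-a.nz.
fixed.nz.        IN NS ns1.other.nz.      ; would be a cycle, but other.nz has glue
other.nz.        IN NS ns1.fixed.nz.
ns1.fixed.nz.    IN A  192.0.2.10
healthy.nz.      IN NS ns1.healthy.nz.
ns1.healthy.nz.  IN A  192.0.2.53
ext.nz.          IN NS ns.example.net.    ; nameserver outside the scanned TLD
dangling.nz.     IN NS ns.nowhere.nz.     ; points at a zone that is not delegated
chained.nz.      IN NS ns.dangling.nz.    ; lame by way of dangling.nz, but not a cycle
"""


def parse_zone(text):
    """Return ({zone: [ns names]}, {ns name: address}) from the NS and A records."""
    zones, glue = defaultdict(list), {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        fields = line.lower().split()
        owner, rtype, rdata = fields[0].rstrip("."), fields[-2], fields[-1].rstrip(".")
        if rtype == "ns":
            zones[owner].append(rdata)
        elif rtype == "a":
            glue[owner] = rdata
    return dict(zones), glue


def zone_of(name):
    """Delegation directly under the TLD that owns name (ns1.example2.nz -> example2.nz)."""
    return ".".join(name.split(".")[-2:])


def classify(zones, glue, tld):
    """Split delegated zones into resolvable, cyclic dependent, and otherwise lame."""
    suffix = "." + tld

    def anchored(ns):
        # A nameserver we can reach without resolving anything in this TLD. Out-of-TLD
        # servers are assumed resolvable here; only in-TLD names can take part in a cycle.
        return ns in glue or not ns.endswith(suffix)

    # Least fixed point: a zone becomes resolvable once any of its nameservers is
    # either anchored or lives in a zone already known to be resolvable.
    resolvable, changed = set(), True
    while changed:
        changed = False
        for zone, nss in zones.items():
            if zone not in resolvable and any(anchored(ns) or zone_of(ns) in resolvable for ns in nss):
                resolvable.add(zone)
                changed = True

    def deps(zone):
        # Delegated zones of this TLD that zone's nameservers live in (for an unresolvable
        # zone these are all unresolvable too, otherwise the fixed point would have caught it).
        return {zone_of(ns) for ns in zones[zone] if zone_of(ns) in zones}

    def on_cycle(start):
        # Depth-first walk of the dependency edges looking for a path back to start.
        stack, seen = [start], set()
        while stack:
            for nxt in deps(stack.pop()):
                if nxt == start:
                    return True
                if nxt not in seen:
                    seen.add(nxt)
                    stack.append(nxt)
        return False

    unresolvable = [z for z in zones if z not in resolvable]
    cyclic = sorted(z for z in unresolvable if on_cycle(z))
    lame = sorted(z for z in unresolvable if z not in cyclic)
    return sorted(resolvable), cyclic, lame


if __name__ == "__main__":
    zones, glue = parse_zone(SAMPLE_ZONE)
    resolvable, cyclic, lame = classify(zones, glue, "nz")
    print("cyclic dependent (fix these first):", cyclic)
    print("lame for other reasons:", lame)
    print("resolvable:", resolvable)
```

Only the cyclic list is TsuNAME-relevant: lame delegations waste a few queries but do not make a looping resolver hammer the TLD, whereas every name under example1.nz, example2.nz and the loop-* zones will. Note that fixed.nz and other.nz are reported as resolvable even though they delegate to each other, because the glue for ns1.fixed.nz gives resolvers a way in; removing that one A record would turn the pair into a fourth cyclic dependency.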


Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
