TsuNAME – DNS Bug That Allow Hackers to DDoS Authoritative DNS Servers

Researchers encountered a new vulnerability named “TsuNAME” in DNS Servers that allows attackers to exploit DDoS authoritative DNS servers.

The TsuNAME bug specifically affects the DNS resolvers that lead to exploiting the authoritative servers due to recursive resolvers by sending an extremely large amount of queries to the targeted authoritative servers.

The recursive resolver is also known as the DNS recursor that sits in the middle of the client and the DNS nameserver for helping the DNS server to communicate with other DNS servers to find the IP address and return to the client who is trying to connect with any website through a browser.

How does Attackers Exploit TsuNAME Bug

To exploit the TsuNAME vulnerability, attackers will initiate a large amount of malicious queries to the authoritative DNS servers that contain a Cyclic Dependency, an NS configuration error.

It leads to affect the ccTLD, TLDs and carry out a large amount of DDoS attacks on the DNS servers and also potentially affecting country-specific services.

Researchers explained that there are 3 things should necessarily presents during the attack of the following:-

1. Cyclic dependent NS records
2. Vulnerable recursive resolvers
3. User queries to start/drive the process

During the investigation, researchers experience a large volume of traffic, roughly increase, from 800M to 1.2B daily queries ag .nz ccTLD(country code top-level domain).

According to the report “Upon investigation, the .nz operators determined that the cause of this surge in traffic was due to a configuration error in two domains only. The error was that the two domains were misconfigured with cyclic dependencies”

Soon after encountered this issue, the event only stopped after 16 days when .nz operators removing the cyclic dependency by removing the affected delegation.

“Due to TsuNAME bug, researchers also found that there is 50% traffic growth on .nz due to misconfiguration of 2 domains, and evident with an anonymous European ccTLD experienced 10x traffic growth when also two domains were misconfigured with cyclic dependencies.”

Mitigation for TsuNAME Vulnerability

There is 2 important security measure that recommended by the researchers To mitigate the traffic surge from resolvers to authoritative servers caused by the TsuNAME vulnerability.

• Do not loop in the presence of cyclic dependencies
• Cache the results of cyclic dependent records.

Also, Authoritative server operators can use the open-source tool called ” CycleHunter” to prevent their DNS server from TsuNAME and reduce the impact and being compromised by hackers.

“We are happy that both Google and Cisco have mitigated this vulnerability in their resolver software. However, many old resolver software may still be vulnerable to tsuNAME, so we encourage resolver operators to follow our recommendations on our Security Advisory.” Researcher said.

Researchers has already use CycleHunter tool to analyse around 184 million domains based on seven TLDs, allowing them to detect 44 cyclic dependent NS records caused by the misconfiguration.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity, and hacking news updates.