A group of researchers from Tel Aviv University and the Herzliya Interdisciplinary Center in Israel discovered a vulnerability in DNS servers that can be abused for DDoS attacks with an amplification factor of up to 1620x. According to the researchers, the vulnerability, called NXNSAttack, affects recursive DNS servers and the way they handle delegation.
Recursive DNS servers (resolvers) accept queries from clients and work through the DNS hierarchy on their behalf until a domain name is converted into an IP address. The answers come from authoritative DNS servers, which hold the zone data for the domains in question. As a normal part of the DNS design, an authoritative server may also refer the resolver onward, answering with a delegation that names other DNS servers (NS records) as authoritative for the requested name. The resolver then has to contact those servers, and if the referral carries no glue records (the IP addresses of the named servers), it must first look up each server's address itself. NXNSAttack abuses this last step:
- The attacker sends a DNS query to the recursive DNS server for a name under a domain such as attacker.com, whose authoritative DNS server is controlled by the attacker.
- Since the recursive server is not authoritative for that domain and has nothing cached, it forwards the query to the attacker-controlled authoritative server.
- The malicious authoritative server answers with a referral that says, in effect, "this name is delegated to the following list of name servers". The list contains thousands of (non-existent) server names under the victim's domain and no glue records, so the resolver has to look up every one of them.
- The recursive server tries to resolve every name on the list, sending a flood of queries to the victim's authoritative DNS server, all triggered by the attacker's single query. Repeating this with a fresh subdomain of attacker.com each time keeps the resolver's cache from helping.
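To make the fan-out in the steps above concrete, here is a small model of what the resolver does after receiving the malicious referral. It is an added illustration, not code from the paper or from any resolver implementation. The zone names, the number of NS names, the assumption that the resolver issues one A and one AAAA lookup per glue-less NS name, and the `max_fetch` cap (modelled on the per-referral limit the paper proposes, MaxFetch(k)) are all assumptions of this example.

```python
"""Toy model of recursive-resolver fan-out on an NXNSAttack-style referral.

Added example; not code from the paper or from any real resolver.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

VICTIM_ZONE = "victim.example"       # constructed victim domain
ATTACKER_ZONE = "attacker.example"   # constructed attacker-controlled domain


@dataclass
class Referral:
    """A delegation answer: the NS names for a zone plus any glue addresses."""
    zone: str
    ns_names: List[str]
    glue: Dict[str, str] = field(default_factory=dict)  # NS hostname -> IP


def zone_of(name: str) -> str:
    """Toy zone cut: treat the last two labels of a hostname as its zone."""
    return ".".join(name.split(".")[-2:])


def malicious_referral(n_ns: int, with_glue: bool = False) -> Referral:
    """What the attacker's authoritative server returns for a query under
    ATTACKER_ZONE: n_ns NS names that all sit under the victim's zone.
    Without glue the resolver must ask the victim's authoritative server
    for the address of every single one of them."""
    names = [f"ns{i}.sub.{VICTIM_ZONE}" for i in range(n_ns)]
    glue = (
        {n: f"203.0.113.{(i % 254) + 1}" for i, n in enumerate(names)}
        if with_glue else {}
    )
    return Referral(zone=f"sd1.{ATTACKER_ZONE}", ns_names=names, glue=glue)


def resolve_referral(ref: Referral, max_fetch: Optional[int] = None) -> Dict[str, int]:
    """Model the resolver's next step after receiving `ref`.

    Returns the number of queries sent, keyed by the zone whose authoritative
    server receives them. max_fetch=None models an unpatched resolver that
    chases every NS name; an integer caps how many glue-less NS names are
    chased per referral (the MaxFetch(k) idea from the paper, assumed here).
    """
    sent: Dict[str, int] = {}
    fetched = 0
    for name in ref.ns_names:
        if name in ref.glue:
            continue  # glue already supplies the address; nothing to chase
        if max_fetch is not None and fetched >= max_fetch:
            break
        fetched += 1
        # Assumption: one A and one AAAA lookup per NS name, both sent to the
        # authoritative server of the zone that owns the NS hostname.
        owner = zone_of(name)
        sent[owner] = sent.get(owner, 0) + 2
    return sent


def victim_packets_per_attacker_query(n_ns: int,
                                      max_fetch: Optional[int] = None,
                                      with_glue: bool = False) -> int:
    """Queries the victim's authoritative server receives for one attacker query."""
    ref = malicious_referral(n_ns, with_glue)
    return resolve_referral(ref, max_fetch).get(VICTIM_ZONE, 0)


if __name__ == "__main__":
    for n in (10, 100, 1000):
        print(f"{n:5d} NS names, unpatched : {victim_packets_per_attacker_query(n)} packets to victim")
        print(f"{n:5d} NS names, MaxFetch(3): {victim_packets_per_attacker_query(n, max_fetch=3)} packets to victim")
```

The numbers are those of the model, not the 1620x measured by the researchers, which depends on real resolver behaviour such as retries and timeouts. The point the model shows is structural: one attacker query plus one attacker-side response turns into twice as many victim-side queries as there are glue-less NS names in the referral, and a per-referral cap turns that linear blow-up into a constant.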