TsuNAME Vulnerability can be Used to Carry out DDoS Attacks on Key DNS Servers


An attacker who registers a few domain names with cyclically dependent NS records and points enough vulnerable recursive resolvers at them can turn those resolvers into a DDoS source against authoritative DNS servers.

A team of researchers has reported a weakness in the DNS ecosystem that lets an attacker amplify the traffic recursive resolvers send to authoritative DNS servers, and so mount DDoS attacks against those servers.

The vulnerability, dubbed tsuNAME, was discovered after the New Zealand and Dutch national domain registries (the operators of .nz and .nl) detected anomalies in the DNS traffic reaching their authoritative servers.

To understand how the vulnerability works, you need to know the difference between an authoritative and a recursive DNS server. Most of the DNS servers that clients talk to directly (an ISP's resolver, a public resolver, a home router) are recursive: they take a query from a user and resolve it on the user's behalf by querying authoritative DNS servers. The authoritative servers hold the zone data and act as a kind of phone book, returning the records for the domain names they are responsible for. Under normal circumstances, millions of recursive DNS servers send billions of DNS queries to authoritative DNS servers every day.

Authoritative DNS servers are typically run by large companies and organizations like content delivery networks, tech giants, ISPs, domain registrars, and government agencies.

The researchers explained that the trigger is a cyclic dependency between NS records: the name servers of one domain are hosted under a second domain, whose name servers are in turn hosted under the first, so neither name can be resolved without first resolving the other. A recursive resolver that neither detects this loop nor caches the failure keeps re-querying the authoritative servers of both zones in a continuous loop, multiplying a single client query into a stream of queries to the authoritative side. An attacker therefore needs only to register a few such cyclically dependent domains and send queries for them to vulnerable resolvers; by recruiting a sufficient number of those resolvers, they can carry out fairly powerful DDoS attacks against authoritative DNS servers without owning any of the machines that generate the flood.
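The following toy resolver is an added example written for this page; it is not code from the article or from the tsuNAME paper. It walks NS delegations over a constructed, in-memory set of zones in which `example.nl` and `example.nz` delegate to name servers hosted under each other, the misconfiguration the researchers describe. A naive resolver with no loop detection keeps querying both authoritative zones until a hard query budget runs out, so every client lookup of the cyclic name is amplified into that many authoritative queries; a hardened resolver tracks names it is already resolving and negatively caches failures, so the same lookup costs one query per zone. The zone data, glue address, the query budget of 40, and the simplification that a name server's address is found by resolving its parent domain are all assumptions made for illustration.

```python
from collections import Counter

# Constructed delegation data (illustrative only): TLD zone -> {delegated name: NS hostnames}.
# example.nl's name servers live under example.nz and vice versa, so neither name
# can be resolved without first resolving the other: a cyclic NS dependency.
AUTH_ZONES = {
    "nl": {"example.nl": ["ns1.example.nz", "ns2.example.nz"]},
    "nz": {"example.nz": ["ns1.example.nl", "ns2.example.nl"]},
    "org": {"healthy.org": ["ns1.healthy.org"]},
}
# Glue addresses the parent hands out with the delegation (only the healthy zone has any).
GLUE = {"ns1.healthy.org": "192.0.2.10"}  # constructed address in the documentation range


def query_parent(name, counter):
    """One query to the authoritative server of name's parent (TLD) zone.
    counter tallies queries per zone: this is the load tsuNAME amplifies."""
    zone = name.rsplit(".", 1)[-1]
    counter[zone] += 1
    return AUTH_ZONES[zone].get(name, [])


def ns_domain(ns_host):
    """Simplification (assumption): to reach ns_host we must resolve the domain
    below its host label, e.g. ns1.example.nz -> example.nz."""
    return ns_host.split(".", 1)[1]


def naive_resolve(name, counter, max_queries=40):
    """Resolver with no cycle detection. It follows the delegation chain until a
    global query budget is exhausted, so one lookup of a cyclic name costs the
    authoritative servers max_queries queries before giving up."""
    if sum(counter.values()) >= max_queries:
        return None
    for ns in query_parent(name, counter):
        if ns in GLUE:
            return GLUE[ns]
        addr = naive_resolve(ns_domain(ns), counter, max_queries)
        if addr is not None:
            return addr
    return None


def hardened_resolve(name, counter, in_progress=None, failed=None):
    """Resolver that detects cycles (a name re-entered while it is still being
    resolved) and negatively caches names that failed, so a cyclic pair costs
    exactly one query to each authoritative zone."""
    in_progress = set() if in_progress is None else in_progress
    failed = set() if failed is None else failed
    if name in in_progress or name in failed:
        return None  # loop detected, or already known to be unresolvable
    in_progress.add(name)
    try:
        for ns in query_parent(name, counter):
            if ns in GLUE:
                return GLUE[ns]
            addr = hardened_resolve(ns_domain(ns), counter, in_progress, failed)
            if addr is not None:
                return addr
        failed.add(name)  # negative cache: do not re-walk this dead end
        return None
    finally:
        in_progress.discard(name)


def simulate(resolver, name):
    """Run one client lookup and return (result, total queries, per-zone counts)."""
    counter = Counter()
    result = resolver(name, counter)
    return result, sum(counter.values()), dict(counter)


if __name__ == "__main__":
    for resolver in (naive_resolve, hardened_resolve):
        print(resolver.__name__, simulate(resolver, "example.nl"), simulate(resolver, "healthy.org"))
```

Running it shows the asymmetry the attack relies on: the healthy delegation costs both resolvers one query, while the cyclic name costs the naive resolver its whole budget (20 queries to each of .nl and .nz per client lookup) and the hardened resolver two. Scale the budget to whatever a real resolver's retry logic allows and multiply by the number of resolvers an attacker can query, and the load on the authoritative servers is entirely generated by third-party resolvers.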

Get all the details about tsuNAME from this paper [pdf].