Researchers release open source tool to narrow down cyclic dependencies-related threat

What's TsuNAME? DDoS attack vector threatens authoritative DNS servers

Computer scientists have uncovered a flaw in some DNS resolvers that, left unresolved, might be abused to launch DDoS attacks against authoritative DNS servers.

The vulnerability – dubbed TsuNAME – has the potential to impair a core internet service, rendering at least portions of the net difficult to reach in the process.

“TsuNAME occurs when domain names are misconfigured with cyclic dependent DNS records, and when vulnerable resolvers access these misconfigurations, they begin looping and send DNS queries rapidly to authoritative servers and other resolvers,” the researchers explain in a paper (PDF) on the vulnerability.

Catch up on the latest DNS-related security news

Using real production data, the four researchers – Giovane Moura of SIDN Labs, Sebastian Castro and John Heidemann from InternetNZ, and Wes Hardaker of USC/ISI – showed how just two misconfigured domains led to a 50% increase on overall traffic volume for .nz’s authoritative servers.

Defending against TsuNAME requires changes to some recursive resolver software, by including loop detection codes and caching cyclic-dependent records.

Cycle of repair

The team have developed CycleHunter, an open-source tool that allows for authoritative DNS server operators to detect cyclic dependencies and therefore see exactly which systems need security remediation work to defend against potential attack.

Performing an analysis of 184 million domain names in seven large, top-level domains (TLDs), the researchers used to tool to find 44 cyclic-dependent NS records (likely from configuration errors) used by 1,400 domain names.

The team is working with resolver developers and many TLD operators to protect DNS systems against potential attack. Google Public DNS and Cisco OpenDNS have already been updated.

Cricket Liu, chief DNS architect at Infoblox, told The Daily Swig that while “TsuNAME is certainly serious” the community has “discovered and dealt with issues like this before.

“DNS servers already have mechanisms in place to protect themselves from *some* of these configurations, such as looping aliases, and adding a new mechanism to detect and cope with this one probably won't be difficult,” Liu explained.

Work to address TSuNAME is already well in hand, he added.

Liu said: “The paper says that OpenDNS and Google Public DNS have already fixed the problem. In addition, the most important DNS servers to patch are the Internet’s big open recursive DNS servers (such an Google Public DNS and Cloudflare), since those could be used by a bad guy to initiate a DDoS attack, and there aren't very many of those.”

Weapons grade

The researchers warn that a “well motivated adversary could easily weaponize this vulnerability” but Liu expressed scepticism on this point.

“I also think weaponizing TsuNAME seems somewhat difficult,” Liu told The Daily Swig. “The authors talk about setting up the problematic circular delegations, but they need to control the zones ‘on both sides’ to set them up. To attack some, delegated to, they'd need to control”

The Daily Swig asked both the researchers follow-up questions about the TsuNAME vulnerability. No word back yet, but we’ll update this story as and when more information comes to hand.

RELATED Time to update DNS servers to defend against brace of serious BIND vulnerabilities