NXNSAttack: upgrade resolvers to stop new kind of random subdomain attack
([Security] May 19, 2020 19:04 UTC (Tue) (jake))
- Reference: 0000820876
- News link: https://lwn.net/Articles/820876
CZ.NIC staff member Petr Špaček has a [1]blog post describing a newly disclosed DNS resolver vulnerability called [2]NXNSAttack. It allows attackers to abuse the delegation mechanism to create a denial-of-service condition via packet amplification. "This is so-called glueless delegation, i.e. a delegation which contains only names of authoritative DNS servers (a.iana-servers.net. and b.iana-servers.net.), but does not contain their IP addresses. Obviously a DNS resolver cannot send a query to a “name”, so the resolver first needs to obtain the IPv4 or IPv6 address of authoritative server 'a.iana-servers.net.' or 'b.iana-servers.net.' and only then can it continue resolving the original query 'example.com. A'. This glueless delegation is the basic principle of the NXNSAttack: the attacker simply sends back a delegation with fake (random) server names pointing to the victim DNS domain, thus forcing the resolver to generate queries towards the victim's DNS servers (in a futile attempt to resolve fake authoritative server names)." At this time, Ubuntu has updated its BIND package to mitigate the problem; other distributions will no doubt follow soon. More details can also be found in the [3]paper [PDF].
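To make the amplification concrete, here is an added model (not code from the LWN item, from CZ.NIC, or from the paper) of what a resolver does when it receives a glueless referral: for every NS name it lacks glue for, it issues an address lookup, typically one A and one AAAA query, so a referral carrying N fake names in the victim's domain turns one attacker packet into 2N queries at the victim. The `max_ns_fetches` cap is an illustrative mitigation of the kind the post's "upgrade resolvers" advice implies: the exact limits and knobs in BIND, Unbound and Knot Resolver are not described on this page, so the cap here is an assumption, not any product's setting. The delegation data is constructed inline.

```python
"""Model of NXNSAttack query amplification at a recursive resolver.

Added example; the Delegation structure, the fetch cap and the sample
referral are assumptions for illustration, not any resolver's real code.
"""
from dataclasses import dataclass, field
import random
import string


@dataclass
class Delegation:
    """A referral: NS names for a zone, plus glue (name -> IP) if any."""
    zone: str
    ns_names: list
    glue: dict = field(default_factory=dict)  # empty dict == glueless


def _random_label(rng, length=12):
    return "".join(rng.choice(string.ascii_lowercase) for _ in range(length))


def make_delegation(zone, n_servers, victim_zone, glueless=True, seed=0):
    """Construct a referral whose NS names all live under victim_zone.

    With glueless=True this is the attacker-shaped referral the post
    describes; with glueless=False every name carries a (constructed)
    glue address, so the resolver needs no follow-up lookups.
    """
    rng = random.Random(seed)
    names = [f"{_random_label(rng)}.{victim_zone}" for _ in range(n_servers)]
    glue = {} if glueless else {n: "192.0.2.1" for n in names}  # TEST-NET-1
    return Delegation(zone, names, glue)


def resolver_followups(delegation, max_ns_fetches=None,
                       address_families=("A", "AAAA")):
    """Queries a resolver sends to learn the addresses of glueless NS names.

    One query per name per address family. max_ns_fetches (assumed
    mitigation) bounds how many glueless names the resolver will chase
    for a single referral; None models an unpatched resolver.
    """
    glueless = [n for n in delegation.ns_names if n not in delegation.glue]
    if max_ns_fetches is not None:
        glueless = glueless[:max_ns_fetches]
    return [(name, rrtype) for name in glueless for rrtype in address_families]


def amplification(delegation, **kwargs):
    """Queries reaching the victim per single referral received."""
    return len(resolver_followups(delegation, **kwargs))


if __name__ == "__main__":
    referral = make_delegation("example.com.", 100, "victim.example.", glueless=True)
    print("unpatched resolver:", amplification(referral))               # 200
    print("capped to 4 NS fetches:", amplification(referral, max_ns_fetches=4))  # 8
    glued = make_delegation("example.com.", 100, "victim.example.", glueless=False)
    print("referral with glue:", amplification(glued))                  # 0
```

The point the numbers make: with glue present the resolver sends nothing extra, and with a fetch cap the amplification is bounded by the cap rather than by however many fake names an attacker packs into one referral.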
[1] https://en.blog.nic.cz/2020/05/19/nxnsattack-upgrade-resolvers-to-stop-new-kind-of-random-subdomain-attack/
[2] http://www.nxnsattack.com/
[3] http://www.nxnsattack.com/dns-ns-paper.pdf