Israeli cybersecurity researchers shared the details of NXNSAttack, which impacts recursive DNS servers and the process of DNS delegation. Several of the companies in charge of the internet infrastructure, including Cloudflare, Google, Amazon, Microsoft, Oracle-owned Dyn, Verisign, and IBM Quad9, have released patches to fix this bug.
The method of the new NXNSAttack
According to the researchers, controlling and acquiring a huge number of clients and a large number of authoritative name servers is easy and cheap for an attacker in practice. Their initial goal was to investigate the efficiency of recursive resolvers and their behavior under different attacks, and they ended up finding a new, serious-looking vulnerability, the NXNSAttack.
The researchers explained in their paper:
“We show that the number of DNS messages exchanged in a typical resolution process might be much higher in practice than what is expected in theory, mainly due to a proactive resolution of name-servers’ IP addresses. We show how this inefficiency becomes a bottleneck and might be used to mount a devastating attack against either or both, recursive resolvers and authoritative servers.”
Attackers send a request for an attacker-controlled domain to a vulnerable recursive DNS resolver. Because the recursive resolver is not authoritative for that domain, it forwards the query to the attacker's malicious authoritative DNS server.
The malicious DNS server replies to the recursive resolver with a message that amounts to "I'm delegating this DNS resolving operation to this large list of name servers." The recursive resolver then tries to resolve every nonexistent name server on that list, generating a massive surge of queries toward the victim site. Network administrators who run their own DNS servers are advised to update their DNS resolver software to the latest version.
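To make the amplification concrete, the following toy model is an added illustration (not code from the researchers or from any resolver vendor) of the one resolver behaviour the article describes: on receiving a referral to a list of name-server names without glue records, an unpatched resolver issues one extra address lookup per name, so a referral naming N servers under the victim's domain turns one client query into N queries against the victim. The domain names, the referral contents and the fan-out cap of 5 are all constructed assumptions for this example, not real vendor defaults.

```python
"""Toy model of the NXNSAttack amplification and of a fan-out cap.

Added illustration, not code from the researchers or from any DNS vendor.
It models only the step the article describes: a recursive resolver gets a
delegation to many NS names without glue and proactively resolves each one.
Domain names, referral sizes and the cap value are constructed for this demo.
"""
from dataclasses import dataclass, field


@dataclass
class Referral:
    """A delegation response: `zone` is served by `ns_names`; `glue` holds any
    NS name -> IP pairs the response already carried (none in the attack case)."""
    zone: str
    ns_names: list
    glue: dict = field(default_factory=dict)


@dataclass
class QueryLog:
    """Records the outgoing queries a resolver would emit while resolving."""
    sent: list = field(default_factory=list)

    def count_to(self, zone_suffix):
        """How many emitted queries target names under `zone_suffix`."""
        return sum(1 for name in self.sent if name.endswith(zone_suffix))


def resolve_unpatched(referral, log):
    """Pre-patch behaviour: eagerly look up the address of every glue-less
    NS name in the referral, with no bound on how many are chased."""
    log.sent.append(referral.zone)  # the query that triggered the referral
    for ns in referral.ns_names:
        if ns in referral.glue:
            continue  # address already known, nothing to fetch
        log.sent.append(ns)  # one address lookup per glue-less NS name
    return len(log.sent)


def resolve_with_fanout_cap(referral, log, max_fetch=5):
    """Mitigated behaviour: bound the number of glue-less NS names chased per
    referral. The cap of 5 is a constructed value for this illustration."""
    log.sent.append(referral.zone)
    fetched = 0
    for ns in referral.ns_names:
        if ns in referral.glue:
            continue
        if fetched >= max_fetch:
            break  # stop chasing; remaining NS names are not resolved now
        log.sent.append(ns)
        fetched += 1
    return len(log.sent)


def amplification(n_ns, victim_zone="victim.example", max_fetch=None):
    """Queries sent toward `victim_zone` per single client query, for a
    referral that names `n_ns` nonexistent servers under the victim's zone.
    `max_fetch=None` selects the unpatched resolver model."""
    referral = Referral(
        zone="attacker.example",  # constructed, attacker-controlled zone
        ns_names=[f"fake{i}.{victim_zone}" for i in range(n_ns)],
    )
    log = QueryLog()
    if max_fetch is None:
        resolve_unpatched(referral, log)
    else:
        resolve_with_fanout_cap(referral, log, max_fetch)
    return log.count_to(victim_zone)


if __name__ == "__main__":
    for n in (10, 100, 1000):
        print(f"{n} NS names: unpatched -> {amplification(n)} queries to victim, "
              f"capped -> {amplification(n, max_fetch=5)}")
```

Running the block prints the per-query fan-out for referrals of 10, 100 and 1000 name-server names; the unpatched model emits one query to the victim per listed name, while the capped model never exceeds the cap regardless of list size. Real resolver patches differ in detail (some also rate-limit or defer these lookups), but bounding the fan-out per referral is the common idea, and it is why the vendor updates the article mentions matter for anyone running their own resolver.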