Researchers warn of unfixable DNS denial of service NXNSAttack

Israeli security researchers have discovered an unfixable vulnerability in one of the fundamentals of the worldwide domain name system (DNS) that can be abused to launch potentially overwhelming denial of service attacks.

Lior Shafir and Yehuda Afek, both of Tel Aviv University and Anat Bremler-Barr of the Herzliya Interdisciplinary Centre published their findings on the DNS vulnerabilty, which they called NXNSAttack after disclosing it to vendors to give them time to develop patches.

The NXNSAttack takes advantage of a weakness in the so-called glueless delegation in the DNS, in which queries return names of servers that are authoritative for a domain, but not their internet protocol addresses.

An attacker with a malicious DNS server can respond with a delegation that contains fake, random authoritative server names.

These server names are set to point to a victim domain, which forces the resolver to generate further queries that are sent to the target DNS server which is unable to resolve them.

This is how standards-compliant DNS servers should operate, but the consequences of NXNSAttack can be denial of service floods with a very high packet amplification factor of up to 1621 times.

Open source and proprietary DNS servers that currently serve the global internet infrastructure are affected and need patching.

This includes DNS resolvers such as the Internet Software Consortium's BIND, and also proprietary ones used by cloud and web services providers such as Google, Microsoft, Amazon Web Services, and Cloudflare which have now received patches.

However, the patches do not fix the vulnerability, and only provide mitigation against NXNSAttack by adding limits on the amount of retries for name service resolution.

"Unfortunately NXNSAttack abuses the very basic principle of DNS protocol, which practically means there is no fix, only mitigation," Petr Špaček of the Czech Republic domain name administrator who collaborated with the Israeli researchers wrote.

Špaček noted that while on the surface mitigation techniques such as limiting the number of names resolved while processing single delegations appear simple to implement, they could break resolution for some domains.

Adding arbitrary limits on resolution retries could cause problems for the esitimated four per cent of second-level domains that have issues with their delegation from top-level domains (TLDs) such as .com and .net.

"In [the] upcoming days we will see how successful vendors were in determining their magic numbers and if they get away without breaking any major domains," Špaček said.