
NXNSAttack: upgrade resolvers to stop new kind of random subdomain attack

CZ.NIC staff member Petr Špaček has a blog post describing a newly disclosed DNS resolver vulnerability called NXNSAttack. It allows attackers to abuse the delegation mechanism to create a denial-of-service condition via packet amplification. "This is so-called glueless delegation, i.e. a delegation which contains only names of authoritative DNS servers (a.iana-servers.net. and b.iana-servers.net.), but does not contain their IP addresses. Obviously a DNS resolver cannot send a query to a “name”, so the resolver first needs to obtain the IPv4 or IPv6 address of the authoritative server 'a.iana-servers.net.' or 'b.iana-servers.net.' and only then can it continue resolving the original query 'example.com. A'. This glueless delegation is the basic principle of the NXNSAttack: the attacker simply sends back a delegation with fake (random) server names pointing to the victim's DNS domain, thus forcing the resolver to generate queries towards the victim's DNS servers (in a futile attempt to resolve fake authoritative server names)." At this time, Ubuntu has updated its BIND package to mitigate the problem; other distributions will no doubt follow soon. More details can also be found in the paper [PDF].
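The amplification described above comes purely from counting: every glueless nameserver name in one attacker-controlled delegation costs the resolver an address lookup (A and AAAA) that lands on the victim's servers. The following toy model, added here as an example and not code from the article, the CZ.NIC blog post, or any resolver implementation, counts those lookups for an unbounded resolver and for one that caps the number of glueless names it will chase per delegation. The cap (`max_fetch`) is an assumed simplification of the kind of limit resolver vendors shipped; the zone names, the two-queries-per-name cost, and the delegation objects are all constructed for the model.

```python
"""Toy counting model of NXNSAttack amplification and of a per-delegation fetch cap.

Added example, not from the original page or any resolver's code. No network
traffic is generated; the model only counts the queries a resolver *would* send.
"""
from dataclasses import dataclass, field
import random


@dataclass
class Delegation:
    """A referral: the zone being delegated and the nameserver names returned.

    'glue' maps a nameserver name to an address. A glueless delegation (the
    NXNSAttack case) has an empty glue map.
    """
    zone: str
    ns_names: list
    glue: dict = field(default_factory=dict)


@dataclass
class VictimCounter:
    """Counts address queries that arrive at the victim's authoritative servers."""
    queries: int = 0


def fake_delegation(victim_zone, n, rng):
    """Constructed attacker referral: n random nameserver names under the
    victim's zone, no glue. 'victim_zone' and the 'ns-<random>' labels are
    made up for the model."""
    names = ["ns-%d.%s" % (rng.randrange(10 ** 9), victim_zone) for _ in range(n)]
    return Delegation(zone="attacker.example.", ns_names=names)


def resolve_delegation(deleg, victim, max_fetch=None):
    """Return how many address lookups the resolver issues for one referral.

    max_fetch=None models an unbounded resolver that tries every glueless
    name; an integer models a resolver that stops after that many glueless
    names (assumed shape of the mitigation).
    """
    sent = 0
    glueless_tried = 0
    for name in deleg.ns_names:
        if name in deleg.glue:
            continue  # glue address present: no extra query is needed
        if max_fetch is not None and glueless_tried >= max_fetch:
            break  # capped resolver gives up on the remaining fake names
        glueless_tried += 1
        # One A and one AAAA query per name, both aimed at the victim's servers.
        victim.queries += 2
        sent += 2
    return sent


def amplification(n_ns, attacker_queries, max_fetch=None, seed=0):
    """Victim queries per attacker query for a given fake-NS count and cap."""
    rng = random.Random(seed)
    victim = VictimCounter()
    for _ in range(attacker_queries):
        deleg = fake_delegation("victim.example.", n_ns, rng)
        resolve_delegation(deleg, victim, max_fetch)
    return victim.queries / attacker_queries


if __name__ == "__main__":
    for cap in (None, 5, 1):
        print("fake NS names: 100, cap: %s -> amplification x%.0f"
              % (cap, amplification(100, 10, max_fetch=cap)))
```

With 100 fake names per referral the unbounded resolver sends 200 queries to the victim for each attacker query, while a resolver that stops after a handful of glueless names keeps the ratio small; a referral that carries glue costs the victim nothing at all, which is why the attack depends on the delegation being glueless.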


NXNSAttack: upgrade resolvers to stop new kind of random subdomain attack

Posted May 20, 2020 7:00 UTC (Wed) by bangert (subscriber, #28342) [Link] (5 responses)

Have attacks using this vulnerability been seen in the wild? It sounds like a novel approach.

If this is the case, can we assume that the risk of an attack is deemed to be low, since they chose to publicize this before popular DNS implementations (like Google, Quad9, Cloudflare and ICANN) had fixes in place?

If the risk is low, then what's all the fuss about?

Good to see that some of the more complex/contentious parts of DNSSEC now seem to pay off.

NXNSAttack: upgrade resolvers to stop new kind of random subdomain attack

Posted May 20, 2020 10:22 UTC (Wed) by pspacek (subscriber, #96790) [Link] (4 responses)

Researchers followed responsible disclosure protocol and allowed vendors to implement and release mitigation before making the attack public. Now it is up to operators to upgrade.

NXNSAttack: upgrade resolvers to stop new kind of random subdomain attack

Posted May 21, 2020 3:38 UTC (Thu) by pabs (subscriber, #43278) [Link] (3 responses)

I guess bangert's point is that responsible disclosure should now also include waiting for large global monopolies to roll out the updates, since they are similar to just another vendor.

NXNSAttack: upgrade resolvers to stop new kind of random subdomain attack

Posted May 21, 2020 8:16 UTC (Thu) by pspacek (subscriber, #96790) [Link] (2 responses)

I'm not sure how we got to the idea that they did not upgrade yet... Please elaborate and ideally suggest how to improve the message directly to the researchers. Their e-mails are in the paper - https://cyber-security-group.cs.tau.ac.il/dns-ns-paper.pdf.

NXNSAttack: upgrade resolvers to stop new kind of random subdomain attack

Posted May 21, 2020 8:26 UTC (Thu) by pabs (subscriber, #43278) [Link] (1 response)

I guess because the vuln website doesn't mention the status for DNS providers, just for DNS server software.

NXNSAttack: upgrade resolvers to stop new kind of random subdomain attack

Posted May 22, 2020 6:36 UTC (Fri) by pspacek (subscriber, #96790) [Link]

I see. The web page https://cyber-security-group.cs.tau.ac.il/ now explicitly mentions that public resolvers got their fixes deployed.


Copyright © 2020, Eklektix, Inc.