A new vulnerability on DNS has been published today, called NXNSAttack.
Hopefully the patches for most vendors are already available. EfficientIP servers with DNS Guardian solution and incorporated “rescue mode” are already protected from the impact.
The vulnerability is very well documented by Lior Shafir, Yehuda Afek and Anat Bremler-Barr in this paper – http://www.nxnsattack.com/shafir2020-nxnsattack-paper.pdf
The opening abstract from the article is as follows:
ABSTRACT
The Domain Name System (DNS) infrastructure, a most critical system the Internet depends on, has re- cently been the target for different DDoS and other cyber-attacks, e.g., the notorious Mirai botnet.
While these attacks can be destructive to both recursive and authoritative DNS servers, little is known about how recursive resolvers operate under such attacks (e.g., NX- Domain, water-torture).
In this paper, we point out a new vulnerability and show an attack, the NXNSAttack, that exploits the way DNS recursive resolvers operate when receiving NS referral response that contains name- servers but without their corresponding IP addresses (i.e., missing glue-records).
We show that the number of DNS messages exchanged in a typical resolution process might be much higher in practice than what is expected in the- ory, mainly due to a proactive resolution of name-servers’ IP addresses.
We show how this inefficiency becomes a bottleneck and might be used to mount a devastating attack against either or both, recursive resolvers and authoritative servers.
The NXNSAttack is more effective than the NXDomain attack: i) It reaches an amplifica- tion factor of more than 1620x on the number of packets exchanged by the recursive resolver. ii) Besides the neg- ative cache, the attack also saturates the ‘NS’ resolver caches.
In an attempt to mitigate the attack impact, we propose enhancements to the recursive resolvers algo- rithm to prevent unnecessary proactive fetches.
Finally, we implement our Max1Fetch enhancement on the BIND resolver and show that Max1Fetch does not degrade the recursive resolvers performance, throughput and latency, by testing it on real-world traffic data-sets.
