[technology taskforce] NXNSAttack - vulnerability that exploits the way DNS recursive resolvers operate

Dev Anand Teelucksingh devtee at gmail.com
Thu May 21 11:03:33 UTC 2020

"The NXNSAttack is a new vulnerability that exploits the way DNS recursive
resolvers operate when receiving NS referral response that contains
nameservers but without their corresponding IP addresses (i.e., missing
glue-records). The number of DNS messages exchanged in a typical resolution
process might be much higher in practice than what is expected in theory,
mainly due to a proactive resolution of name-servers’ IP addresses. This
inefficiency becomes a bottleneck and might be used to mount a devastating
attack against either or both, recursive resolvers and authoritative
servers. The NXNSAttack is more effective than the NXDomain attack: i) It
reaches an amplification factor of more than 1620x on the number of packets
exchanged by the recursive resolver. ii) Besides the negative cache, the
attack also saturates the 'NS' resolver caches.

A responsible coordinated disclosure procedure has been performed following
the discovery of the NXNSAttack described in the paper below. Several DNS
software vendors and service providers have adopted measures to protect
against the destructive measures of the NXNSAttack."
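As an added illustration of the behaviour the quoted abstract describes (not code from the post or from the NXNSAttack paper), the following Python model counts how many outbound queries a resolver issues for one referral whose NS names lack glue and how such referrals fill the NS cache, with and without a per-referral cap on nameserver address fetches; the cap, the cache size, the logging thresholds and the sample names are assumptions.

```python
"""Toy model of a recursive resolver handling NS referrals that lack glue.
Added example, not code from the post or the paper. It sends no DNS traffic; it
counts queries one referral triggers, tracks NS-cache fill, and shows how a
per-referral cap on NS address fetches (an assumed knob) bounds both."""
from collections import OrderedDict
from dataclasses import dataclass, field

@dataclass
class Referral:
    """NS referral: nameserver names plus the subset carrying glue A records."""
    ns_names: list
    glue: dict = field(default_factory=dict)  # name -> IPv4 (constructed values)

class ResolverModel:
    def __init__(self, max_ns_fetches=None, ns_cache_size=64):
        self.max_ns_fetches = max_ns_fetches  # None: resolve every glueless NS name
        self.ns_cache = OrderedDict()         # LRU of nameserver names seen in referrals
        self.ns_cache_size = ns_cache_size
        self.queries_sent = 0

    def _cache_ns(self, name):
        self.ns_cache[name] = True
        self.ns_cache.move_to_end(name)
        if len(self.ns_cache) > self.ns_cache_size:
            self.ns_cache.popitem(last=False)  # evict least recently used entry

    def follow_referral(self, referral):
        """Return the number of outbound queries this one referral causes."""
        glueless = [n for n in referral.ns_names if n not in referral.glue]
        cap = self.max_ns_fetches
        fetches = len(glueless) if cap is None else min(len(glueless), cap)
        for name in referral.ns_names:
            self._cache_ns(name)
        sent = 1 + fetches  # one query onward plus one A lookup per fetched NS name
        self.queries_sent += sent
        return sent

def glueless_ratio(referral):
    """Share of NS names in the referral that arrive without glue (0.0 to 1.0)."""
    n = len(referral.ns_names)
    return 0.0 if n == 0 else sum(x not in referral.glue for x in referral.ns_names) / n

def is_suspicious(referral, min_ns=10, min_glueless_ratio=0.9):
    """Logging heuristic (assumed thresholds): large, almost entirely glueless referrals."""
    return len(referral.ns_names) >= min_ns and glueless_ratio(referral) >= min_glueless_ratio

# Constructed sample data: a normal referral with glue and an oversized glueless one.
NORMAL = Referral(["ns1.example.test.", "ns2.example.test."],
                  {"ns1.example.test.": "192.0.2.1", "ns2.example.test.": "192.0.2.2"})
GLUELESS = Referral([f"ns{i}.unrelated.test." for i in range(100)])
```

Running the uncapped model over GLUELESS shows one client-facing referral turning into 101 outbound queries and pushing the two legitimate nameserver names out of a 64-entry NS cache, while a cap of 5 fetches keeps it at 6 queries.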
