Urgently patch your publicly available, recursive DNS server
Luckily few people need to run one. Right? Right??
A new vulnerability has been found in the design of the world's domain-name system that potentially can be exploited to flood websites off the internet. Dubbed NXNSAttack, the flaw [PDF] can be abused to pull off a classic amplification attack: you send a small amount of specially crafted data to a DNS server, which responds …
Authoritative isn't the issue. Recursion is.
It's a recursive DNS server that's vulnerable, because it can be used to cause problems for other authoritative DNS servers (by generating multiple queries to resolve the one it received).
Best practice says that authoritative servers should be configured to only respond for their domains, and not to resolve other domains at all. Like that, they can't be used to propagate this attack.
You're missing the point of the attack. The resolver at badguy.com is "misconfigured" on purpose--that is the attack.
The issue is that a recursive resolve typically resolves all of the name servers listed in a response in preparation for load balancing. The fix is to only resolve one per query.
"You're missing the point of the attack."
No, I'm not. The point of the attack is to persuade one innocent DNS server to overload another innocent DNS server, thereby creating two victims, one of whom is misled into thinking the other is a culprit.
"The resolver at badguy.com is "misconfigured" on purpose--that is the attack."
I'm not talking about what the bad actor is doing at all. I'm talking about what the good actors can do.
>> The attacker uses the authoritative that it owns to craft a response to a resolver with a referral that contains n new and non-existent name-server names ..., gets a DDoS attack on either the resolver or on a corresponding authoritative server, with an amplification factor of O(F) packets ... .
Sounds like a Cunning Plan.
> I sense a new El Reg unit of severity coming.
A scale from 1 to 5 like the you-know-what scale:
Level 1 - Safe. No need to worry. Feel free to worry more about rogue apostrohe's and double spaces after full-stops.
... through to ...
Level 5 - Critical. So severe, even Apple will respond to enquiries from El Reg
Level 5 is theoretically possible *but* has not been seen yet !!!
Rather like the ability to 'find' some theoretical elements, in chemistry, was dependant on technology improving to the point that very small amounts could be detected in very 'specific' conditions, which conventional techniques could not work in.
Biting the hand that feeds IT © 1998–2021