By registering a sufficient number of recursive DNS servers and exploiting the TsuNAME vulnerability, DDoS attacks can be launched against authoritative DNS servers.
A team of researchers reported vulnerabilities in the DNS ecosystem, allowing amplification of traffic that is directed to authoritative DNS servers, therefore making possible DDoS attacks against those servers.The vulnerability, dubbed tsuNAME, was discovered when New Zealand and Dutch national domain registrars (.nz and .nl) detected anomalies in DNS traffic passing through their authoritative servers.
The Internet Domain Name System (DNS) is one of the main services on the Internet. Each visit to a web page requires a series of DNS queries, and major DNS failures can have cascading consequences, leading to the unavailability of essential websites and services.
In order to understand how the vulnerability works, it is necessary to know the difference between an authoritative and recursive DNS server. Currently, most servers on the Web are recursive – they forward DNS queries from users to authoritative DNS servers that act as a kind of phone book and return DNS responses for specific domain names. Under normal circumstances, millions of recursive DNS servers send billions of DNS queries to authoritative DNS servers every day.
Authoritative DNS servers are typically run by large companies and organizations like content delivery networks, tech giants, ISPs, domain registrars, and government agencies.
The researchers explained that an attacker could create malicious DNS queries that exploit vulnerabilities in the recursive DNS server software in order to send malicious queries to authoritative DNS servers in a continuous loop.
If an attacker registers a sufficient number of recursive DNS servers, they can carry out fairly powerful DDoS attacks against authoritative DNS servers.
Let me remind you that we also talked about: The attackers changed the DNS settings for 180,000 routers.