DOI: 10.1145/3487552.3487824
Research article, Public Access

TsuNAME: exploiting misconfiguration and vulnerability to DDoS DNS

Published: 02 November 2021

Abstract

    The Internet's Domain Name System (DNS) is a part of every web request and e-mail exchange, so DNS failures can be catastrophic, taking out major websites and services. This paper identifies TsuNAME, a vulnerability where some recursive resolvers can greatly amplify queries, potentially resulting in a denial-of-service to DNS services. TsuNAME is caused by cyclical dependencies in DNS records. A recursive resolver repeatedly follows these cycles; this, coupled with insufficient caching and application-level retries, greatly amplifies an initial query, stressing authoritative servers. Although issues with cyclic dependencies are not new, the scale of amplification has not previously been understood. We document real-world events in .nz (a country-level domain), where two misconfigured domains resulted in a 50% increase in overall traffic. We reproduce and document root causes of this event through experiments, and demonstrate a 500× amplification factor. In response to our disclosure, several DNS software vendors have documented their mitigations, including Google Public DNS and Cisco OpenDNS. For operators of authoritative DNS services we have developed and released CycleHunter, an open-source tool that detects cyclic dependencies and prevents attacks. We use CycleHunter to evaluate roughly 184 million domain names in 7 large top-level domains (TLDs), finding 44 cyclic dependent NS records used by 1.4k domain names. The TsuNAME vulnerability is weaponizable, since an adversary can easily create cycles to attack the infrastructure of a parent domain. Documenting this threat and its solutions is an important step toward ensuring it is fully addressed.

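The abstract describes CycleHunter as a scan of zone-file NS records for cyclic dependencies. The following is an added example, not the paper's or CycleHunter's code, showing the core defensive check a TLD operator can run over extracted NS records: build a graph of which delegated zone each nameserver name lives under, and flag a domain as cyclic when every resolution path from it stays inside a loop with no glued in-bailiwick or external nameserver to exit through. The domain names, the reserved `.example` TLD and the glue set are constructed; the single-label-TLD assumption in `registrable` is mine, and a real deployment would use a public-suffix list for multi-label suffixes such as `.co.nz`.

```python
"""Cyclic NS dependency check over a set of delegations (added example, not CycleHunter's code)."""
from collections import defaultdict

# Constructed sample: delegated domain -> NS hostnames, as extracted from a zone file.
SAMPLE_NS = {
    "alpha.example": ["ns1.beta.example", "ns2.beta.example"],   # all NS live under beta
    "beta.example": ["ns1.alpha.example"],                        # all NS live under alpha
    "gamma.example": ["ns1.gamma.example", "ns2.gamma.example"],  # in-bailiwick, glued
    "delta.example": ["ns1.alpha.example", "ns1.external.test"],  # touches the cycle, has an exit
    "epsilon.example": ["ns1.epsilon.example"],                   # in-bailiwick, no glue
}
# Constructed: NS hostnames that have A/AAAA glue in the parent zone.
SAMPLE_GLUE = {"ns1.gamma.example", "ns2.gamma.example"}


def registrable(name, tld_labels=1):
    """Zone an NS hostname lives under: the last tld_labels+1 labels.
    Assumes single-label TLDs; multi-label suffixes need a public-suffix list."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-(tld_labels + 1):])


def build_dependency_graph(delegations, glue):
    """Edge d -> z when an NS of d lives in delegated zone z != d.
    has_exit[d] is True when d has an NS that resolves without following an edge:
    an in-bailiwick name with glue, or a name under a zone outside this dataset."""
    delegations = {d.rstrip(".").lower(): v for d, v in delegations.items()}
    glue = {g.rstrip(".").lower() for g in glue}
    graph = defaultdict(set)
    has_exit = {}
    for domain, nameservers in delegations.items():
        graph[domain]  # make sure every delegated domain is a node
        has_exit[domain] = False
        for ns in nameservers:
            ns = ns.rstrip(".").lower()
            zone = registrable(ns)
            if zone == domain:
                has_exit[domain] |= ns in glue  # glued in-bailiwick NS resolves directly
            elif zone not in delegations:
                has_exit[domain] = True         # outside our zone: assumed resolvable
            else:
                graph[domain].add(zone)
    return graph, has_exit


def closure(graph, start):
    """All delegated zones reachable from start by following NS dependencies."""
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        if node not in seen:
            seen.add(node)
            stack.extend(graph[node])
    return seen


def has_cycle(graph, nodes):
    """Iterative DFS restricted to `nodes`; True if a back edge (cycle) exists."""
    WHITE, GREY, BLACK = 0, 1, 2
    color = {n: WHITE for n in nodes}
    for root in nodes:
        if color[root] != WHITE:
            continue
        color[root] = GREY
        stack = [(root, iter(graph[root]))]
        while stack:
            node, it = stack[-1]
            for nxt in it:
                if nxt not in color:
                    continue
                if color[nxt] == GREY:
                    return True
                if color[nxt] == WHITE:
                    color[nxt] = GREY
                    stack.append((nxt, iter(graph[nxt])))
                    break
            else:
                color[node] = BLACK
                stack.pop()
    return False


def classify(delegations, glue):
    """Per domain: 'ok' (some NS path resolves), 'cyclic' (no exit, dependencies loop),
    or 'lame' (no exit and no loop, e.g. in-bailiwick NS without glue)."""
    graph, has_exit = build_dependency_graph(delegations, glue)
    result = {}
    for domain in list(graph):
        reach = closure(graph, domain)
        if any(has_exit[z] for z in reach):
            result[domain] = "ok"
        elif has_cycle(graph, reach):
            result[domain] = "cyclic"
        else:
            result[domain] = "lame"
    return result


def cyclic_domains(delegations, glue):
    """Sorted list of domains whose resolution is trapped in a cycle."""
    return sorted(d for d, state in classify(delegations, glue).items() if state == "cyclic")


if __name__ == "__main__":
    for domain, state in sorted(classify(SAMPLE_NS, SAMPLE_GLUE).items()):
        print(f"{domain:20s} {state}")
```

Domains reported as `cyclic` are the ones a resolver can only resolve by following NS records that point back into the loop, which is the condition the abstract describes; `delta.example` touches the same cycle but is classified `ok` because one of its nameservers can be reached without it. Both categories are worth a registry's attention, since a resolver may still walk the loop before it reaches the exit.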

    Published In

    IMC '21: Proceedings of the 21st ACM Internet Measurement Conference
    November 2021
    768 pages
    ISBN:9781450391290
    DOI:10.1145/3487552

In-Cooperation: USENIX Assoc

Publisher: Association for Computing Machinery, New York, NY, United States

Conference: IMC '21, ACM Internet Measurement Conference, November 2 - 4, 2021, Virtual Event

Overall acceptance rate: 277 of 1,083 submissions (26%)

Cited By

    • (2023) NRDelegationAttack. Proceedings of the 32nd USENIX Conference on Security Symposium, 3187-3204. 10.5555/3620237.3620416. Online publication date: 9-Aug-2023
    • (2023) Vulnerability Disclosure Considered Stressful. ACM SIGCOMM Computer Communication Review 53:2, 2-10. 10.1145/3610381.3610383. Online publication date: 19-Jul-2023
    • (2023) A Formal Framework for End-to-End DNS Resolution. Proceedings of the ACM SIGCOMM 2023 Conference, 932-949. 10.1145/3603269.3604870. Online publication date: 10-Sep-2023
    • (2023) TsuKing: Coordinating DNS Resolvers and Queries into Potent DoS Amplifiers. Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, 311-325. 10.1145/3576915.3616668. Online publication date: 15-Nov-2023
    • (2022) Routing Loops as Mega Amplifiers for DNS-Based DDoS Attacks. Passive and Active Measurement, 629-644. 10.1007/978-3-030-98785-5_28. Online publication date: 28-Mar-2022
