What’s so bad about the NXNSAttack DNS Amplification Attack?
How did NXNSAttack Against DNS Services get Noticed?
In May 2020, the NXNSAttack was disclosed as a new DDoS technique against DNS servers by security researchers at Tel Aviv University and the Interdisciplinary Center Herzliya. The NXNSAttack exploits a weakness in how recursive DNS resolvers handle NS referral responses and turns those resolvers into amplifiers against authoritative DNS servers (and against other recursive resolvers), with a packet amplification factor of up to 1,620 times the original resolution request according to the researchers. An amplification factor that high should concern every DNS infrastructure owner and DNS server manager.
How does NXNSAttack Impact DNS Services?
In a typical recursive DNS name resolution, the authoritative DNS server answering a query either returns the records for the queried hostname (for example its IP address) to the recursive DNS resolver, or returns an NS referral response that delegates the name resolution to another set of DNS servers. When it receives the answer, the recursive DNS resolver passes the resolved IP address back to the client and the name resolution is complete. When it receives an NS referral, the recursive DNS resolver follows the delegation and sends the original DNS query to one of the delegated DNS servers. However, an NS referral does not always carry the IP addresses of the delegated DNS servers (the glue records): glue is normally only present when the delegated DNS server's name lies inside the delegated zone, and a name server named under some other domain is legitimately referred to by name only. To learn the IP address of such a delegated DNS server, the recursive DNS resolver has to start an additional name resolution (an A and an AAAA query for the server's name) before it can complete the original one. A resolver therefore cannot simply reject glueless referrals, and this is the behavior the attack abuses.
As detailed in the NXNSAttack paper issued by the research team, the vulnerability occurs when the NS referral response carries a long list of delegated DNS servers but no glue records. A vulnerable recursive DNS resolver tries to resolve all of those server names at once, issuing an A and an AAAA query for each of them, so one incoming query fans out into hundreds or thousands of outgoing queries; that fan-out is what makes this an amplification DDoS attack. To exploit the vulnerability, the attacker sets up an authoritative DNS server for a domain they control and configures it to answer any query with a long list of delegated DNS servers and no glue. If the attacker wants to victimize a specific domain, the delegated server names are all non-existent subdomains of that domain, so every address lookup lands on the victim's authoritative DNS servers, which can only answer NXDOMAIN (hence the name NXNSAttack); if the attacker wants to load the DNS infrastructure more broadly, the list can point at arbitrary DNS servers. The attacker then initiates the NXNSAttack by instructing a small number of bots to send DNS queries for names under the attacker-controlled domain to open or ISP recursive resolvers, and the victim DNS service receives hundreds or thousands of times more queries than the bots sent.
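The following simulation is an added example written for this post; it is not code from the original post or from the NXNSAttack paper. It models a simplified recursive resolver acting on a single NS referral and counts the outbound queries that one referral causes, first with the vulnerable behavior (every glueless NS name is resolved immediately, A and AAAA each), then with a per-referral fetch cap of the kind the researchers propose as a mitigation (the cap's exact semantics are simplified here). The domain names, the referral size and the cap value are constructed for the example.

```python
"""NXNSAttack amplification simulation (added example, not the paper's code).

A recursive resolver receives an NS referral.  For every delegated server
name that lacks glue it must look up that name's address before it can
continue.  An attacker returns many glueless names, all under the victim's
zone, so every lookup lands on the victim's authoritative servers.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Query = Tuple[str, str]  # (qname, qtype), e.g. ("fake7.victim.example", "AAAA")


@dataclass
class Referral:
    """An NS referral response: the delegated zone, its NS names and any glue."""
    zone: str
    ns_names: List[str]
    glue: Dict[str, str] = field(default_factory=dict)  # NS name -> IPv4 address


def attacker_referral(victim_zone: str, count: int) -> Referral:
    """Referral returned by the attacker-controlled authoritative server:
    `count` NS names, all non-existent subdomains of the victim, no glue.
    Names are constructed for the simulation."""
    names = [f"fake{i}.{victim_zone}" for i in range(count)]
    return Referral(zone="attacker.example", ns_names=names, glue={})


def follow_referral(ref: Referral, max_fetch: Optional[int] = None) -> List[Query]:
    """Return the address lookups a resolver issues to act on `ref`.

    max_fetch=None models the vulnerable resolver: every glueless NS name is
    resolved right away, one A and one AAAA query each.  max_fetch=k models a
    per-referral cap (a simplified form of the paper's Max1Fetch/MaxFetch(k)
    idea, assumed here): at most k glueless names are looked up before the
    resolver stops and proceeds with whatever addresses it already has.
    """
    outbound: List[Query] = []
    fetched = 0
    for name in ref.ns_names:
        if name in ref.glue:
            continue  # address supplied in the referral, no extra lookup
        if max_fetch is not None and fetched >= max_fetch:
            break
        outbound.append((name, "A"))
        outbound.append((name, "AAAA"))
        fetched += 1
    return outbound


def amplification(ref: Referral, max_fetch: Optional[int] = None) -> int:
    """Queries sent toward the delegated names per one malicious client query."""
    return len(follow_referral(ref, max_fetch))


if __name__ == "__main__":
    ref = attacker_referral("victim.example", 500)
    print("vulnerable resolver:", amplification(ref))      # 1000 queries to the victim
    print("capped resolver (k=4):", amplification(ref, 4))  # 8 queries
    glued = Referral("attacker.example", ["ns1.attacker.example"],
                     {"ns1.attacker.example": "198.51.100.7"})
    print("referral with glue:", amplification(glued))      # 0 extra queries
```

Two things to notice when running it: every query in the vulnerable case goes to the victim zone even though the client asked about the attacker's domain, and a referral that carries glue causes no extra lookups at all, which is why the attacker deliberately omits it. The cap bounds the damage per referral but does not make glueless referrals disappear, so the simulation also shows why a resolver-side fix has to be a limit rather than a rejection.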
What Options do we Have to Counter NXNSAttack?
As suggested by the research team, DNS software vendors and service providers can adopt several measures to protect against the NXNSAttack and to keep their own recursive DNS servers from being used as amplifiers; the resolver vendors shipped patched releases at the time of disclosure (for BIND this was tracked as CVE-2020-8616 and for Unbound as CVE-2020-12662), so the first check for any DNS operator is to confirm that every recursive resolver runs a patched version. However, it is not safe to assume these measures alone are sufficient: the attacker only needs a few unpatched or third-party resolvers, and the victim's authoritative servers cannot control which resolvers query them. DNS infrastructure owners and DNS server managers should therefore also deploy a DDoS protection layer in front of their DNS services. As listed in the How to Defend DNS Services from All Types of DDoS Attacks blog post, the following DNS defense strategies should be considered:
- Block fake zone queries
- Limit FQDN structure
- Limit FQDN query rate
- Limit queries rate by source spoof check
- DNS Authoritative Cache
- Zero-day attack pattern recognition
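To make the "Limit FQDN structure" and "Limit FQDN query rate" items concrete, here is an added example (not code from the original post or from any A10 product) that applies both checks to a constructed DNS query log. The log format, the thresholds, the approximation of a "zone" as the last two labels, and the choice to key the rate limit on (client, zone) are all assumptions made for the example; a production deployment would use a public-suffix list and tune the limits to its own traffic.

```python
"""Per-FQDN-structure and per-zone query-rate checks over sample DNS logs.

Added example.  The log lines below are constructed; the format is
"<unix_time> <client_ip> <qname> <qtype>" (an assumption for this example).
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, NamedTuple, Set, Tuple


class QueryRecord(NamedTuple):
    ts: int
    client: str
    qname: str
    qtype: str


# Constructed sample: one normal client, one client hammering an attacker
# zone with many distinct names, and one query with an unusual label count.
SAMPLE_LOG = """\
1590000000 203.0.113.10 www.example.com A
1590000001 203.0.113.10 mail.example.com MX
1590000000 203.0.113.11 a1.attacker.example A
1590000001 203.0.113.11 a2.attacker.example A
1590000001 203.0.113.11 a3.attacker.example A
1590000002 203.0.113.11 a4.attacker.example A
1590000003 203.0.113.11 a5.attacker.example A
1590000003 203.0.113.11 a6.attacker.example A
1590000004 203.0.113.12 a.b.c.d.e.f.g.h.i.j.example.net A
"""


def parse_log(text: str) -> List[QueryRecord]:
    """Parse the assumed log format; qnames are normalized to lowercase, no trailing dot."""
    records: List[QueryRecord] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype = line.split()
        records.append(QueryRecord(int(ts), client, qname.rstrip(".").lower(), qtype))
    return records


def zone_of(qname: str, depth: int = 2) -> str:
    """Approximate the registrable zone as the last `depth` labels (assumption)."""
    return ".".join(qname.split(".")[-depth:])


def fqdn_shape_violations(records: List[QueryRecord], max_labels: int = 8,
                          max_label_len: int = 63, max_len: int = 253) -> List[str]:
    """'Limit FQDN structure': flag qnames that exceed the configured shape.
    63/253 are the protocol limits; max_labels is a policy value chosen here."""
    bad: List[str] = []
    for r in records:
        labels = r.qname.split(".")
        if (len(labels) > max_labels or len(r.qname) > max_len
                or any(len(label) > max_label_len for label in labels)):
            bad.append(r.qname)
    return bad


def rate_limit_violations(records: List[QueryRecord], limit: int = 5,
                          window: int = 10) -> Set[Tuple[str, str]]:
    """'Limit FQDN query rate': flag (client, zone) pairs that issue more than
    `limit` queries within any `window`-second sliding window."""
    seen: Dict[Tuple[str, str], Deque[int]] = defaultdict(deque)
    flagged: Set[Tuple[str, str]] = set()
    for r in sorted(records, key=lambda x: x.ts):
        key = (r.client, zone_of(r.qname))
        q = seen[key]
        while q and r.ts - q[0] >= window:  # drop timestamps outside the window
            q.popleft()
        q.append(r.ts)
        if len(q) > limit:
            flagged.add(key)
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("rate violations:", rate_limit_violations(recs))
    print("shape violations:", fqdn_shape_violations(recs))
```

Keying the rate limit on the queried zone rather than on the exact FQDN matters for this attack, because each malicious query uses a different name under the attacker's domain and a per-exact-name counter would never trip. Note the caveat, too: NXNSAttack needs only a handful of client queries per referral, so source-rate limiting catches noisy bots but not a careful attacker; the resolver-side patch is what removes the amplification itself.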
Even though NXNSAttack is a new type of DNS amplification attack, A10 Thunder® Threat Protection System (TPS) can deploy the defense strategies listed above to protect against this type of cyberattack, and against the other DDoS attacks that could bring down your DNS services. Visit the A10 DDoS protection solution page to learn more.