Cryptology ePrint Archive: Report 2020/722

NXNSAttack: Recursive DNS Inefficiencies and Vulnerabilities

Yehuda Afek and Anat Bremler-Barr and Lior Shafir

Abstract: This paper exposes a new vulnerability and introduces a corresponding attack, the NoneXistent Name Server Attack (NXNSAttack), that disrupts and may paralyze the DNS system, making it difficult or impossible for Internet users to access websites, web e-mail, online video chats, or any other online resource. The NXNSAttack generates a storm of packets between DNS resolvers and DNS authoritative name servers. The storm is produced by the response of resolvers to unrestricted referral response messages of authoritative name servers. The attack is significantly more destructive than NXDomain attacks (e.g., the Mirai attack): i) It reaches an amplification factor of more than 1620x on the number of packets exchanged by the recursive resolver. ii) In addition to the negative cache, the attack also saturates the ‘NS’ resolver caches. To mitigate the attack impact, we propose an enhancement to the recursive resolver algorithm, MaxFetch(k), that prevents unnecessary proactive fetches. We implemented the MaxFetch(1) mitigation enhancement on a BIND resolver and tested it on real-world DNS query datasets. Our results show that MaxFetch(1) degrades neither the recursive resolver throughput nor its latency. Following the discovery of the attack, a responsible disclosure procedure was carried out, and several DNS vendors and public providers have issued a CVE and patched their systems.
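The following toy simulation, added here and not code from the paper or from BIND, models how a resolver handles one referral whose NS hostnames carry no glue addresses, and compares the unrestricted behaviour with the MaxFetch(k) restriction named in the abstract. All names and addresses are constructed, and the batching semantics of MaxFetch(k) (fetch k names per round, fetch the next k only if none produced an address) are an assumption used for the model rather than the paper's exact algorithm.

```python
from typing import Dict, List, Optional, Tuple

# Constructed authoritative data for the simulation (not real names or addresses).
# The referral lists many name-server hostnames that carry no glue addresses,
# so each one must be resolved with its own outbound query. None marks a
# hostname whose lookup returns NXDOMAIN.
ADDRESS_OF: Dict[str, Optional[str]] = {f"ns{i}.glueless.example": None for i in range(1000)}
ADDRESS_OF["real.glueless.example"] = "192.0.2.53"     # constructed TEST-NET address
ALL_FAKE: List[str] = [n for n in ADDRESS_OF if n != "real.glueless.example"]
MOSTLY_FAKE: List[str] = ALL_FAKE[:2] + ["real.glueless.example"] + ALL_FAKE[2:]


def handle_referral(ns_names: List[str], max_fetch: Optional[int]) -> Tuple[int, int, Optional[str]]:
    """Model how a resolver resolves the NS hostnames listed in one referral.

    Returns (queries_sent, largest_burst, address_found).
    max_fetch=None is the unrestricted behaviour: every NS hostname in the
    referral is fetched proactively, in one burst. max_fetch=k is the
    MaxFetch(k) assumption used here: fetch k names per round and fetch the
    next k only if none of those produced a usable address.
    """
    batch = len(ns_names) if max_fetch is None else max_fetch
    queries, largest_burst = 0, 0
    for start in range(0, len(ns_names), batch):
        round_names = ns_names[start:start + batch]
        queries += len(round_names)            # one outbound query per NS hostname
        largest_burst = max(largest_burst, len(round_names))
        for name in round_names:
            if ADDRESS_OF.get(name) is not None:
                return queries, largest_burst, ADDRESS_OF[name]
    return queries, largest_burst, None        # every NS hostname was nonexistent


def amplification(ns_names: List[str], max_fetch: Optional[int]) -> int:
    """Outbound queries caused by a single client query, the ratio the abstract reports."""
    return handle_referral(ns_names, max_fetch)[0]


if __name__ == "__main__":
    for label, names in (("all fake", ALL_FAKE), ("real name third", MOSTLY_FAKE)):
        for k in (None, 1, 4):
            q, burst, addr = handle_referral(names, k)
            print(f"{label:15} MaxFetch({k!s:4}) queries={q:5} burst={burst:5} found={addr}")
```

When one usable server exists, MaxFetch(1) sends three queries where the unrestricted resolver sends 1001; when every name is nonexistent, both end up sending the same total, but MaxFetch(1) spreads it one round trip at a time instead of a single burst, which is the packet storm the abstract describes.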

Category / Keywords: implementation / DNS, DDoS attack, Random attack

Original Publication (with minor differences): USENIX Security 2020

Date: received 15 Jun 2020, last revised 22 Jun 2020

Contact author: yehuda afek at gmail com


Version: 20200623:054831
