Flaws in the Delegation Process
DNS servers, the phone books of the internet may have DNS recursive servers that pass on the DNS queries to their superior servers for resolving. And these superior severs are the administrative servers that have a copy of the DNS records, and resolves it. Sometimes, as a security practice, these administrative servers can delegate the resolving process to alternative DNS systems too. And this is the point of attack for adversaries here. Academics from the Tel Aviv University of Israel explained how attackers can leverage these loopholes of the delegation process to compromise DNS servers. This starts with sending a general DNS query to a recursive DNS server. To note, the domain request made will be something that’s managed by an attacker-controlled authoritative DNS server. As the recursive DNS server isn’t authorized to resolve that domain, it will be forwarded to the attacker’s malicious authoritative DNS server for resolving. And that malicious DNS server replies as “I’m delegating this DNS resolving operation to this large list of name servers” to the recursive DNS server. This leads the recursive DNS server to forward that DNS query to all the subdomains on its list, creating a spike in traffic towards the victim’s authoritative DNS server. Upon successfully doing so, the sudden surge traffic will eventually crash the website, accepting no more resolving requests from genuine visitors.
Impacted Softwares and Patches
Patches are available from all these vendors released this week and in past. And academics urge DNS admins to update to patch as soon as possible. Via: ZDNet