InternetNZ discloses a vulnerability that can be used to carry out cyberattacks
InternetNZ is proud to disclose a vulnerability against authoritative DNS servers such as the ones run by top-level domain (TLD) operators, like .nz. This vulnerability could be exploited to carry out Denial-of-Service (DoS) attacks across the world.
The vulnerability called TsuNAME was noticed in February 2020 in the .nz registry. We worked with the global community to have it fixed to make the Internet a better place.
TsuNAME requires three things to be exploited:
- cyclic dependent NS records,
- vulnerable resolvers,
- user queries only to start/drive the process.
In February 2020, two .nz domains were unintentionally misconfigured with cyclic dependencies, which resulted in a 50% surge in DNS traffic for all .nz infrastructure.
Later, this phenomenon was studied and replicated by an international group of researchers from InternetNZ, SIDN Labs (our counterpart from the Netherlands, the organisation running .nl), and the University of Southern California Information Science Institute (USC/ISI).
Further tests showed that conditions for an attack event are easy to execute, and the consequences are serious.
“Google Public DNS was the main affected party by this vulnerability,” says InternetNZ’s Chief Scientist Sebastian Castro.
“They received a private responsible disclosure from our group in October 2020 and have repaired their code since then. We also reached out to Cisco, whose Public DNS was affected as well, and it is now fixed.”
During February 2021, the group reached out privately to the DNS and registry community, including other country code top-level domains (ccTLDs), to make them aware of the vulnerability and to be prepared.
The TsuNAME group developed a security advisory paper and an open-source detection tool called Cycle Hunter, and TLDs all around the world have been using it to detect and remove cyclic dependencies.
“This underground work of months shows our organisations’ commitment to a better Internet, where issues that can affect others are identified and fixed. Our work is not finished yet,” concludes Castro.