back to article DNS this week stands for Drowning Needed Services: Design flaw in name server system can be exploited to flood machines offline

A new vulnerability has been found in the design of the world's domain-name system that potentially can be exploited to flood websites off the internet. Dubbed NXNSAttack, the flaw [PDF] can be abused to pull off a classic amplification attack: you send a small amount of specially crafted data to a DNS server, which responds …

  1. Bronek Kozicki Silver badge
    Paris Hilton

    Urgently patch your publicly available, recursive DNS server

    Luckily few people need to run one. Right? Right??

    1. hmv Silver badge

      Re: Urgently patch your publicly available, recursive DNS server

      Er ... "publicly available /authoritative/ DNS server". Whole different beast and whilst it's relatively rare, there's still quite a few out there.

      1. Steve Foster

        Re: Urgently patch your publicly available, recursive DNS server

        Authoritative isn't the issue. Recursion is.

        It's a recursive DNS server that's vulnerable, because it can be used to cause problems for other authoritative DNS servers (by generating multiple queries to resolve the one it received).

        Best practice says that authoritative servers should be configured to only respond for their domains, and not to resolve other domains at all. Like that, they can't be used to propagate this attack.

        1. hmv Silver badge

          Re: Urgently patch your publicly available, recursive DNS server

          Yep. On closer inspection - I was distracted by the flames on the victim's authoritative servers and the imminent start of Yet Another Meeting.

        2. Claptrap314 Silver badge

          Re: Urgently patch your publicly available, recursive DNS server

          You're missing the point of the attack. The resolver at badguy.com is "misconfigured" on purpose--that is the attack.

          The issue is that a recursive resolve typically resolves all of the name servers listed in a response in preparation for load balancing. The fix is to only resolve one per query.

          1. Steve Foster

            Re: Urgently patch your publicly available, recursive DNS server

            "You're missing the point of the attack."

            No, I'm not. The point of the attack is to persuade one innocent DNS server to overload another innocent DNS server, thereby creating two victims, one of whom is misled into thinking the other is a culprit.

            "The resolver at badguy.com is "misconfigured" on purpose--that is the attack."

            I'm not talking about what the bad actor is doing at all. I'm talking about what the good actors can do.

  2. poohbear

    "The danger is severe enough that it got the attention of Microsoft." ... I sense a new El Reg unit of severity coming.

    1. John Robson Silver badge

      Rather surprised they didn't say it affected the protocol rather than MS servers...

      Yes it does affect MS servers, but only because DNS is trusted by design.

      This is protocol abuse, rather than software abuse.

    2. 2+2=5 Silver badge
      Joke

      > I sense a new El Reg unit of severity coming.

      A scale from 1 to 5 like the you-know-what scale:

      Level 1 - Safe. No need to worry. Feel free to worry more about rogue apostrohe's and double spaces after full-stops.

      ... through to ...

      Level 5 - Critical. So severe, even Apple will respond to enquiries from El Reg

      1. RM Myers
        Unhappy

        Level 5 - Critical. So severe, even Apple will respond to enquiries from El Reg

        Are you saying that level 4 is the maximum level possible, short of water crystallizing in a certain very warm place?

        1. Anonymous Coward
          Anonymous Coward

          Re: Level 5 - Critical. So severe, even Apple will respond to enquiries from El Reg

          Level 5 is theoretically possible *but* has not been seen yet !!!

          Rather like the ability to 'find' some theoretical elements, in chemistry, was dependant on technology improving to the point that very small amounts could be detected in very 'specific' conditions, which conventional techniques could not work in.

          1. katrinab Silver badge

            Re: Level 5 - Critical. So severe, even Apple will respond to enquiries from El Reg

            Apple have responded to two queries from El Reg, but they were on very minor matters that were left to an intern who hadn't read the memo.

            1. IGotOut
              Mushroom

              Re: Level 5 - Critical. So severe, even Apple will respond to enquiries from El Reg

              Shouldn't it be a reverse scale. So an Apple rep actually talking to El Reg, would be a 1 as in DefCon 1.

          2. robidy Silver badge
            Trollface

            Re: Level 5 - Critical. So severe, even Apple will respond to enquiries from El Reg

            It has, usually to refuse El Reg access to PR events...seems a level 5 incident to me.

    3. Robert Carnegie Silver badge
      Joke

      The severity scale already runs from 0 as in 0 Day to 10 as in Windows 10.

      So if just depends whether you consider Windows 10 itself to be a Common Vulnerability. :-)

  3. Anonymous Coward
    Anonymous Coward

    Has this kicked off another round of djb discussing how terrible DNS server software is?

    1. brotherelf
      Alert

      He might be preoccupied with the RCE in qmail that seems to be a "surely this won't ever be larger than X (until it is)".

  4. Anonymous Coward
    Anonymous Coward

    She?

    " When the attacker generates many such referral responses repeatedly, ***SHE*** gets a DDoS attack on either the resolver or on a corresponding authoritative server, with an amplification factor of O(F) packets, sometimes much larger than F."

    Ahhh women to blame again.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020