New TsuNAME Flaw Could Let Attackers Take Down Authoritative DNS Servers
Security News, May 2021
Security researchers Thursday disclosed a new critical vulnerability affecting Domain Name System resolvers that could be exploited by adversaries to carry out reflection-based denial-of-service attacks against authoritative nameservers.
"TsuNAME occurs when domain names are misconfigured with cyclic dependent DNS records, and when vulnerable resolvers access these misconfigurations, they begin looping and send DNS queries rapidly to authoritative servers and other resolvers," the researchers said.
A recursive DNS resolver handles a client's request for a web page by making a series of queries until it reaches the authoritative DNS nameserver for the requested DNS record.
The authoritative DNS server is akin to a dictionary that holds the exact IP address for the domain that's being looked up.
The idea is that misconfigurations during domain registration can create a cyclic dependency in which the nameserver records of two zones point to each other, leading vulnerable resolvers to "simply bounce back from zone to zone, sending non-stop queries to the authoritative servers of both parent zones," overwhelming the parent zones' authoritative servers.
To mitigate the impact of TsuNAME in the wild, the researchers have published an open-source tool called CycleHunter that allows authoritative DNS server operators to detect cyclic dependencies.
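As an added illustration of the cyclic dependency described above (example code written for this page, not CycleHunter's own implementation), the script below walks a constructed set of zone-to-nameserver delegations and flags zones whose every nameserver can only be resolved by first resolving a zone that depends back on the original one. Zone names, nameserver hostnames and the assumption that in-zone nameservers are served with glue are all constructed for the example.

```python
"""Detect cyclic NS dependencies between zones, the misconfiguration behind TsuNAME."""

# Constructed sample delegation data: zone -> NS hostnames published for it.
# "a.example" and "b.example" delegate exclusively to each other, so neither
# zone's nameservers can be reached without first resolving the other zone.
SAMPLE_ZONES = {
    "example": ["ns.example"],
    "a.example": ["ns1.b.example", "ns2.b.example"],
    "b.example": ["ns1.a.example"],
    "c.example": ["ns1.c.example", "ns1.b.example"],  # one in-zone NS keeps it resolvable
}


def zone_of(name, zones):
    """Return the longest known zone containing 'name' (the zone whose
    nameservers must be queried to resolve it), or None if no zone matches."""
    labels = name.split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def resolvable(zone, zones, stack=frozenset()):
    """True if at least one nameserver of 'zone' can be resolved without
    revisiting a zone that is already on the current resolution path."""
    if zone in stack:  # we are back where we started: a cycle
        return False
    stack = stack | {zone}
    for ns in zones.get(zone, []):
        host = zone_of(ns, zones)
        if host is None:  # nameserver lives in a zone we do not model; assume resolvable
            return True
        if host == zone:  # in-bailiwick nameserver: assumed to be served with glue
            return True
        if resolvable(host, zones, stack):
            return True
    return False


def find_cyclic_zones(zones):
    """Zones whose nameservers all sit behind a cyclic dependency."""
    return sorted(z for z in zones if not resolvable(z, zones))


if __name__ == "__main__":
    for zone in find_cyclic_zones(SAMPLE_ZONES):
        print(f"cyclic dependency: {zone} -> {SAMPLE_ZONES[zone]}")
```

Running it reports a.example and b.example, while c.example passes because one of its nameservers lives inside the zone itself.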