Does Your DNS Recursion Really Time Out as Intended? A Timeout Vulnerability of DNS Recursive Servers
This exposes a critical security flaw in DNS infrastructure that could disrupt internet services for users and organizations.
The paper identifies a vulnerability in DNS recursive servers where attackers can exploit recursion parallelization to bypass timeout mechanisms, enabling DoS/DDoS attacks with low query loads, as demonstrated on BIND servers.
Parallelization is featured by DNS recursive servers to do time-consuming recursions on behalf on clients. As common DNS configurations, recursive servers should allow a reasonable timeout for each recursion which may take as long as several seconds. However, it is proposed in this paper that recursion parallelization may be exploited by attackers to compromise the recursion timeout mechanism for the purpose of DoS or DDoS attacks. Attackers can have recursive servers drop early existing recursions in service by saturating recursion parallelization. The key of the proposed attack model is to reliably prolong service times for any attacking queries. As means of prolong service times, serval techniques are proposed to effectively avoiding cache hit and prolonging overall latency of external DNS lookups respectively. The impacts of saturated recursion parallelization on timeout are analytically provided. The testing on BIND servers demonstrates that with carefully crafted queries, an attacker can use a low or moderate level of query load to successfully overwhelm a target recursive server from serving the legitimate clients.