A flaw in the DNS delegation mechanism, dubbed NXNSAttack, forces DNS resolvers to generate many more DNS queries to authoritative servers of the attacker's choosing, potentially causing botnet-scale disruption to online services.
According to Israeli cybersecurity researchers, the new flaw affects the DNS protocol and can be exploited to launch large-scale distributed denial-of-service (DDoS) attacks on targeted websites.
The researchers promptly reported the flaw to the companies in charge of the internet infrastructure, including CZ.NIC (CVE-2020-12667), PowerDNS (CVE-2020-10995), Google, Amazon, Microsoft, Cloudflare, Oracle-owned Dyn, Verisign, and IBM Quad9, which have responded with patches for their respective software.
How the NXNSAttack Is Carried Out
In a recursive DNS lookup, a DNS resolver communicates with multiple authoritative DNS servers in sequence to locate the IP address associated with a given domain (for instance, www.amazon.com) and returns it to the client.
If the resolver cannot locate the IP address for a domain name itself, it passes the request to an authoritative DNS name server. If that first authoritative name server does not hold the desired records, it answers with a referral listing the names of further authoritative servers to ask.
The lookup typically starts with the DNS resolver your system is configured to use, often a public resolver such as Google's (8.8.8.8) or Cloudflare's (1.1.1.1).
The researchers discovered that the large, unwanted overhead of chasing these referrals can be exploited to trick recursive resolvers into continuously sending a large number of packets to a targeted domain instead of to the legitimate authoritative servers. However, the attacker must control an authoritative server to mount the attack through a recursive resolver.
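As an added illustration of the amplification described above (not code from the researchers or from any resolver vendor), the following Python model counts the follow-up queries a recursive resolver issues when a referral lists name servers without glue addresses, and shows how a cap on such lookups per referral bounds the effect. The cap is assumed here as a generic mitigation, not a description of any particular vendor's patch; the zone names (.test) and addresses (RFC 5737 documentation space) are constructed.

```python
"""Model of the query amplification behind NXNSAttack.

Added example, not code from the researchers or from any resolver
vendor. It simulates how a recursive resolver handles a referral whose
NS records come without glue, counts the follow-up queries it issues,
and shows how a cap on glueless name-server lookups per referral
(an assumed generic mitigation, not any vendor's actual fix) bounds
the amplification. Zone names are constructed under .test (RFC 6761)
and addresses come from RFC 5737 documentation space.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Referral:
    """A delegation response: 'ask these name servers for this zone'."""
    zone: str
    ns_names: list
    glue: dict = field(default_factory=dict)  # ns name -> address, if supplied


@dataclass
class Resolver:
    """Minimal recursive resolver that only models NS address fetching."""
    glueless_cap: Optional[int] = None        # None = uncapped behaviour
    sent: list = field(default_factory=list)  # (qtype, qname) pairs issued

    def follow_referral(self, ref: Referral) -> int:
        """Fetch addresses for glueless NS names; return queries issued."""
        before = len(self.sent)
        resolved = 0
        for ns in ref.ns_names:
            if ns in ref.glue:
                continue  # glue address supplied: nothing to look up
            if self.glueless_cap is not None and resolved >= self.glueless_cap:
                break     # mitigation: stop chasing further glueless names
            # a resolver asks for both address families of each NS name
            self.sent.append(("A", ns))
            self.sent.append(("AAAA", ns))
            resolved += 1
        return len(self.sent) - before


def queries_toward(resolver: Resolver, suffix: str) -> int:
    """Count queries whose name falls under `suffix` (e.g. a victim's zone)."""
    return sum(1 for _, qname in resolver.sent if qname.endswith(suffix))


# Constructed referrals. A legitimate delegation carries glue; the
# attacker-style one lists many name servers, none with glue, all under
# the victim's zone so that the address lookups land on the victim.
LEGIT = Referral(
    zone="example.test.",
    ns_names=["ns1.example.test.", "ns2.example.test."],
    glue={"ns1.example.test.": "192.0.2.1", "ns2.example.test.": "192.0.2.2"},
)
VICTIM_ZONE = "victim.test."
MALICIOUS = Referral(
    zone="attacker.test.",
    ns_names=[f"fake{i}.{VICTIM_ZONE}" for i in range(40)],
)


def amplification(ref: Referral, cap: Optional[int] = None) -> int:
    """Extra queries a resolver issues for one client query hitting `ref`."""
    return Resolver(glueless_cap=cap).follow_referral(ref)


if __name__ == "__main__":
    print("legit referral, extra queries:", amplification(LEGIT))        # 0
    print("malicious referral, uncapped:", amplification(MALICIOUS))     # 80
    print("malicious referral, cap=4:", amplification(MALICIOUS, cap=4))  # 8
    r = Resolver()
    r.follow_referral(MALICIOUS)
    print("queries landing on victim zone:", queries_toward(r, VICTIM_ZONE))  # 80
```

The model shows why a single client query is dangerous here: every glueless NS name costs the resolver two more queries, and all of them are aimed at whichever zone the attacker named. Capping glueless lookups per referral turns an amplification that grows with the referral size into a constant, which is the kind of bound a defender should look for in a resolver's release notes.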
How to Mitigate the Attacks
The key factors behind the attack are the ease with which one can control an authoritative name server, the use of nonexistent domain names, and the extra redundancy built into the DNS structure for fault tolerance and fast response times.
So, it is recommended that network admins who run their own DNS servers update their DNS resolver software to the latest version.