Does Your DNS Recursion Really Time Out as Intended? A Timeout Vulnerability of DNS Recursive Servers
Zheng Wang

TL;DR
This paper reveals a vulnerability in DNS recursive servers where attackers can exploit parallelization to cause DoS or DDoS attacks by manipulating recursion timeouts, demonstrated through analysis and testing on BIND servers.
Contribution
It identifies a novel timeout vulnerability in DNS recursive servers that can be exploited via parallelization to disrupt legitimate service.
Findings
Attackers can use crafted queries to overload DNS servers.
Parallelization can be exploited to prolong recursion times.
Vulnerability demonstrated on BIND servers.
Abstract
Parallelization is featured by DNS recursive servers to do time-consuming recursions on behalf of clients. In common DNS configurations, recursive servers should allow a reasonable timeout for each recursion, which may take as long as several seconds. However, it is proposed in this paper that recursion parallelization may be exploited by attackers to compromise the recursion timeout mechanism for the purpose of DoS or DDoS attacks. Attackers can make recursive servers drop existing recursions in service early by saturating recursion parallelization. The key to the proposed attack model is to reliably prolong service times for any attacking queries. As means of prolonging service times, several techniques are proposed to effectively avoid cache hits and prolong the overall latency of external DNS lookups, respectively. The impacts of saturated recursion parallelization on timeout are…
Taxonomy
Topics: Network Security and Intrusion Detection · IPv6, Mobility, Handover, Networks, Security · Network Packet Processing and Optimization
