2min. read

What is an NXNSAttack?

The NoneXistent Name Server Attack (NXNSAttack) can paralyze a DNS system, making it impossible for users to access internet resources. Here’s what you need to know about this new attack.

The domain name system (DNS) is the protocol that translates a domain name, e.g., paloaltonetworks.com, to an IP address—in this case, 199.167.52.137. DNS is ubiquitous across the internet; without it, we would have to memorize the strings of IP addresses. But DNS has also suffered from a number of vulnerabilities and cyberattacks in recent years. One new attack, called NoneXistent Name Server Attack (NXNSAttack), exploits a vulnerability first exposed by a group of academics. 

An NXNSAttack impacts the recursive DNS resolvers, which are part of the DNS resolution (or “DNS lookup”) process. DNS resolvers pass the end users’ DNS queries to the authoritative name servers, which return the IP strings back to the DNS resolvers and ultimately to the end users. The DNS protocol has a safety mechanism built in, which allows the authoritative servers to delegate the DNS lookup to alternative servers. This is the mechanism the NXNSAttack exploits. 

Below are the steps of the attack in simple terms.

  1. The attacker sends a DNS query (or multiple DNS queries with the help of bots) to a DNS resolver for a domain such as attack[.]com. 

  2. The DNS resolver, which isn’t authorized to solve the query, forwards it to an authoritative server, which is owned or compromised by the attacker. Owning large numbers of authoritative servers isn’t difficult. Once the attackers register a domain, in this example attack[.]com, they can associate it with any authoritative server on the internet. 

  3. The compromised authoritative server replies to the recursive DNS resolver that it will delegate the lookup request to a large list of alternative servers. The list can contain thousands of subdomains for the victim website. 

  4. The DNS resolver forwards the DNS query to all the subdomains, creating a surge of traffic for the victim’s authoritative server. The massive traffic can crash the victim’s DNS resolver.

Once a company’s DNS resolver is crashed, it will no longer respond to requests from users. The website, e-commerce, video chats, support and other web services will be unavailable. 

Patches have been released to prevent attackers from flooding DNS servers. One of the protections against an NXNSAttack, therefore, is to keep the DNS resolver software updated to the latest version. 

For more on NXNSAttacks, visit https://www.paloaltonetworks.com/network-security/dns-security.html.