TsuNAME Vulnerability Can Be Exploited for DDoS Attacks on DNS Servers

Some DNS resolvers are affected by a vulnerability that can be exploited to launch distributed denial-of-service (DDoS) attacks against authoritative DNS servers, a group of researchers warned this week.

The flaw, dubbed TsuNAME, was discovered by researchers at SIDN Labs (the R&D team of the registry for .nl domains), InternetNZ (the registry for .nz domains), and the Information Science Institute at the University of Southern California.

Impacted organizations were notified and given 90 days to take action before the vulnerability was disclosed. Google and Cisco, both of which provide widely used DNS services, have deployed patches for TsuNAME, but the researchers believe many servers are still vulnerable to attacks.

An attacker can abuse recursive resolvers affected by TsuNAME to send a large volume of queries to targeted authoritative servers, such as those of TLD operators.

TsuNAME occurs on servers where there is a cyclic dependency, a configuration error caused by the NS records for two zones pointing to each other.

“TsuNAME occurs when domain names are misconfigured with cyclic dependent DNS records, and when vulnerable resolvers access these misconfigurations, they begin looping and send DNS queries rapidly to authoritative servers and other resolvers,” the researchers explained in a paper detailing the vulnerability.

They also explained in a separate advisory, “Resolvers vulnerable to TsuNAME will send non-stop queries to authoritative servers that have cyclic dependent records. While one resolver is unlikely to overwhelm an authoritative server, the aggregated effect from many looping, vulnerable recursive resolvers may as well do.”

Such an incident was observed in 2020, when authoritative servers for New Zealand’s .nz TLD saw an increase of 50 percent in queries. An analysis showed that the surge was caused by just two domains that were misconfigured with cyclic dependencies.

“Notice that a simple misconfiguration of two domains led to 50% traffic growth. One may wonder what would happen if a motivated attack would carry out this with hundreds or thousands of domains,” the researchers said.

At least two other similar incidents were observed in the past years: one involving a European country code TLD (ccTLD), which recorded a tenfold traffic growth due to the incident; and one involving Google sending a large volume of queries to the servers of an anycast operator.

The researchers have shared recommendations for both authoritative server operators and resolver software developers, and they have also released an open source tool, named CycleHunter, that can be used by organizations to detect problematic configurations.
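The cyclic NS dependency described above can be found offline from delegation data. The following is an added example, not CycleHunter's code and not from the researchers: it takes a constructed zone-to-NS mapping, finds zones whose nameservers can never be resolved, and separates zones that sit on a cycle from zones that merely depend on one. It assumes in-bailiwick nameservers have glue and that names under zones outside the data set resolve normally; a real check would need live NS lookups.

```python
# Constructed sample data: zone -> NS hostnames from its delegation.
DELEGATIONS = {
    "example.nl.": ["ns1.example.nz.", "ns2.example.nz."],
    "example.nz.": ["ns1.example.nl."],
    "victim.nl.": ["ns1.example.nl."],           # depends on the cycle
    "partial.nl.": ["ns1.example.nz.", "ns1.provider.net."],
    "provider.net.": ["a.ns.provider.net."],     # in-bailiwick, uses glue
}

def enclosing_zone(host, zones):
    """Return the longest zone in `zones` that contains `host`, else None."""
    labels = host.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in zones:
            return candidate
    return None

def stuck_zones(delegations):
    """Zones for which no NS name can ever be resolved (least fixed point)."""
    zones, resolvable, changed = set(delegations), set(), True
    while changed:
        changed = False
        for zone in zones - resolvable:
            parents = [enclosing_zone(ns, zones) for ns in delegations[zone]]
            # Assumptions: in-bailiwick names have glue, and names under
            # zones outside the data set resolve normally.
            if any(p is None or p == zone or p in resolvable for p in parents):
                resolvable.add(zone)
                changed = True
    return zones - resolvable

def cyclic_zones(delegations):
    """Stuck zones that lie on a dependency cycle themselves."""
    stuck = stuck_zones(delegations)
    deps = {z: {enclosing_zone(ns, stuck) for ns in delegations[z]} for z in stuck}

    def reaches_itself(start):
        seen, stack = set(), list(deps[start])
        while stack:
            zone = stack.pop()
            if zone == start:
                return True
            if zone not in seen:
                seen.add(zone)
                stack.extend(deps[zone])
        return False

    return {z for z in stuck if reaches_itself(z)}
```

In the sample data, `partial.nl.` is not flagged because one of its nameservers lies outside the cycle, which is why a single working NS is enough to break the loop.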

A dedicated website has been set up for the TsuNAME vulnerability.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
