Does Your DNS Recursion Really Time Out as Intended? A Timeout Vulnerability of DNS Recursive Servers

Abstract

Parallelization is featured by DNS recursive servers to do time-consuming recursions on behalf on clients. As common DNS configurations, recursive servers should allow a reasonable timeout for each recursion which may take as long as several seconds. However, it is proposed in this paper that recursion parallelization may be exploited by attackers to compromise the recursion timeout mechanism for the purpose of DoS or DDoS attacks. Attackers can have recursive servers drop early existing recursions in service by saturating recursion parallelization. The key of the proposed attack model is to reliably prolong service times for any attacking queries. As means of prolong service times, serval techniques are proposed to effectively avoiding cache hit and prolonging overall latency of external DNS lookups respectively. The impacts of saturated recursion parallelization on timeout are analytically provided. The testing on BIND servers demonstrates that with carefully crafted queries, an attacker can use a low or moderate level of query load to successfully overwhelm a target recursive server from serving the legitimate clients.