tsuNAME vulnerability and Unbound

Published: Mon 10 May 2021
Last updated: Thu 18 April 2024

Last week, SIDN Labs, InternetNZ and USC/ISI researchers announced the vulnerability called tsuNAME [1]. With the analysis of the impact of tsuNAME, the researchers have also evaluated a number of open source DNS software, including Unbound. In their research they have assessed that Unbound is not vulnerable to the tsuNAME attack [2] (Section 5.1).

Cyclic dependencies in name servers

With the design and implementation of Unbound, the specific case of cyclic dependencies in name servers for a domain was already considered. [RFC1536] also mentions recursion bugs in Section 2 of the document.

In a so-called exploration phase, Unbound will discover name servers for a domain name and caches the results of the NS record lookups. In this exploration phase, Unbound has implemented both cycle detection and for the TTL of the cached NS records it will not send any further queries to upstream servers. This behaviour prevents further lookups and annuls a potential tsuNAME attack, and as such Unbound cannot be made instrumental in facilitating a DDoS attack on authoritative name servers.

general news