Sep 6 – 7, 2023 Workshop
Meliá Danang Beach Resort
Asia/Ho_Chi_Minh timezone

Silence is not Golden: Disrupting the Load Balancing of Authoritative DNS Servers

Sep 7, 2023, 12:00 PM
19 Trường Sa, Hoà Hải, Ngũ Hành Sơn, Đà Nẵng 550000, Vietnam
In-Person Standard Presentation OARC 41 Day 2


Fenglu Zhang (Tsinghua University)


Authoritative nameservers are delegated to provide the final resource record. Since the security and robustness of DNS are critical to the general operation of the Internet, domain owners often deploy multiple candidate nameservers for load balancing, as required by the DNS specifications (RFC 1034 and RFC 2182). Once the load balancing mechanism is compromised, an adversary can steer a large number of legitimate DNS requests to a specified candidate nameserver. As a result, the adversary may bypass the defense mechanisms used to filter malicious traffic that can overload the victim nameserver, or lower the bar for DNS traffic hijacking and cache poisoning attacks.

In this study, we report on a class of DNS vulnerabilities and present a novel attack, named Disablance, that targets domains with different NS records serving multiple sites of authoritative servers. The attack is made possible by a prevalent misconfiguration of nameservers that ignores domains outside their authority, combined with the mainstream implementation of recursive resolvers that use a globally shared status for nameserver selection. By targeting authoritative nameservers configured by a large number of domains (e.g., the nameservers owned by DNS hosting services), Disablance allows adversaries to stealthily sabotage the DNS load balancing for authoritative nameservers at a low cost. By simply configuring the DNS records for a domain under their control to point to the targeted nameservers and performing a handful of requests, adversaries can temporarily manipulate a given DNS resolver to overload a specific authoritative server. Therefore, Disablance can redirect benign DNS requests for all hosted domains to the specific nameserver and disrupt the load balancing mechanism.

Our extensive study proves the security threat of Disablance is realistic and prevalent. First, we demonstrated that mainstream DNS implementations, including BIND9, PowerDNS, and Microsoft DNS, are vulnerable to Disablance. Second, we developed a measurement framework to measure vulnerable authoritative servers in the wild. 22.24% of top 1M FQDNs and 3.94% of top 1M SLDs were shown to be potential victims of Disablance. Our measurement results also show that 37.88% of stable open resolvers and 10 of 14 popular public DNS services can be exploited to conduct Disablance, including Cloudflare and Quad9. Furthermore, the critical security threats of Disablance were observed and acknowledged through in-depth discussion with a world-leading DNS service provider. We have reported the discovered vulnerabilities and provided recommendations to the affected vendors. So far, Tencent Cloud (DNSPod) and Amazon have taken action to fix this issue according to our suggestions.
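An operator can check whether one of their authoritative nameservers shows the behaviour the abstract describes, staying silent on a query for a domain outside its authority. The sketch below is an added example, not code from the talk or its authors; `build_query`, `classify`, `probe`, the sample reply, and the choice to count any well-formed reply (for example REFUSED) as "not silent" are assumptions.

```python
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
          3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

# Constructed sample: header-only reply for txid 0x4242 with QR=1, RCODE=5.
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x4242, 0x8005, 0, 0, 0, 0)


def build_query(qname, txid, qtype=1):
    """Encode a minimal DNS query: RD=0, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = b"".join(bytes([len(part)]) + part.encode("ascii")
                      for part in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def classify(reply, txid):
    """Map a raw UDP reply (None means every try timed out) to a verdict."""
    if reply is None:
        return "SILENT"  # no answer at all for the out-of-authority name
    if len(reply) < 12:
        return "MALFORMED"
    rid, flags = struct.unpack("!HH", reply[:4])
    if rid != txid or not flags & 0x8000:  # wrong id, or QR bit not set
        return "MALFORMED"
    rcode = flags & 0x000F
    return "ANSWERED:" + RCODES.get(rcode, "RCODE%d" % rcode)


def probe(server, qname, txid=0x4242, timeout=3.0, tries=2):
    """Query `server` for `qname`, a name it is not authoritative for."""
    query = build_query(qname, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for _ in range(tries):
            sock.sendto(query, (server, 53))
            try:
                reply, _addr = sock.recvfrom(4096)
                return classify(reply, txid)
            except socket.timeout:
                continue  # retry before concluding the server is silent
    return classify(None, txid)
```

A `SILENT` verdict from `probe` on a reachable server means the query was dropped rather than answered, which is the condition worth fixing; a verdict such as `ANSWERED:REFUSED` means the server replied.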

Primary authors

Fenglu Zhang (Tsinghua University)
Baojun Liu (Tsinghua University)
Eihal Alowaisheq (King Saud University)
Jianjun Chen (Tsinghua University; Zhongguancun Laboratory)
Chaoyi Lu (Tsinghua University)
Linjian Song (Alibaba Group)
Yong Ma (Alibaba Group)
Ying Liu (Tsinghua University)
Haixin Duan (Tsinghua University; Quancheng Laboratory)
Min Yang (Fudan University)
