CVE-2020-10995 Overview
PowerDNS Recursor from version 4.1.0 up to and including 4.3.0 does not sufficiently defend against amplification attacks. The underlying DNS protocol weakness, publicly known as the NXNSAttack, lets a malicious party use recursive DNS services to attack third-party authoritative name servers: a crafted referral from the attacker's authoritative server makes the recursive resolver send many queries to other authoritative name servers, amplifying the traffic between resolver and those servers. Both the resolver and the targeted authoritative servers can suffer degraded performance.
Critical Impact
An attacker who can get a vulnerable PowerDNS Recursor to resolve a name in a domain they control turns each such query into many queries against a victim's authoritative name servers, potentially causing denial of service against those servers while also degrading the resolver's own performance.
Affected Products
- PowerDNS Recursor versions 4.1.0 through 4.3.0
- Fedora 31 and 32
- Debian Linux 10.0
- openSUSE Backports SLE 15.0 SP1
- openSUSE Leap 15.1
Discovery Timeline
- 2020-05-19 - CVE-2020-10995 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-10995
Vulnerability Analysis
The attack abuses how a resolver follows delegations. A referral from an authoritative server carries NS records whose NSDNAME fields name the servers for the child zone; when the referral carries no glue (A/AAAA records for those names), the resolver must resolve the NS names before it can continue. The NXNSAttack has the attacker's authoritative server answer with a referral whose NS records point at many randomly named hosts under a victim's zone, with no glue.
Following standard resolution procedure, the resolver then tries to resolve each NS name by querying the victim's authoritative servers, which answer NXDOMAIN because the names do not exist. Since every name is different, negative caching does not help: one crafted response turns into as many lookups as it lists NS names (often twice that, because resolvers commonly ask for both A and AAAA), all directed at the victim's infrastructure.
The vulnerability is classified under CWE-400 (Uncontrolled Resource Consumption), as it allows attackers to consume excessive computational and network resources on both the recursive resolver and targeted authoritative name servers.
Root Cause
The root cause is in the DNS protocol itself, compounded by PowerDNS Recursor's handling of NS record delegations: the resolver placed no effective bound on how many glueless NS names it would chase for a single delegation. Given NS records with random subdomain NSDNAME values, it dutifully tried to resolve each one, so the amplification factor was chosen by the attacker's response rather than limited by the resolver.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker sets up an authoritative name server and registers a domain delegated to it, then causes a vulnerable PowerDNS Recursor to query that domain (any client of the resolver will do, or any host on the Internet if the resolver is open). The attacker's server answers with a referral whose NS records name many random subdomains of the target's zone (e.g. random1.victim.com, random2.victim.com, and so on) and omits glue.
The resolver, unable to use the delegation without the addresses of those name servers, queries the victim's authoritative servers for each of the non-existent hostnames. The victim need not be related to the attacker's domain in any way; it only has to be authoritative for the zone under which the random names are placed.
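The following is an added example (it is not PowerDNS code and not from the page's sources) that models the referral described in the two passages above. It builds a delegation response on the wire with the standard library only, then counts how many address lookups a resolver must issue before it can use the delegation: one per NS target that has no glue. The zone names attacker.example and victim.example, the query count, and the cap value of 10 are assumptions for illustration, not PowerDNS's constants.

```python
"""Added example (stdlib only): the referral at the heart of the NXNSAttack.

Not PowerDNS code. Builds a delegation response, then counts the address
lookups a resolver must issue to use it. Zone names and the cap value 10
are assumptions for illustration.
"""
import random
import string
import struct

TYPE_A, TYPE_NS, TYPE_AAAA = 1, 2, 28


def encode_name(name):
    """Wire-format a dotted name (no compression pointers)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(msg, off):
    """Decode a name at msg[off]; returns (name, offset after the name)."""
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:  # compression pointer (never emitted by encode_name)
            ptr = ((n & 0x3F) << 8) | msg[off]
            labels.append(read_name(msg, ptr)[0])
            return ".".join(labels), off + 1
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), off


def build_referral(qname, zone, ns_names, glue=None):
    """Delegation response: empty answer section, one NS RR per name in the
    authority section, optional A glue in the additional section."""
    glue = glue or {}
    header = struct.pack("!HHHHHH", 0x1234, 0x8000, 1, 0, len(ns_names), len(glue))
    msg = header + encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    for ns in ns_names:
        rdata = encode_name(ns)
        msg += encode_name(zone) + struct.pack("!HHIH", TYPE_NS, 1, 300, len(rdata)) + rdata
    for host, ip in glue.items():
        rdata = bytes(int(o) for o in ip.split("."))
        msg += encode_name(host) + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + rdata
    return msg


def parse_sections(msg):
    """Return (authority, additional) as lists of (owner, type, rdata)."""
    _, _, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    sections = []
    for count in (an, ns, ar):
        rrs = []
        for _ in range(count):
            owner, off = read_name(msg, off)
            rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10
            rrs.append((owner, rtype, msg[off:off + rdlen]))
            off += rdlen
        sections.append(rrs)
    return sections[1], sections[2]


def glueless_ns_targets(msg):
    """NS targets the resolver cannot use without first resolving them."""
    authority, additional = parse_sections(msg)
    glued = {owner for owner, rtype, _ in additional if rtype in (TYPE_A, TYPE_AAAA)}
    return [read_name(rdata, 0)[0] for _, rtype, rdata in authority
            if rtype == TYPE_NS and read_name(rdata, 0)[0] not in glued]


def outbound_lookups(msg, cap=None):
    """Address lookups triggered by one referral. cap=None models the unpatched
    resolver (one lookup per glueless name; real resolvers often ask for both A
    and AAAA, doubling this). An integer models a per-query limit of the kind
    the fixed releases apply; 10 is an assumed value, not PowerDNS's."""
    n = len(glueless_ns_targets(msg))
    return n if cap is None else min(n, cap)


def attacker_referral(count, zone="attacker.example", victim="victim.example", seed=1):
    """Referral the attacker's server returns: `count` random NS names under
    the victim's zone, none of which exist, and no glue."""
    rng = random.Random(seed)
    names = ["".join(rng.choices(string.ascii_lowercase, k=8)) + "." + victim
             for _ in range(count)]
    return build_referral("www." + zone, zone, names)


if __name__ == "__main__":
    evil = attacker_referral(50)
    print(f"{len(evil)}-byte referral -> {outbound_lookups(evil)} lookups at the victim (uncapped)")
    print(f"same referral with cap=10 -> {outbound_lookups(evil, cap=10)} lookups")
    benign = build_referral("www.example.net", "example.net",
                            ["ns1.example.net", "ns2.example.net"],
                            {"ns1.example.net": "192.0.2.1", "ns2.example.net": "192.0.2.2"})
    print(f"glued delegation -> {outbound_lookups(benign)} extra lookups")
```

The glued delegation at the end is the normal case: the resolver can contact the child zone's servers straight away, so no extra lookups are needed. The attacker's referral differs only in that every NS name lacks glue and sits under someone else's zone; that single difference is the whole amplification.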
Detection Methods for CVE-2020-10995
Indicators of Compromise
- Unusual spikes in outbound DNS queries from recursive resolvers to specific authoritative name servers
- High NXDOMAIN rates for a single zone where the queried names are NS targets the resolver is chasing rather than names any client actually asked for, with a different random leftmost label each time
- Increased CPU and memory utilization on PowerDNS Recursor instances during attack periods
- Network traffic patterns showing repeated queries to the same authoritative domain with random subdomain patterns
Detection Strategies
- Monitor DNS query logs for abnormal patterns of NS record lookups with randomized subdomain components
- Implement traffic analysis to detect amplification patterns where single inbound queries generate multiple outbound queries
- Configure alerting on unusual query-per-second rates to authoritative name servers
- Deploy network flow analysis to identify asymmetric DNS traffic patterns indicative of amplification abuse
Monitoring Recommendations
- Enable trace logging on PowerDNS Recursor to capture NS record delegation chains, preferably targeted at a suspect domain (rec_control trace-regex) rather than globally, since full tracing is expensive on a busy resolver
- Implement DNS query rate monitoring with baseline deviation alerting
- Monitor bandwidth utilization on DNS infrastructure for sudden increases
- Track resolver cache behavior for unusual delegation chain patterns
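The detection logic sketched in the indicator, strategy and monitoring lists above, as an added example that is not PowerDNS code and not from the page's sources. It runs over a constructed resolver query log; the log format (one line per query: timestamp, direction in or out, peer IP, qtype, qname, rcode) is an assumption made for this example, not a PowerDNS log format, and the addresses, names and thresholds are illustrative. A zone is flagged when it receives many outbound queries in the window, most answered NXDOMAIN, for names whose leftmost label looks random; the outbound-to-inbound ratio is reported as the amplification figure.

```python
"""Added example: amplification detection over a constructed resolver log.

Not PowerDNS code. Log format, addresses, names and thresholds are
assumptions for this example.
"""
import math
from collections import defaultdict

# Constructed sample: one client query for the attacker's domain fans out into
# eight NXDOMAIN lookups at the victim's name servers; a benign query follows.
SAMPLE_LOG = """\
2020-05-19T10:00:00Z in  203.0.113.7   A www.attacker.example NOERROR
2020-05-19T10:00:00Z out 198.51.100.10 A www.attacker.example NOERROR
2020-05-19T10:00:00Z out 192.0.2.53 A q7x2mzp9.victim.example NXDOMAIN
2020-05-19T10:00:00Z out 192.0.2.53 A a1b9k4ze.victim.example NXDOMAIN
2020-05-19T10:00:00Z out 192.0.2.54 A zz0r8tqy.victim.example NXDOMAIN
2020-05-19T10:00:01Z out 192.0.2.53 A m4hx9p2c.victim.example NXDOMAIN
2020-05-19T10:00:01Z out 192.0.2.54 A t8w3yk1v.victim.example NXDOMAIN
2020-05-19T10:00:01Z out 192.0.2.53 A c2n6dj5s.victim.example NXDOMAIN
2020-05-19T10:00:01Z out 192.0.2.54 A r9f1hb7l.victim.example NXDOMAIN
2020-05-19T10:00:01Z out 192.0.2.53 A e5u0ga3x.victim.example NXDOMAIN
2020-05-19T10:00:03Z in  203.0.113.8   A www.example.net NOERROR
2020-05-19T10:00:03Z out 192.0.2.10 A www.example.net NOERROR
"""


def parse_log(text):
    """One dict per non-empty line of the assumed log format."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, direction, peer, qtype, qname, rcode = line.split()
        rows.append({"ts": ts, "dir": direction, "peer": peer, "qtype": qtype,
                     "qname": qname.lower().rstrip("."), "rcode": rcode})
    return rows


def parent_zone(qname, depth=2):
    """Crude zone guess (last `depth` labels); a real deployment would use the
    delegation point the resolver actually queried."""
    return ".".join(qname.split(".")[-depth:])


def label_entropy(names):
    """Shannon entropy in bits/char of the pooled leftmost labels. Random
    8-character labels score near 5; 'www' scores 0 and 'ns1' about 1.6."""
    chars = "".join(n.split(".")[0] for n in names)
    if not chars:
        return 0.0
    counts = defaultdict(int)
    for c in chars:
        counts[c] += 1
    total = len(chars)
    return -sum(k / total * math.log2(k / total) for k in counts.values())


def find_amplification(rows, min_queries=5, min_nxdomain_ratio=0.8, min_entropy=3.0):
    """Flag zones that receive many outbound queries, mostly answered NXDOMAIN,
    for names with random-looking leftmost labels. One finding per zone."""
    inbound = sum(1 for r in rows if r["dir"] == "in") or 1
    by_zone = defaultdict(list)
    for r in rows:
        if r["dir"] == "out":
            by_zone[parent_zone(r["qname"])].append(r)
    findings = []
    for zone, qs in by_zone.items():
        nx_ratio = sum(1 for q in qs if q["rcode"] == "NXDOMAIN") / len(qs)
        entropy = label_entropy([q["qname"] for q in qs])
        if len(qs) >= min_queries and nx_ratio >= min_nxdomain_ratio and entropy >= min_entropy:
            findings.append({
                "zone": zone,
                "queries": len(qs),
                "nxdomain_ratio": round(nx_ratio, 2),
                "label_entropy": round(entropy, 2),
                "servers": sorted({q["peer"] for q in qs}),
                # outbound queries to this zone per inbound client query in the window
                "amplification": round(len(qs) / inbound, 2),
            })
    return findings


if __name__ == "__main__":
    for finding in find_amplification(parse_log(SAMPLE_LOG)):
        print(finding)
```

The thresholds are deliberately low so the twelve-line sample trips them; on a production resolver, tune min_queries against the per-zone baseline over a sliding window, and treat the server list in a finding as the set of authoritative servers that need to be told they are being targeted.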
How to Mitigate CVE-2020-10995
Immediate Actions Required
- Upgrade PowerDNS Recursor to version 4.1.16, 4.2.2, or 4.3.1 or later immediately; on Debian, Fedora and openSUSE install the distribution's updated package, which may carry the fix as a backport under an older upstream version number
- Review DNS infrastructure for signs of amplification abuse
- If an upgrade is not immediately possible, lower max-qperq (the Recursor's cap on outgoing queries per client query) as a partial stop-gap; it bounds the damage a single client query can do but cannot tell the attack apart from legitimate resolution
- Monitor DNS traffic for anomalous patterns during the upgrade window
Patch Information
PowerDNS has released patched versions that include mitigations to limit the impact of this DNS protocol issue; the advisory describes them as limiting the impact, not as removing the protocol-level weakness. The fixed releases also introduce a max-ns-address-qperq setting that bounds the number of NS address lookups performed per client query (confirm the name and default against the settings reference for your release). The following versions contain the security fix:
- PowerDNS Recursor 4.1.16
- PowerDNS Recursor 4.2.2
- PowerDNS Recursor 4.3.1
For detailed patch information, refer to the PowerDNS Security Advisory 2020-01. Distribution-specific patches are available through Debian Security Advisory DSA-4691, Fedora package repositories, and openSUSE security updates.
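An added example (not PowerDNS code) of the version check a practitioner would want before and after the upgrade. It classifies a version string against the affected range 4.1.0 through 4.3.0 with the fixed point releases 4.1.16, 4.2.2 and 4.3.1 carved out; the output of pdns_recursor --version is only assumed to contain an x.y.z version number, and the installed_status helper is the example's own.

```python
"""Added example: is this PowerDNS Recursor version in the affected range?

Not PowerDNS code. Fixed releases are the advisory's; the --version output
format is assumed only to contain an x.y.z version somewhere.
"""
import re
import shutil
import subprocess

FIRST_AFFECTED = (4, 1, 0)
LAST_AFFECTED_BRANCH = (4, 3)
FIXED_IN = {(4, 1): (4, 1, 16), (4, 2): (4, 2, 2), (4, 3): (4, 3, 1)}


def parse_version(text):
    """First x.y.z in the text as a tuple, or None if there is none."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected(text):
    """True for 4.1.0 .. 4.3.0 minus the fixed point releases. A plain range
    compare is wrong here: 4.1.16 and 4.2.2 sort below 4.3.0 yet are fixed,
    so the check must look at the release branch."""
    v = parse_version(text)
    if v is None:
        raise ValueError(f"no version in {text!r}")
    branch = v[:2]
    if v < FIRST_AFFECTED or branch > LAST_AFFECTED_BRANCH:
        return False
    fix = FIXED_IN.get(branch)
    return fix is None or v < fix


def installed_status():
    """Run the installed binary, if any, and classify its version. Distribution
    packages may carry the fix as a backport without changing the upstream
    version (Debian's DSA-4691 is one such case), so for those check the
    package changelog rather than trusting this output alone."""
    exe = shutil.which("pdns_recursor")
    if exe is None:
        return None
    proc = subprocess.run([exe, "--version"], capture_output=True, text=True)
    text = proc.stdout + proc.stderr
    version = parse_version(text)
    if version is None:
        return {"version": None, "affected": None}
    return {"version": version, "affected": is_affected(text)}


if __name__ == "__main__":
    for s in ("4.1.15", "4.1.16", "4.3.0", "4.3.1", "4.0.9"):
        print(s, "affected" if is_affected(s) else "not affected")
    print("installed:", installed_status())
```

The branch-aware compare is the point of the example: a fleet inventory that checks "version between 4.1.0 and 4.3.0" will keep reporting hosts on 4.1.16 or 4.2.2 as vulnerable, and one that checks "version at least 4.3.1" will flag the same hosts as needing an upgrade they do not need.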
Workarounds
- Implement DNS response rate limiting (RRL) on the targeted authoritative servers; note that RRL only trims the replies those servers send, it does not reduce the inbound query load the attack generates
- Rate-limit outbound DNS queries from recursive resolvers at the firewall only as a last resort: a blunt limit drops legitimate lookups together with the attack traffic, so prefer caps inside the resolver
- Deploy DNS traffic monitoring to detect and block suspicious query patterns
- Consider implementing DNS resolver access controls to limit who can use the recursive service
# Example: Upgrade PowerDNS Recursor on Debian-based systems
apt-get update
apt-get install --only-upgrade pdns-recursor
# Verify the upstream version reported by the binary ...
pdns_recursor --version
# ... and the distribution package version, which is what DSA-4691 refers to,
# since Debian may ship the fix as a backport under an older upstream version
dpkg -s pdns-recursor | grep '^Version'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

