The worst DNS security breach in history almost left the entire planet without Internet


DNS servers are responsible for converting the names we type into the browser (for example, “www.adslzone.net”) into the IP address of the server so that a connection can be established. Today it would be impossible to conceive of the Internet without them, since nobody is going to memorize the IP addresses of the servers they want to reach, even less so with the rise of IPv6. But one vulnerability almost took down the entire network of DNS servers on the planet, and with it the Internet as we know it.

For more than two decades, a security flaw has been present in the design of DNSSEC, the DNS Security Extensions. The flaw has been named “KeyTrap”, and it was discovered by the National Research Center for Applied Cybersecurity ATHENE together with researchers from Goethe University Frankfurt, Fraunhofer SIT and the Technical University of Darmstadt.

What KeyTrap is and why it is so dangerous

DNSSEC validates the cryptographic keys and signatures published by DNS servers to guarantee that the IP address resolved for a domain is the genuine one and has not been spoofed by attackers. To do this, every key for a zone is delivered to the validating resolver, including keys that are not correct, and the resolver must try them all in order to complete validation. Although not everyone uses this security measure when making DNS queries, it is estimated that 30% of users around the world have it activated.

What the KeyTrap flaw discovered by these researchers does is multiply by two million the number of instructions the server’s CPU must process before it can resolve a name and send the IP address back to whoever requested it. This increase can cause a single DNS request to take between 56 seconds and 16 hours to resolve, and it is triggered by a single packet sent to the DNS server. Imagine what would happen with millions of such requests sent from a botnet at the same time.
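To make the validation-work argument above concrete, here is an added Python model written for this page (it is not the researchers’ code and performs no real DNS or cryptography): a resolver that, as the standard requires, tries every signature against every key with a matching key tag, beside a hardened resolver that gives up after a bounded number of failed verifications. The key tag value and the failure budget of 16 are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed stand-ins for DNSKEY and RRSIG records; no real key material.
@dataclass(frozen=True)
class DNSKEY:
    key_tag: int
    key_id: str        # represents the public key itself

@dataclass(frozen=True)
class RRSIG:
    key_tag: int
    signed_by: str     # key_id that produced the signature; "" means it verifies with nothing

def verify(sig: RRSIG, key: DNSKEY) -> bool:
    """Stand-in for one expensive public-key signature check (constructed)."""
    return sig.signed_by == key.key_id

def validate_rfc(keys, sigs):
    """Standard behaviour: try each RRSIG against every DNSKEY whose key tag
    matches, until one verifies. Returns (secure, verification_attempts)."""
    attempts = 0
    for sig in sigs:
        for key in keys:
            if key.key_tag != sig.key_tag:
                continue
            attempts += 1
            if verify(sig, key):
                return True, attempts
    return False, attempts          # bogus: every combination was tried

def validate_capped(keys, sigs, max_failures=16):
    """Hardened behaviour: stop and treat the answer as bogus once the budget
    of failed verifications is spent, bounding CPU work per query."""
    attempts = failures = 0
    for sig in sigs:
        for key in keys:
            if key.key_tag != sig.key_tag:
                continue
            attempts += 1
            if verify(sig, key):
                return True, attempts
            failures += 1
            if failures >= max_failures:
                return False, attempts
    return False, attempts

def worst_case_input(n_keys: int, n_sigs: int):
    """Constructed worst case: n_keys keys sharing one key tag and n_sigs
    signatures naming that tag, none of which verifies -> n_keys * n_sigs checks."""
    keys = [DNSKEY(key_tag=12345, key_id=f"k{i}") for i in range(n_keys)]
    sigs = [RRSIG(key_tag=12345, signed_by="") for _ in range(n_sigs)]
    return keys, sigs
```

Run `validate_rfc(*worst_case_input(10, 10))` and the standard resolver performs 100 signature checks for one answer, while `validate_capped` stops after 16; the quadratic growth in keys times signatures is the lever the article describes, and the budget is the shape of the mitigation.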

The researchers have shown that this security flaw affects all DNS resolvers, including the most well-known and widely used ones from Google (8.8.8.8), IBM (9.9.9.9) and Cloudflare (1.1.1.1). If it had been exploited, the DNS servers would have stopped working, leaving the Internet practically unusable worldwide. It would even have taken down other security measures that depend on DNS, such as anti-spam filters, public key infrastructures (PKI) and other systems such as RPKI.

Despite this, and despite being considered “the worst DNS attack in history”, the flaw has only been given a “High” severity rating, with a CVSS 3.1 score of 7.5 points. Too little, considering that the attack could have taken down the Internet worldwide for days.

DNS bug fixed

Luckily, this vulnerability fell into the hands of security researchers rather than hackers. Since late 2023 they have been working with the major Internet companies not only to fix the vulnerability, but also to mitigate potential similar vulnerabilities in the future.

Akamai, for example, has applied the fix across the DNSi recursive resolvers in its network, together with other products such as CacheServe and AnswerX, which are managed from the cloud, so that they are protected against similar DoS attacks in the future. Google and Cloudflare have also deployed these security measures, followed by the rest of the DNS resolver operators.

Now KeyTrap is nothing more than history: an anecdote about something very serious that could have happened had it fallen into the wrong hands, as happened with Heartbleed or Log4j.
