NRDelegationAttack: Complexity DDoS attack on DNS Recursive Resolvers

Yehuda Afek, Anat Bremler-Barr, Shani Stajnrod
USENIX Security 2023
Conferences & Workshops
DDoS attack, DNS security


Malicious actors carrying out distributed denial-of-service (DDoS) attacks look for requests that consume a large amount of the target's resources; such requests are their ammunition. We present a severe complexity attack on DNS resolvers in which a single malicious query can significantly increase the resolver's CPU load, and even a few such concurrent queries can exhaust its resources and deny service to legitimate clients. This is unlike most recent DDoS attacks on DNS servers, which rely on communication amplification, where a single query triggers a large number of message exchanges between DNS servers.

The attack involves a malicious client whose request to the target resolver is forwarded to a collaborating malicious authoritative server. That server returns a carefully crafted referral (delegation) response to the victim resolver, which starts a chain reaction: the resolver follows the delegation and issues further queries that ultimately direct it to a server that does not respond to DNS queries. Following the referral generates a long sequence of cache and memory accesses that dramatically increase the CPU load on the target resolver; hence the name non-responsive delegation attack, or NRDelegationAttack.

We demonstrate that three major resolver implementations, BIND9, Unbound, and Knot Resolver, are affected by the NRDelegationAttack, and carry out a detailed analysis of the amplification factor on a BIND9-based resolver. As a result of this work, three Common Vulnerabilities and Exposures (CVE) identifiers were issued for the NRDelegationAttack by the maintainers of these resolver implementations. We also carried out minimal testing on 16 open resolvers, confirming that the attack affects them as well.
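As an added illustration (not code from the paper, nor from BIND, Unbound or Knot), the following toy cost model shows why a referral whose name servers never answer turns one client query into a long sequence of cache lookups and upstream queries, and why capping the number of NS targets a resolver chases per referral bounds that cost. The `ToyResolver` class, the fixed retry count per silent target, the cache lookup before each send, the 1500 glueless NS names in the crafted referral, and the cap of 20 used as a mitigation are all assumptions of this model, not the paper's measurements or the vendors' actual fixes.

```python
"""Toy cost model of a recursive resolver following a crafted referral.

Constructed simulation added for illustration; it is not the paper's code and
does not reproduce any real resolver's algorithm. Retry counts, the number of
NS names, and the cap used as a mitigation are assumed parameters.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Referral:
    """A delegation response: NS names in the authority section plus optional glue."""
    zone: str
    ns_names: List[str]
    glue: Dict[str, str] = field(default_factory=dict)  # NS name -> IP address


@dataclass
class Work:
    """Work the resolver spent on one client query."""
    upstream_queries: int = 0
    cache_lookups: int = 0

    def total(self) -> int:
        return self.upstream_queries + self.cache_lookups


class ToyResolver:
    def __init__(self, retries_per_target: int = 3, max_ns_followed: Optional[int] = None):
        self.retries = retries_per_target   # assumed: sends to a silent target before giving up
        self.max_ns = max_ns_followed       # assumed mitigation: cap on NS targets chased per referral
        self.cache: Dict[str, str] = {}     # NS name -> IP learned earlier

    def handle_query(self, referral: Referral, responsive: Dict[str, bool]) -> Work:
        """Process one client query whose first upstream answer is `referral`.

        `responsive` maps a target (IP or 'resolve:<ns name>') to whether it answers.
        """
        work = Work(upstream_queries=1)  # the query that produced the referral
        targets = referral.ns_names if self.max_ns is None else referral.ns_names[: self.max_ns]
        for ns in targets:
            work.cache_lookups += 1
            addr = self.cache.get(ns) or referral.glue.get(ns)
            # Without glue the resolver must resolve the NS name itself. In this toy the
            # server that could answer is the same silent one, so it costs the same
            # retries as querying an address directly (assumption of the model).
            target = addr if addr is not None else f"resolve:{ns}"
            for _ in range(self.retries):
                work.cache_lookups += 1   # assumed: cache re-checked before each send
                work.upstream_queries += 1
                if responsive.get(target, False):
                    return work           # an answer arrived; the client query is served
        return work                       # every target stayed silent: SERVFAIL


def benign_referral() -> Referral:
    # Constructed: one NS with glue; the server answers (documentation-prefix address).
    return Referral("example.", ["ns1.example."], glue={"ns1.example.": "192.0.2.1"})


def crafted_referral(n_ns: int = 1500) -> Referral:
    # Constructed: many NS names, no glue; the NS names' server never answers.
    return Referral("attacker.example.", [f"ns{i}.attacker.example." for i in range(n_ns)])


def amplification(resolver: ToyResolver, n_ns: int = 1500) -> float:
    """Work for one crafted query divided by work for one benign query."""
    benign = resolver.handle_query(benign_referral(), {"192.0.2.1": True}).total()
    crafted = resolver.handle_query(crafted_referral(n_ns), {}).total()
    return crafted / benign


if __name__ == "__main__":
    print("unbounded:", amplification(ToyResolver()))
    print("capped at 20 NS targets:", amplification(ToyResolver(max_ns_followed=20)))
```

In this model the per-query cost grows as (number of NS names) x (retries per silent target), with the benign query costing a constant four operations, so the ratio is driven entirely by how many targets the resolver is willing to chase before giving up; the cap turns an attacker-controlled multiplier into a constant. Real resolvers do more per target (address lookups for each NS name, timeouts, work queues), which is what the paper measures on BIND9.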


April 3, 2023
CVE-2022-2795 BIND
April 2, 2023
CVE-2022-3204 Unbound
April 3, 2023
CVE-2022-40188 Knot

Supplemental Material

April 5, 2023
USENIX'23 Artifact Appendix: NRDelegationAttack: Complexity DDoS attack on DNS Recursive Resolvers


title={NRDelegationAttack: Complexity DDoS attack on DNS Recursive Resolvers},

author={Afek, Yehuda and Bremler-Barr, Anat and Stajnrod, Shani},