Researchers Discover New DNS Vulnerability With Nation-State Spying Capabilities

Recently, a new DNS vulnerability was discovered. According to the researchers, the flaw can give attackers nation-state-level spying capabilities and access to information on personal and corporate networks. The vulnerability has major implications for DNS-as-a-Service (DNSaaS) providers.

Researchers from Wiz, a cloud infrastructure security company, examined the vulnerability on Amazon Route 53 and discovered the attack method. They said, “We found a simple loophole that allowed us to intercept a portion of worldwide dynamic DNS traffic going through managed DNS providers like Amazon and Google.”

The researchers claimed that the flaw can affect private and governmental agencies all over the world. “The dynamic DNS traffic we ‘wiretapped’ came from over 15,000 organisations, including Fortune 500 companies, 45 U.S. government agencies, and 85 international government agencies,” Wiz stated.

The flaw can also lead to DNS hijacking. The research shows that a domain name (such as amazonaws.com) can be linked to an Amazon S3 bucket whose host resides in Route 53, after which a change record is created and associated with that domain name. This lets an attacker redirect traffic via a domain name they control, bypassing the protections AWS put in place.

“Whenever a DNS client queries this name server about itself (which thousands of devices do automatically to update their IP address within their managed network – more on that in a minute), that traffic goes directly to our IP address,” the Wiz researchers stated. 

Possible Impact of the New DNS Vulnerability 

Based on the test they carried out, the Wiz researchers reportedly received DNS traffic from over 15,000 organizations. The data included IP addresses, office locations, and usernames.

Researchers say the issue is related to an algorithm that Windows devices use to find and update a master DNS server when IP addresses change. “[The leaked traffic] gives anyone a bird’s eye view on what’s happening inside companies and governments. We liken this to having nation-state level spying capability, and getting it was as easy as registering a domain,” the Wiz researchers stated.

The researchers demonstrated the potential impact of an attack by using the data harvested from the traffic of over 40,0000 servers to map where employees of a major services company live.

The data received also included employee details and sensitive information about the organization’s infrastructure. Combined with the information found on most corporate websites, this gives a threat actor an overview of employees, locations, structures, and other details that could be used to breach a network.

Presenting at Black Hat, the researchers said, “The impact is huge. Out of six major DNSaaS providers we examined, three were vulnerable to nameserver registration. Any cloud provider, domain registrar, and website host who provides DNSaaS could be vulnerable.”

The researchers added that there is no evidence the DNS vulnerability was previously exploited in the wild. However, anyone who knew about it and had some skill could have abused it for more than a decade.

Fixing the DNS Vulnerability

After being notified, Amazon and Google fixed the flaw. However, the Wiz researchers believe other DNS providers could still be vulnerable and could expose millions to the attack.

The researchers also notified Microsoft, which responded that it was a “known misconfiguration that occurs when an organization works with external DNS resolvers,” and not a vulnerability.

Since Microsoft, which controls the dynamic DNS algorithm, maintains that this is not a vulnerability, it is unclear who should fix this critical DNS bug.

Wiz says that service providers can take steps to prevent data leakage and DDoS attacks, and that organizations can prevent data leakage by properly configuring their DNS resolvers.

Microsoft’s recommendation is to use different DNS names and zones for internal and external hosts and to follow its instructions on properly configuring Dynamic Updates in Windows. This reduces the risk of conflicts and makes it easier for computers on the local network to update their DNS records automatically.

Managed DNS providers can also fix the DNS hijacking issue by verifying and validating domain names before allowing customers to register them, and by following the RFC guidance on “reserved names”.

Organizations using managed DNS servers can prevent leaks of their internal network traffic by reconfiguring their dynamic DNS updates and modifying the default Start of Authority (SOA) record.
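The two mitigations above can be expressed as checks. The following is an added example written for this article, not code from Wiz or from any DNS provider; all names (ns1.example-dns.net, corp.example) are constructed placeholders rather than real nameservers. It implements a provider-side reserved-name check that refuses zone registrations colliding with the provider's own nameserver hostnames, and a customer-side check that flags a zone whose SOA primary (MNAME) points at a provider nameserver rather than a host the organization runs.

```python
# Added example (not from the article or from Wiz): defender-side checks for the
# two mitigations above. All names are constructed placeholders, not real nameservers.

def labels(name: str) -> list[str]:
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def same_or_ancestor(zone: str, name: str) -> bool:
    """True if zone equals name or is a parent of it (dns.example vs ns1.dns.example)."""
    z, n = labels(zone), labels(name)
    return len(z) <= len(n) and n[len(n) - len(z):] == z

# Provider side: the "reserved names" check. A customer zone that equals one of the
# provider's own nameserver hostnames, sits above it, or sits below it would let that
# customer answer queries for the nameserver's own name, so registration is refused.
def zone_is_reserved(candidate: str, provider_nameservers: list[str]) -> bool:
    return any(same_or_ancestor(candidate, ns) or same_or_ancestor(ns, candidate)
               for ns in provider_nameservers)

# Customer side: Windows dynamic-update clients send their updates to the host named
# in the zone's SOA MNAME field. If that host is the managed provider's nameserver and
# not a server the organization runs, the updates leave the network; flag it.
def soa_mname_status(soa_mname: str, own_zones: list[str],
                     provider_nameservers: list[str]) -> str:
    if any(same_or_ancestor(z, soa_mname) for z in own_zones):
        return "ok"            # MNAME lives inside a zone the organization controls
    if any(same_or_ancestor(ns, soa_mname) for ns in provider_nameservers):
        return "leak-risk"     # MNAME is (under) a provider nameserver: change the SOA
    return "review"            # MNAME is some third host; confirm who operates it

if __name__ == "__main__":
    PROVIDER_NS = ["ns1.example-dns.net", "ns2.example-dns.net"]  # constructed names
    for zone in ["customer.example", "ns1.example-dns.net", "example-dns.net"]:
        print(zone, "reserved" if zone_is_reserved(zone, PROVIDER_NS) else "allowed")
    print(soa_mname_status("ns1.example-dns.net", ["corp.example"], PROVIDER_NS))  # leak-risk
    print(soa_mname_status("dc1.corp.example", ["corp.example"], PROVIDER_NS))     # ok
```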

Conclusion

Wiz researchers discovered a new DNS flaw that can lead to DDoS attacks and was shown in testing to provide nation-state-level spying capability. The flaw can affect businesses and individuals as well as government agencies, exposing sensitive information about employees and disrupting business operations. Amazon and Google fixed the issue in their systems, but Microsoft insists that there is no vulnerability.

Wiz researchers advised organizations to update their DNS configuration and take cybersecurity seriously to prevent DDoS attacks.
