
CVE-2022-3204: n/a in NLnet Labs Unbound

High
Published: Mon Sep 26 2022 (09/26/2022, 13:41:46 UTC)
Source: CVE
Vendor/Project: NLnet Labs
Product: Unbound

Description

A vulnerability named 'Non-Responsive Delegation Attack' (NRDelegation Attack) has been discovered in various DNS resolving software. The NRDelegation Attack works by having a malicious delegation with a considerable number of non-responsive nameservers. The attack starts by querying a resolver for a record that relies on those unresponsive nameservers. The attack can cause a resolver to spend a lot of time and resources resolving records under a malicious delegation point where a considerable number of unresponsive NS records reside. It can trigger high CPU usage in some resolver implementations that continually look in the cache for resolved NS records in that delegation. This can lead to degraded performance and eventually denial of service in orchestrated attacks. Unbound does not suffer from high CPU usage, but resources are still needed for resolving the malicious delegation. Unbound will keep trying to resolve the record until hard limits are reached. Based on the nature of the attack and the replies, different limits could be reached. From version 1.16.3 on, Unbound introduces fixes for better performance when under load, by cutting opportunistic queries for nameserver discovery and DNSKEY prefetching and limiting the number of times a delegation point can issue a cache lookup for missing records.

AI-Powered Analysis

Last updated: 07/03/2025, 11:44:13 UTC

Technical Analysis

CVE-2022-3204, known as the Non-Responsive Delegation Attack (NRDelegation Attack), is a vulnerability affecting DNS resolving software, specifically the NLnet Labs Unbound DNS resolver. The attack exploits the way DNS resolvers handle delegations with multiple non-responsive nameservers. An attacker configures a malicious delegation containing a significant number of unresponsive NS records. When a resolver queries for a DNS record under this delegation, it attempts to contact these non-responsive nameservers repeatedly. This behavior causes the resolver to consume excessive time and computational resources, leading to degraded performance and potentially denial of service (DoS). While some resolver implementations suffer from high CPU usage due to continuous cache lookups for resolved NS records, Unbound does not experience high CPU load but still expends considerable resources trying to resolve the malicious delegation until internal hard limits are reached. To mitigate this, from version 1.16.3 onwards, Unbound introduced improvements that reduce opportunistic queries for nameserver discovery and DNSKEY prefetching and limit the number of cache lookups per delegation point. The vulnerability is classified under CWE-400 (Uncontrolled Resource Consumption) and has a CVSS v3.1 score of 7.5 (high severity), reflecting its potential to cause denial of service without impacting confidentiality or integrity. No known exploits are currently reported in the wild, but the attack vector is straightforward and does not require authentication or user interaction, making it a credible threat to DNS infrastructure relying on vulnerable Unbound versions or similar resolvers.

Potential Impact

For European organizations, this vulnerability poses a significant risk to the availability and reliability of DNS resolution services, a critical component of network infrastructure. DNS resolver degradation or denial of service can disrupt access to internal and external resources, impacting business operations, communications, and online services. Organizations relying on Unbound as their DNS resolver, including ISPs, enterprises, and government agencies, may experience service interruptions or degraded network performance during an attack. Given the foundational role of DNS in internet and intranet connectivity, such disruptions could cascade into broader operational challenges. Additionally, the attack could be leveraged as part of a larger distributed denial of service (DDoS) campaign or to amplify other network attacks. The absence of confidentiality or integrity impact limits the threat to availability, but availability is critical for operational continuity. The fact that exploitation requires no privileges or user interaction increases the risk profile, especially for public-facing DNS resolvers or those exposed to untrusted networks.

Mitigation Recommendations

European organizations should ensure that all Unbound DNS resolver deployments are updated to version 1.16.3 or later, which includes performance improvements and limits to mitigate the NRDelegation Attack. Network administrators should audit their DNS infrastructure to identify and isolate any resolvers running vulnerable versions. Implementing rate limiting and query timeout configurations can help reduce resource exhaustion during suspicious query patterns. Monitoring resolver performance metrics and DNS query logs for anomalies such as repeated queries to unresponsive nameservers or unusual query volumes can provide early detection of attack attempts. Where possible, deploying DNS resolvers behind firewalls or access controls to restrict exposure to untrusted networks can reduce attack surface. Organizations should also consider using DNS resolver software that has implemented similar mitigations against NRDelegation attacks. Collaboration with upstream DNS providers to filter or block malicious delegations may further reduce risk. Finally, integrating DNS resolver health checks and failover mechanisms can help maintain service availability during attack conditions.


Technical Details

Data Version: 5.1
Assigner Short Name: NLnet Labs
Date Reserved: 2022-09-13T00:00:00.000Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d981fc4522896dcbdc321

Added to database: 5/21/2025, 9:08:47 AM

Last enriched: 7/3/2025, 11:44:13 AM

Last updated: 8/14/2025, 11:18:25 PM
