This could have been used to carry out denial-of-service attacks across the Internet, the company said in a statement.
The vulnerability, given the name TsuNAME, was spotted in February 2020 in the .nz registry.
The vulnerability needed cyclic dependent NS records and vulnerable resolvers to be exploited; user queries would serve to start or drive the process.
|
The problem was studied and replicated by experts from InternetNZ, SIDN Labs (the organisation running .nl), and the University of Southern California Information Science Institute (USC/ISI).
"Google Public DNS was the main affected party by this vulnerability," said InternetNZ's chief ccientist Sebastian Castro.
"They received a private responsible disclosure from our group in October 2020 and have repaired their code since then. We also reached out to Cisco, whose Public DNS was affected as well, and it is now fixed."
The research group has published a tool known as CycleHunter to check for the TsuNAME flaw. A security advisory and a technical paper have also been issued.