Ghost Domain Names: Revoked Yet Still Resolvable

Attackers often use domain names for various malicious purposes such as phishing, botnet command and control, and malware propagation. An obvious strategy for preventing these activities is deleting the malicious domain from the upper-level DNS servers. In this paper, we show that this is insufficient. We demonstrate a vulnerability affecting the large majority of popular DNS implementations which allows a malicious domain name to stay resolvable long after it has been removed from the upper-level servers. Our experiments with 19,045 open DNS servers show that even one week after a domain name has been revoked and its TTL expired, more than 70% of the servers will still resolve it. Finally, we discuss several strategies to prevent this attack.
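The measurement the abstract describes, reduced to a defender's audit check, as an added example that is not the paper's code: a stdlib-only Python probe that asks a parent (TLD) authoritative server whether a name is still delegated and then asks a set of resolvers whether they still answer for it. The domain, the TLD server address and the resolver addresses are placeholders to be supplied by the operator; the delegation test is a header-level heuristic (NXDOMAIN versus a NOERROR referral), not a full parse of the authority section.

```python
import random
import socket
import struct

def build_query(name, qtype=1, txid=None):
    """Encode a minimal DNS query with RD set; qtype 1 = A, 2 = NS."""
    txid = random.randrange(0x10000) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_response(data):
    """Pull transaction id, RCODE and section counts out of a reply header."""
    txid, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": txid, "rcode": flags & 0x000F, "ancount": an, "nscount": ns}

def query(server, name, qtype=1, timeout=3.0):
    """Send one UDP query to `server`; parsed header, or None on timeout / id mismatch."""
    req = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(req, (server, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    resp = parse_response(data)
    return resp if resp["id"] == struct.unpack("!H", req[:2])[0] else None

def is_delegated(parent_reply):
    """Live delegation: NOERROR referral carrying NS records in the authority section.
    A revoked name comes back from the parent as NXDOMAIN (rcode 3)."""
    return parent_reply["rcode"] == 0 and parent_reply["nscount"] > 0

def classify(parent_reply, resolver_replies):
    """Resolvers that still hand out answers for a name the parent no longer delegates."""
    if is_delegated(parent_reply):
        return []
    return [srv for srv, rep in resolver_replies.items()
            if rep is not None and rep["rcode"] == 0 and rep["ancount"] > 0]

if __name__ == "__main__":
    # Assumed inputs (placeholders): a revoked domain, a TLD authoritative server, resolvers to audit.
    DOMAIN, TLD_SERVER = "revoked-example.test", "192.0.2.53"
    RESOLVERS = ["198.51.100.1", "198.51.100.2"]
    parent = query(TLD_SERVER, DOMAIN, qtype=2)
    if parent is None:
        raise SystemExit("no answer from the parent server; cannot judge the delegation")
    print("still resolving:", classify(parent, {r: query(r, DOMAIN) for r in RESOLVERS}))
```

Run it periodically against your own recursive resolvers after a takedown; any resolver listed is still serving the revoked name from cache and should be flushed and its caching policy reviewed.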
