Zombie Awakening: Stealthy Hijacking of Active Domains through DNS Hosting Referral

In recent years, the security implications of stale NS records, which point to a nameserver that no longer resolves the domain, have come to light. Prior research studied stale DNS records that point to expired domains. The popularity of DNS hosting services introduces a new category of stale NS record, one that resides in the domain's own zone (instead of the TLD zone) for an active domain. To the best of our knowledge, the security risk of this kind of stale NS record has never been studied before. In our research, we show that this new type of stale NS record can be practically exploited, causing a stealthier hijack of domains associated with the DNS hosting service. We also performed a large-scale analysis on over 1M high-profile domains, 17 DNS hosting providers and 12 popular public resolver operators to confirm the prevalence of this security risk. Our research further discovers 628 hijackable domains (e.g., 6 government entities and 2 payment services), 14 affected DNS hosting providers (e.g., Amazon Route 53), and 10 vulnerable public resolver operators (e.g., CloudFlare). Furthermore, we conducted an in-depth measurement analysis on them, thus providing a better understanding of this new security risk. We also explore the mitigation techniques that can be adopted by the different affected parties.
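As an added example (not code from the paper), a small delegation audit a domain owner can run: it compares the parent (TLD) NS set against the domain's own apex NS RRset and flags any nameserver that no longer answers authoritatively for the zone, separating the in-zone stale case this abstract describes from a plain stale delegation or a parent/child mismatch. The nameserver names, the serving table and the `is_authoritative` probe are constructed stand-ins for live DNS queries.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable

# Status labels for each nameserver named by either side of the delegation.
OK = "ok"
STALE_IN_ZONE = "stale-in-zone-ns"        # only the child's apex NS RRset lists it; dead
STALE_DELEGATION = "stale-delegation-ns"  # the parent (TLD) zone lists it; dead
MISMATCH = "parent-child-mismatch"        # still serves the zone, but only one side lists it

@dataclass(frozen=True)
class NsFinding:
    nameserver: str
    in_parent: bool
    in_child: bool
    authoritative: bool

    @property
    def status(self) -> str:
        if not self.authoritative:
            return STALE_DELEGATION if self.in_parent else STALE_IN_ZONE
        return OK if (self.in_parent and self.in_child) else MISMATCH

def audit_delegation(domain: str, parent_ns: Iterable[str], child_ns: Iterable[str],
                     is_authoritative: Callable[[str, str], bool]) -> Dict[str, NsFinding]:
    """Classify every nameserver in the union of the parent and child NS sets.
    is_authoritative(ns, domain) stands in for a live probe: ask ns for the zone's SOA
    with recursion disabled and accept only an answer carrying the AA flag."""
    canon = lambda names: {n.lower().rstrip(".") + "." for n in names}  # case/trailing dot
    parent, child = canon(parent_ns), canon(child_ns)
    return {ns: NsFinding(ns, ns in parent, ns in child, is_authoritative(ns, domain))
            for ns in sorted(parent | child)}

def stale_in_zone_nameservers(findings: Dict[str, NsFinding]) -> list:
    """The records this page is about: vouched for only by the child zone, and dead."""
    return sorted(ns for ns, f in findings.items() if f.status == STALE_IN_ZONE)

# Constructed sample (not real hosts): victim.example. moved from hosting-b to hosting-a and
# the TLD delegation was updated, but the old hosting-b nameserver stayed in the apex NS RRset.
SAMPLE_DOMAIN = "victim.example."
SAMPLE_PARENT_NS = ["ns1.hosting-a.example", "ns2.hosting-a.example", "ns3.hosting-a.example"]
SAMPLE_CHILD_NS = ["NS1.hosting-a.example.", "ns2.hosting-a.example.", "ns-old.hosting-b.example."]
SAMPLE_SERVING = {  # zones each nameserver still answers authoritatively for
    "ns1.hosting-a.example.": {"victim.example."}, "ns2.hosting-a.example.": {"victim.example."},
    "ns3.hosting-a.example.": {"victim.example."}, "ns-old.hosting-b.example.": set(),
}

def sample_probe(ns: str, domain: str) -> bool:
    return domain in SAMPLE_SERVING.get(ns, set())
```

Any nameserver reported as `stale-in-zone-ns` should be removed from the apex NS RRset (and the parent set re-checked) before the zone's name can be re-registered at that hosting provider by someone else.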
