Researchers Warn Of ‘Ghost Domain’ Flaw in DNS

Researchers are warning about a flaw in the Domain Name System (DNS) that could allow attackers to keep a malicious domain alive and accessible, despite efforts to remove it.

Researchers are warning about a flaw in the Domain Name System (DNS) that could allow attackers to keep a malicious domain alive and accessible, despite efforts to remove it.

A paper jointly authored by researchers in China, the United States and Spain found that a flaw in DNS allows deleted domains to persist in the cache of certain DNS servers – potentially forever.

The paper, “Ghost Domain Names: Revoked Yet Still Resolvable,” (PDF) was published on the Web site of ISC, the Internet Systems Consortium. In it, researchers from Tsinghua University in China, The Universities of Georgia and Oregon in the U.S.A. and Carlos III University in Madrid, Spain, discuss a vulnerability in a common feature of DNS servers known as DNS cache update that prevents the revocation of malicious domains. The flaw allows a knowledgeable attacker to force a DNS server to continue resolving requests for a malicious domain, even if it has otherwise been revoked and deleted from the global DNS, the researchers found.

“It’s definitely a bug.  It’s just a small one,” wrote security researcher and DNS expert Dan Kaminsky, in an e-mail. 

The vulnerability takes advantage of DNS’s structure, which Kaminsky likens to a “chain of trust.” “The root tells you where .com is, .com tells you where foo.com is, and so on.”  Each link in that chain has its own expiration date, or “Time to Live” (TTL).  “The bug is that a parent’s (domain) delegation can expire, but a child’s can remain, and in fact be refreshed through some creative queries,” Kaminsky wrote.

The “ghost domain,” then isn’t part of the DNS “hierarchy”, but is still being resolved by some DNS servers that are part of that hierarchy.

To exploit the vulnerability, attackers would first query a victim’s DNS resolver for a revoked domain to force the victim resolver to query the attacker’s authoritative DNS server before the delegation data expires. With that, the attackers can then piggyback new delegation data in the response from the authoritative server they control to the victim’s system.

Most DNS servers are vulnerable to the Ghost Domain attack, even in their latest iterations, including the common BIND server, the researchers found.

“We demonstrate that over 93% of experimental DNS resolvers are vulnerable and a large scale exploitation is practical,” the researchers wrote.

ISC recommended steps to identify ghost domains in the wild, but Kaminsky said its unlikely that attackers would opt to go through the trouble of creating ghost domains, given other options available to them.

“The attacker, at fairly high cost, can keep a domain on ‘life support’ within one recursive name server,” he wrote. “Annoying, and needs to be fixed, but just not that useful.  In the real world, attackers just go get another domain.”

The Ghost Domain problem is different from the so-called “Kaminsky Bug” – a vulnerability that could be used in cache poisoining attacks. That vulnerability was patched by most major DNS vendors. Also, domains that use the newer, secure DNS standard, DNSSEC, aren’t vulnerable to the Ghost Domain effect, because the trust model in DNSSEC is more explicit and wouldn’t allow a child DNS server to override a parent, Kaminsky said.

The lack of security in the DNS system is often abused by those who want to direct Internet users from legitimate domains to imposter sites, often for the purpose of collecting personal information or generating bogus traffic numbers for advertisers. A recent scam dubbed “Ghost Click” used a network of machines infected with malware known as “DNS Changer” to generate millions in advertising revenue for those behind the scheme.

Suggested articles

Discussion

  • Michael Argast on

    I have to agree with Kaminsky here. While this is an interesting exploit from a 'research' perspective, in reality that bad guys have no problems registering thousands of new domains on a regular basis, and there is value to them in having 'clean' new bad domains rather than historical domains kept alive. 

    Since many of the bad domains, despite resolving, would end up getting blocked by things like secure web gateways and brower security settings, OpenDNS, etc, there is little value to the bad guys in keeping domains around for any length of time.

  • Michael Argast on

    I have to agree with Kaminsky here. While this is an interesting exploit from a 'research' perspective, in reality that bad guys have no problems registering thousands of new domains on a regular basis, and there is value to them in having 'clean' new bad domains rather than historical domains kept alive. 

    Since many of the bad domains, despite resolving, would end up getting blocked by things like secure web gateways and brower security settings, OpenDNS, etc, there is little value to the bad guys in keeping domains around for any length of time.

  • Anonymous on

    I have to agree with Kaminsky here. While this is an interesting exploit from a 'research' perspective, in reality that bad guys have no problems registering thousands of new domains on a regular basis, and there is value to them in having 'clean' new bad domains rather than historical domains kept alive. 

    Since many of the bad domains, despite resolving, would end up getting blocked by things like secure web gateways and brower security settings, OpenDNS, etc, there is little value to the bad guys in keeping domains around for any length of time.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.