{{{
Stale NS records are dangerous. The actual state of affairs was investigated.
}}}
https://dl.acm.org/doi/abs/10.1145/3372297.3417864

{{{
only GoDaddy has protection in place to prevent one from claiming the domain not registered through his account.
}}}

== Zombie Awakening ==
{{{
CCS '20: Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security
Zombie Awakening: Stealthy Hijacking of Active Domains through DNS Hosting Referral Pages
Pages 1307–1322
Authors: Eihal Alowaisheq, Siyuan Tang, Zhihao Wang, Fatemah Alharbi, Xiaojing Liao, XiaoFeng Wang
Many of the authors are from Indiana University.
ACM Digital Library
}}}

=== ABSTRACT ===
In recent years, the security implication of stale NS records, which point to a nameserver that no longer resolves the domain, has been unveiled. Prior research studied the stale DNS records that point to expired domains. The popularity of DNS hosting services brings in a new category of stale NS records, which reside in the domain's zone (instead of the TLD zone) for an active domain. To the best of our knowledge, the security risk of this kind of stale NS record has never been studied before.

This looks like insufficient investigation to me.

In our research, we show that this new type of stale NS record can be practically exploited, causing a stealthier hijack of domains associated with the DNS hosting service. We also performed a large-scale analysis on over 1M high-profile domains, 17 DNS hosting providers and 12 popular public resolver operators to confirm the prevalence of this security risk. Our research further discovers 628 hijackable domains (e.g., 6 government entities and 2 payment services), 14 affected DNS hosting providers (e.g., Amazon Route 53), and 10 vulnerable public resolver operators (e.g., CloudFlare). Furthermore, we conducted an in-depth measurement analysis on them, thus providing a better understanding of this new security risk.
Also, we explore the mitigation techniques that can be adopted by different affected parties.

== history ==
{{{
Menaces of stale NS records in the SLD zone. In recent years, researchers have identified the security implications of stale NS records, where the nameserver that the record points to no longer resolves the domain. For instance, prior research [52] looks into dangling NS (Dare-NS) records, where the nameserver domains that NS records point to are expired and the adversary could purchase the domain to hijack this resource. Another example of domain hijacking through stale NS records emerges with the popularity of DNS hosting services (e.g., Amazon Route 53 [6] and GoDaddy DNS hosting [36]). At these services, users host their DNS records in the service provider’s nameservers. Once these records become stale, an adversary can claim the nameserver domain and direct the traffic. Some blog posts discussed the exploitation of this vulnerability [12, 13]. However, the proposed attack works effectively if stale NS records are in the TLD zone. Once a domain is hijacked, it could be easily noticed by the domain owner because such misconfiguration appears in the normal resolution path.
}}}

I think it is a misunderstanding to say this is confined to the TLD zone. The issue was pointed out for the TLD zone, but it holds at every level of the delegation chain.

[12] Matthew Bryant. 2016. Floating Domains – Taking Over 20K DigitalOcean Domains via a Lax Domain Import System. https://thehackerblog.com/floating-domains-taking-over-20k-digitalocean-domains-via-a-lax-domain-import-system/

[13] Matthew Bryant. 2016. The Orphaned Internet – Taking Over 120K Domains via a DNS Vulnerability in AWS, Google Cloud, Rackspace and Digital Ocean. https://thehackerblog.com/the-orphaned-internet-taking-over-120k-domains-via-a-dns-vulnerability-in-aws-google-cloud-rackspace-and-digital-ocean/
{{{
In our research, we found that the popularity of DNS hosting services brings in a new category of stale NS records – stale NS records in the SLD zone: unlike Dare-NS, the nameserver pointed to by the record still exists. Also, those stale NS records are in the SLD zone instead of TLD zone, which makes the misconfiguration difficult to discover. Specifically, the attacker can exploit this vulnerability to hijack a domain through a “hidden” resolution path. For example, stale NS records in the SLD zone exist when importing the domain’s zone information from one DNS hosting provider into a new DNS server, where the nameserver provided by the hosting provider no longer resolves the domain. After that, during the domain resolution, the stale NS record at the SLD zone will not be normally used unless cached, since the nameserver received from the TLD will directly return the A record to find out the domain’s IP address, as long as the NS records in the TLD zone (e.g., .com) are up-to-date (i.e., only pointing to the current nameserver). Our research shows that the stale NS records at the SLD can actually be practically exploited, causing a stealthy hijack of active domains.
}}}
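A defender-side audit for the condition described above, added here as an example (it is not code from the paper or from this page's author): compare the NS set delegated by the TLD with the NS set published in the domain's own zone, and flag nameservers that appear only in the SLD zone and no longer answer authoritatively. The function names, status labels, the probe format (rcode and AA flag of a non-recursive SOA query) and the sample data are assumptions constructed for illustration.

```python
from typing import Dict, Iterable, Optional, Tuple

# Result of a non-recursive SOA query sent to one nameserver for the domain:
# (rcode, AA flag). None means the query timed out. (Assumed probe format.)
Probe = Optional[Tuple[str, bool]]

def _norm(name: str) -> str:
    """Compare hostnames case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()

def still_serves(probe: Probe) -> bool:
    """Treat a server as serving the zone only if it answers NOERROR with AA set."""
    return probe is not None and probe[0] == "NOERROR" and probe[1]

def audit_ns(tld_ns: Iterable[str], sld_ns: Iterable[str],
             probes: Dict[str, Probe]) -> Dict[str, str]:
    """Classify every nameserver named in the TLD delegation or the SLD zone apex.

    A nameserver with no probe result is treated like a timeout.
    """
    parent = {_norm(n) for n in tld_ns}
    child = {_norm(n) for n in sld_ns}
    probed = {_norm(k): v for k, v in probes.items()}
    report = {}
    for ns in sorted(parent | child):
        if still_serves(probed.get(ns)):
            # Serving, but listed on one side only: a parent/child mismatch to review.
            report[ns] = "ok" if ns in parent and ns in child else "mismatch"
        elif ns in parent:
            # Stale record on the normal resolution path; breakage is visible.
            report[ns] = "stale-tld"
        else:
            # Stale record only in the domain's own zone: the hidden case above.
            report[ns] = "stale-sld-only"
    return report

# Constructed sample: zone imported to a new host, old provider's NS left behind.
SAMPLE_TLD_NS = ["ns1.newhost.example."]
SAMPLE_SLD_NS = ["ns1.newhost.example.", "NS-123.oldhost.example."]
SAMPLE_PROBES = {
    "ns1.newhost.example.": ("NOERROR", True),
    "ns-123.oldhost.example.": ("REFUSED", False),
}

if __name__ == "__main__":
    for ns, status in audit_ns(SAMPLE_TLD_NS, SAMPLE_SLD_NS, SAMPLE_PROBES).items():
        print(f"{ns}: {status}")
```

Any `stale-sld-only` result is an NS record to delete from the zone at the current DNS host.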