A revoked domain name can still be resolvable for a long time

1. Ghost Domain Reloaded

https://lixiang521.com/publication/ndss23/ phoenix domain

https://twitter.com/idealeer/status/1625191190730772480?s=20&t=K8PyEAccaivtBf7bi7EI0w

https://www.researchgate.net/publication/363270238_Ghost_Domain_Reloaded_Vulnerable_Links_in_Domain_Name_Delegation_and_Revocation

1.1. CVE-2022-30699

/CVE-2022-30699 Unbound

1.2. Knot resolver

/CVE-2022-30250 /CVE-2022-30251 RESERVED

/CVE-2022-30256 MaraDNS

1.3. almost expired

Novel "ghost domain names" attack by updating almost expired delegation information https://nlnetlabs.nl/projects/unbound/security-advisories/

A defect in Unbound

1.4. subdomain delegations

Novel "ghost domain names" attack by introducing subdomain delegations

Since Unbound is a child-centric resolver, the ever-updating child delegation information can keep a rogue domain name resolvable long after revocation.

From version 1.16.2 on, Unbound checks the validity of parent delegation records before using cached delegation information.
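A toy model of the two resolver behaviours described above, added here as an illustration (it is not Unbound's code or the paper's): a child-centric cache that lets every answer from the child's name server refresh the delegation, beside the mitigated variant that re-checks the parent's delegation before reusing a cached one. The TTL, time units and the name rogue.example are constructed.

```python
# Added toy model of the behaviour described above (not Unbound's code or the paper's).
# A child-centric resolver lets every answer from the child's name server refresh the
# cached NS records, so a domain whose parent delegation was revoked stays resolvable
# as long as it is queried once per TTL. The mitigation re-checks the parent delegation
# before reusing a cached one. Time is an integer counter; all names are constructed.
TTL = 10

class ParentZone:  # the parent (e.g. a TLD) serves the delegation until revocation
    def __init__(self, revoke_at):
        self.revoke_at = revoke_at

    def delegation(self, name, now):  # None models NXDOMAIN after revocation
        return ["ns1.rogue.example"] if now < self.revoke_at else None


class ChildServer:  # the rogue child keeps answering with fresh NS records
    def ns(self, name):
        return ["ns1.rogue.example"]


class Resolver:
    def __init__(self, verify_parent):
        self.verify_parent = verify_parent
        self.cache = {}  # name -> {"ns", "child_exp", "parent_exp"}

    def resolvable(self, name, parent, child, now):
        entry = self.cache.get(name)
        if entry and now < entry["child_exp"]:
            if self.verify_parent and now >= entry["parent_exp"]:
                # mitigation: parent-derived delegation expired, ask the parent again
                if parent.delegation(name, now) is None:
                    del self.cache[name]
                    return False
                entry["parent_exp"] = now + TTL
            # child-centric refresh: the child's NS answer restarts the timer
            entry["ns"], entry["child_exp"] = child.ns(name), now + TTL
            return True
        if parent.delegation(name, now) is None:
            self.cache.pop(name, None)
            return False
        self.cache[name] = {"ns": child.ns(name), "child_exp": now + TTL,
                            "parent_exp": now + TTL}
        return True


def simulate(verify_parent, revoke_at=20, until=60, step=5):
    # query times at which rogue.example still resolves; revocation happens at revoke_at
    resolver, parent, child = Resolver(verify_parent), ParentZone(revoke_at), ChildServer()
    return [t for t in range(0, until + 1, step)
            if resolver.resolvable("rogue.example", parent, child, t)]
```

With queries every 5 units and revocation at t=20, the child-centric resolver still answers at t=60, while the parent-checking one stops within one TTL of the revocation.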

A defect in Unbound

https://phoenixdomain.net/ /Introduction

Ghost Domain Reloaded: Vulnerable Links in Domain Name Delegation and Revocation https://lixiang521.com/publication/ndss23/

https://indico.dns-oarc.net/event/44/contributions/953/attachments/916/1702/OARC39_phoenix_li.pdf

Ghost Domain Reloaded: Vulnerable Links in Domain Name Delegation and Revocation
Xiang Li, Baojun Liu, Xuesong Bai, Mingming Zhang, Qifan Zhang, Zhou Li, Haixin Duan, and Qi Li (accepted by NDSS 2023)
Presenter: Xiang Li, Tsinghua University, October 23rd, 2022

 * What is phoenix domain
 * Proposed in NDSS 2023 by our NISL lab
 * Also making revoked domain names still resolvable on resolvers
 * Two new vulnerabilities in protocols or implementations
 * Two variations (T1 and T2)
 * Affecting all DNS implementations

Abstract

In this paper, we propose Phoenix Domain, a general and novel attack that allows adversaries to maintain the revoked malicious domain continuously resolvable at scale, which enables an old, mitigated attack, Ghost Domain. 
Phoenix Domain has two variations and affects all mainstream DNS software and public DNS resolvers overall because it does not violate any DNS specifications and best security practices. 
The attack is made possible by systematically “reverse engineering” the cache operations of 8 DNS implementations, and new attack surfaces are revealed in the domain name delegation processes.

We select 41 well-known public DNS resolvers and prove that all surveyed DNS services are vulnerable to Phoenix Domain, including Google Public DNS and Cloudflare DNS. 
Extensive measurement studies are performed with 210k stable and distributed DNS recursive resolvers, and results show that even after one month from domain name revocation and cache expiration, more than 25% of recursive resolvers can still resolve it. 

The proposed attack provides an opportunity for adversaries to evade the security practices of malicious domain take-down. 
We have reported discovered vulnerabilities to all affected vendors and suggested 6 types of mitigation approaches to them. 
Until now, 7 DNS software providers and 15 resolver vendors, including BIND, Unbound, Google, and Cloudflare, have confirmed the vulnerabilities, and some of them are implementing and publishing mitigation patches according to our suggestions. 

In addition, 9 CVE numbers have been assigned. 

The study calls for standardization to address the issue of how to revoke domain names securely and maintain cache consistency.

1.5. unbound

Unbound: CVE-2022-30698 CVE-2022-30699



MoinQ: DNS/脆弱性/Phoenix_domain (last edited 2023-06-26 18:36:27 by ToshinoriMaeno)