1. DNS/claims
Zombie Awaking より https://dl.acm.org/doi/abs/10.1145/3372297.3417864
4.2 Hijackable Domain Identification
1.1. Unauthorized claim analysis.
This analysis is used to find out whether a domain can be claimed on a DNS hosting provider by an unauthorized party.
Specifically, we first register a domain and then open two accounts with a provider: victim and attacker.
Through the victim account, an A record is configured to point to IP victim and NS records pointing to the provider is set at the SLD zone.
After confirming that the domain is indeed active, we remove the domain from the victim account.
Then, we confirm that the assigned nameservers respond with REFUSED status code when queried about the domain to verify that the domain is no longer active at the provider.
Next, we attempt to claim the domain and set a different A record pointing to IP attacker through the attack’s account with the same nameserver assigned to the victim (so the stale NS record can be used to hijack the domain).
In the case that the provider randomly assigns its nameservers, we continue to try until the same nameserver shows up to serve the claim.
This process can be automated when the DNS hosting provider offers APIs (e.g., Amazon Route 53) for adding a zone and setting the RRs.
DEA 1: resolvable by another nameserver at provider.
DEA 2: registration data at provider.
DEA 3: TLD restriction at provider.
The study of DNS hosting providers where the ad- versary can make unauthorized claims on another party’s domain. ( : PVDs dropped; : no PVDs dropped) • ◦ with prior research [42, 46], our study involves more resolve
DEA 3: TLD restriction at provider.
1.2. Findings
Findings. In our research, we evaluated all 1,304 PVDs that are associated with the selected providers using the four tests and obtained the results presented in Table 1.
Among the 17 providers studied, 14 allow unauthorized domain claims resulting in 628 PVDs.
Oracle Dyn no longer offers DNS hosting service, so all associated PVDs cannot be claimed and thus not included in our experiments.
The two remaining providers are SEO web hosting and CloudFlare.
From our analysis, we found that SEO web hosting refuses claims for a domain removed from their service stating that the domain already exists in their servers. This prevented reclaiming our do- main from the attackers account after we deleted it from victim account. However, it is not clear if this was a result of a security check or a failure to properly clean up the removed domains from their system.
We also found that CloudFlare, in particular, has a strong verification mechanism to prevent unauthorized claims of a domain.
Specifically, to prevent the abuse of stale records, when a client requests to add a domain to its service, it will first check the domain’s current records through DNS queries: if the SLDns of the domain already contains any nameserver pointing to CloudFlare it will assign a different set of nameservers to it, thus requiring the client to update the domain’s current records in order to activate the domain at this service.
In the experiment for DEA 1, we analyzed all PVDs associated with 11 affected providers. PVDs with Zref pointing to Amazon Route 53 were excluded from this test because Amazon Route 53 allows a domain to be active under more than one account with different NS records (Section 2.2). Thus, all its 75 associated PVDscan be exploited.
For the PVDs associated with the 11 providers, 155 of them have at least one nameserver that did not return REFUSED. Therefore, they were considered not exploitable.
When it comes to DEA 2, from the registrar information of the PVDs, 3 providers were found offering domain registration service, GoDaddy, Hetzner Online GmbH and RU Center. Among them, only GoDaddy has protection in place to prevent one from claiming the domain not registered through his account. As a result, 38 PVDs that have a Zref pointing to GoDaddy turned out to be not exploitable, since they are all registered through GoDaddy.
By running DEA 3 on all the providers, we observed that Domain.com stopped supporting the .ir domains, which leads to dropping 104 PVDs from our list.