1. 5 LAME DELEGATIONS INFERRED FROM ZONE FILES
Our first analysis uses the nine years of zone file data to identify unresolvable nameservers that cause lame delegations. We delineate three periods of a nameserver’s lifetime during which lame delegations occur, each period associated with different causes and implications. In this context, we characterize the prevalence of unresolvable nameservers and affected domains overall, how long domains are lame delegated, and how an unusual concentration in the .biz TLD reveals an undocumented registrar operational practice.
We then examine unresolvable nameservers and lame delegations longitudinally over the nine years, identifying trends, prominent events that indicate causes of large-scale lame delega-tions, and their associated risks
5.1 Methodology for static analysis 5.2 Prevalence of lame delegations 5.3 DROPTHISHOST anomaly 5.4 Duration of lame delegations 5.5 Lame delegations over time
5.5.1 Hijacking Risk.
Lame delegations can pose a risk to domain owners since attackers can take advantage of expired nameserver domains or typos to hijack domain resolutions.
Consider the events labeled “Hijacking Risk” in Figures 3—5. In May 2011 (H1in Fig-ure 3) roughly 29,000 domains pointed to three unresolvable name-servers. These lame delegations were a result of three nameservers created by the Conficker Working Group (CWG) to use for sink-holed and preemptively registered domains used by Conficker [23]. However, these nameserver domains expired and someone else acquired them, thus controlling resolution of the domains using those nameservers [5]. Further, in May 2015 (H3in Figure 4) the cwgsh nameserver registrations expired again.
In December 2016 (H4in Figure 5) nearly 100,000 domains suddenly become lame when their nameserver’s domain expired. Specif-ically, the domains using nameserver sns[1,2].oigjaeiug.xyz become unresolvable when the registered domain oigjaeiug.xyz expired. Surprisingly, domains continued to point to these unresolvable nameservers for five more months, until May 2017. Further,the domain oigjaeiug.xyz was available for registration at the end of this period, posing a hijacking risk: an attacker registering that domain name could immediately have become authoritative for domains that pointed to it in this period.
Finally, in December 2018 (H2in Figure 3) the appearance of roughly 20,000 lame delegated domains was due to the use of the unregistered nameserver ns5.dsndun.net, which is a typo on the intended ns5.dnsdun.com. The domain dsndun.net was registered six months later, but the historical zone files reveal that ns5.dsndun.net did not resolve to the same addresses asns5.dnsdun.net. In this case, whoever registered dsndun.net hijacked resolutions for nearly 20,000 domains for six months before the original domain owner removed the typoed nameserverfrom its list of authoritative nameservers.
Quantifying the Hijacking Risk:
To make this risk concrete, we quantified the hijacking opportunity, i.e., the potential to gainsome degree of DNS resolution control over currently lame delegated domains. Our zone file data showed that as of January 2020, there were 70,605 nameservers under 48,185 unique registered domains used by 151,422 lame delegated domains. Of these name-server domains, 42,579 (88%) were available for purchase, placingnearly 75,000 domains at risk. !!!!
For instance, by purchasing just 10 of these domains (each under $10 per domain), anyone could have potentially become the authoritative nameserver for around 4,000 domains. While these domains may not have much intrinsic value, they could be a source of cheap domains. For the cost of registering a nameserver domain, an actor effectively gains use of all domains that name it in their NS record.
Even though a purchaser does not own the delegated domains, they have control over how they are resolved and can even get SSL certificates signed for them. This risk is not hypothetical. We see evidence of actors purchasing nameserver domains to take advantage of lame delegations. Forinstance, the owner of phonesear.ch has been registering name-server domains that are authoritative for many lame delegated domains,7apparently for search engine optimization.
Section 5.6 describes a set of lame delegations that left a county government in the U.S. at risk of hijacking for over a yea
5.5.2 Misconfiguration.
A common cause of lame delegation is mis-configuration. We describe the three examples (M1-M3) annotatedin Figures 3 and 4.In September 2013, new nameservers were added to thenic.telzone without glue records (M1), followed by existing nameserverglue records being dropped (M2). These configuration issues areconsistent with reports of ongoing troubles the registry opera-tor had with their delegations [12]. In May 2017.teltransferredownership [13], after which issues with thenic.telnameserversdisappeared.The nameserversconficker-sinkhole.{com,net}were reg-istered as a fix for letting thecwgshdomains expire, and effortswere made to move some domains over to these new nameserversfrom thecwgshnameservers (which were no longer under the Con-ficker Working Group Control). Unfortunately, in December 2014(M3), these domains expired and for five days were unresolvablewhile the registrar held them for the grace period. Fortunately,based onwhoisinformation, the domains were renewed in thegrace period avoiding a repeat of the hijacking seen with thecwgshdomains (Section 5.5.1) }}}