1. DNS/lame_delegation/orphan

1.1. Orphan and Abandoned

The Forgotten Side of DNS: Orphan and Abandoned Records

Raffaele Sommese, Mattijs Jonker, Roland van Rijswijk-Deij, Alberto Dainotti, Kimberly Claffy, Anna Sperotto

WTMC2020 5th International Workshop on Traffic Measurements for Cybersecurity

https://conferences.computer.org/eurosp/pdfs/EuroSPW2020-7k9FlVRX4z43j4uE2SeXU0/859700a537/859700a537.pdf

DNS zone administration is a complex task involving manual work and several entities and can therefore result in misconfigurations.
Orphan records are one of these misconfigurations, in which a glue record for a delegation that does not exist anymore is forgotten in the zone file.

Orphan records are a security hazard to third-party domains that have these records in their delegation, as an attacker may easily hijack such domains by registering the domain associated with the orphan.

The goal of this paper is to quantify this misconfiguration, extending previous work by Kalafut et al., by identifying a new type of glue record misconfiguration – which we refer to as abandoned records – and by performing a broader characterization.

Our results highlight how the situation has changed, not always for the better, compared to a decade-old study.

 We discovered that for the.comand.netTLDs, the number of orphan records has fallen to zero, which means that operators have introduced mechanisms for cleaning their zone files. 

A. J. Kalafut, M. Gupta, C. A. Cole, L. Chen, and N. E. Myers,
“An empirical study of orphan DNS servers in the Internet,” 
in Proceedings of the 10th ACM SIGCOMM conference on Internetmeasurement.
  ACM, 2010, pp. 308–314


1.2. Unresolved Isues

https://ian.ucsd.edu/papers/unresolved_issues-imc20.pdf

Unresolved Issues: Prevalence, Persistence, and Perils of Lame Delegations

Gautam Akiwate, Mattijs Jonker, Raffaele Sommese, Ian Foster, Geoffrey M Voelker, Stefan Savage, KC Claffy
IMC2020 ACM Internet Measurement Conference

The modern Internet relies on the Domain Name System (DNS) to convert between human-readable domain names and IP addresses. However, the correct and efficient implementation of this function is jeopardized when the configuration data binding domains, nameservers and glue records is faulty.

In particular lame delegations, which occur when a nameserver responsible for a domain is unable to provide authoritative information about it, introduce both performance and security risks.

We perform a broad-based measurement study of lame delegations, using both longitudinal zone data and active querying.

We show that lame delegations of various kinds are common (affecting roughly 14% of domains we queried), that they can significantly degrade lookup latency (when they do not lead to outright failure), and that they expose hundreds of thousands of domains to adversarial takeover.

We also explore circumstances that give rise to this surprising prevalence of lame delegations, including unforeseen interactions between the operational procedures of registrars and registries.”

MoinQ: DNS/lame_delegation/資料/orphan (last edited 2021-01-26 02:08:48 by ToshinoriMaeno)