Xiang Li (Tsinghua University), Baojun Liu (Tsinghua University), Xuesong Bai (University of California, Irvine), Mingming Zhang (Tsinghua University), Qifan Zhang (University of California, Irvine), Zhou Li (University of California, Irvine), Haixin Duan (Tsinghua University; QI-ANXIN Technology Research Institute; Zhongguancun Laboratory), Qi Li (Tsinghua University; Zhongguancun Laboratory)

In this paper, we propose Phoenix Domain, a general and novel attack that allows adversaries to keep a revoked malicious domain continuously resolvable at scale, which enables an old, mitigated attack, Ghost Domain. Phoenix Domain has two variations and affects all mainstream DNS software and public DNS resolvers overall, because it does not violate any DNS specifications or best security practices. The attack is made possible by systematically "reverse engineering" the cache operations of 8 DNS implementations, which reveals new attack surfaces in the domain name delegation processes. We select 41 well-known public DNS resolvers and prove that all surveyed DNS services are vulnerable to Phoenix Domain, including Google Public DNS and Cloudflare DNS. Extensive measurement studies are performed with 210k stable and distributed DNS recursive resolvers, and the results show that even one month after domain name revocation and cache expiration, more than 25% of recursive resolvers can still resolve the domain. The proposed attack gives adversaries an opportunity to evade the security practice of malicious domain take-down. We have reported the discovered vulnerabilities to all affected vendors and suggested 6 types of mitigation approaches to them. So far, 7 DNS software providers and 15 resolver vendors, including BIND, Unbound, Google, and Cloudflare, have confirmed the vulnerabilities, and some of them are implementing and publishing mitigation patches according to our suggestions. In addition, 9 CVE numbers have been assigned. The study calls for standardization to address the issue of how to revoke domain names securely and maintain cache consistency.
