[Full-disclosure] New DNS exploit - Ghost Domains
adam at infosecinstitute.com
Tue Feb 14 17:09:13 GMT 2012
Whenever there is a query for a domain which is not in the resolver's cache,
the process happens by traversing through the entire DNS hierarchy from the
root servers to the top-level domain (e.g., .com). The top-level domain
(TLD) then gives us the information about the name server that has been
delegated the responsibility of the domain whose IP address we are looking
for. We then get the information about that domain from its name server. The
results are then cached by the DNS resolver with a particular value of TTL
(time-to-live), after which the entry in the cache expires.
The exploit targets a weakness in the cache update logic of some of the DNS
servers. The exploit allows the cache to be overwritten in such a way that
it is possible to continuously extend the TTL for the delegation data of a
particular domain and prevents it from ever expiring. The domain will be
completely resolvable indefinitely even though it has been deleted from the
TLD servers. These types of domains have been termed Ghost Domain Names.
In this article we will discuss a recent DNS exploit which is present in
most of the DNS servers that was discovered by researchers Jian Jiang,
Jinjin Liang, Kang Li, Jun Li, Haixin Duan and Jianping Wu.
Read the full article and view a sample Ghost Domain here:
Full-Disclosure is hosted and sponsored by Secunia.