[Full-disclosure] New DNS exploit - Ghost Domains
adam at infosecinstitute.com
Tue Feb 14 19:52:48 GMT 2012
Good point, well said. Should have called it a technique. Will do so in other postings elsewhere.
From: InterN0T Advisories [mailto:advisories at intern0t.net]
Sent: Tuesday, February 14, 2012 1:05 PM
To: Adam Behnke
Cc: full-disclosure at lists.grok.org.uk
Subject: Re: [Full-disclosure] New DNS exploit - Ghost Domains
I don't get it, where's the vulnerability (or exploit)? DNS is supposed to
work this way, and because some name-servers like OpenDNS use longer TTL
values, it doesn't necessarily mean that it's a vulnerability or an
exploit. It's like saying because an IPv4-address is leased via DHCP for a
week, it's a vulnerability too even if the target host isn't using it.
I'd rather say it's a technique that you can use to perform phishing,
botnet c&c control, spamming, etc. (as described in the paper mentioned in
the blog), without even having an official primary or secondary nameserver
linked to the domain, as the domain can live on other nameservers that have
The only weakness (not vulnerability or exploit) of long TTL values is
that domains can exist as "ghosts" (aka ghost domains) for a long time
without even really existing officially.
But you can't attack anyone with this weakness, as it's just a way of
keeping a domain live on the Internet.
If it's because the paper discusses that it can be used to perform phishing,
botnet c&c, etc., well, so can active non-ghost domains too. The only difference is
that ghost domains don't have an active primary and secondary nameserver,
but are instead cached in nameservers functioning as resolvers, such as
those used by ISPs, OpenDNS, etc.
Send an e-mail to Dan Kaminsky and tell him it's an exploit, I think he
might laugh. No offense intended.
On Tue, 14 Feb 2012 11:09:13 -0600, "Adam Behnke"
<adam at infosecinstitute.com> wrote:
> To explain:
> Whenever there is a query for a domain which is not in the resolver's
> the process happens by traversing through the entire DNS hierarchy from
> root servers to the top-level domain (e.g., .com). The top-level domain
> (TLD) then gives us the information about the name server that has been
> delegated the responsibility of the domain whose IP address we are
> for. We then get the information about that domain from its name server.
> results are then cached by the DNS resolver with a particular value of
> (time-to-live), after which the entry in the cache expires.
> The exploit targets a weakness in the cache update logic of some of the
> servers. The exploit allows the cache to be overwritten in such a way
> it is possible to continuously extend the TTL for the delegation data of
> particular domain and prevents it from ever expiring. The domain will be
> completely resolvable indefinitely even though it has been deleted from
> TLD servers. These types of domains have been termed Ghost Domain Names.
> In this article we will discuss a recent DNS exploit, present in
> most DNS servers, that was discovered by researchers Jian Jiang,
> Jinjin Liang, Kang Li, Jun Li, Haixin Duan and Jianping Wu.
> Read the full article and view a sample Ghost Domain here:
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
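The cache-update weakness described in the quoted explanation, as an added example that is not part of the thread or of the researchers' paper: a toy resolver cache in Python with the weak refresh rule beside a hardened one, driven by constructed names (ghost.example., ns1.ghost.example.) and a constructed timeline in which the TLD drops the delegation half a day after first referring to it.

```python
from dataclasses import dataclass

DAY = 86400
ZONE, NS = "ghost.example.", "ns1.ghost.example."   # constructed names
@dataclass
class Delegation:
    nameserver: str
    expires_at: int        # absolute simulated time, in seconds

class ResolverCache:
    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.delegations: dict[str, Delegation] = {}

    def learn(self, now, zone, ns, ttl, from_parent):
        # Weak rule: any reply carrying an NS record for zone overwrites the entry
        # and restarts its TTL, whoever sent it.  Hardened rule: only the parent
        # (TLD referral) may create or extend the entry; NS data from the child's
        # own servers can never push the expiry past what the parent granted.
        current = self.delegations.get(zone)
        expiry = now + ttl
        if self.hardened and not from_parent:
            if current is None:
                return                     # nothing from the parent to refresh
            expiry = min(expiry, current.expires_at)
        self.delegations[zone] = Delegation(ns, expiry)

    def lookup(self, now, zone):
        d = self.delegations.get(zone)
        if d is None or d.expires_at <= now:
            self.delegations.pop(zone, None)
            return None
        return d.nameserver

def simulate(hardened, deleted_at=DAY // 2, query_every=DAY // 2, horizon=30 * DAY):
    """Return the last simulated time at which ZONE still resolved."""
    cache = ResolverCache(hardened)
    cache.learn(0, ZONE, NS, DAY, from_parent=True)      # initial TLD referral
    last_resolved = 0
    for now in range(query_every, horizon + 1, query_every):
        if cache.lookup(now, ZONE) is None:
            if now >= deleted_at:
                break              # TLD no longer delegates ZONE: NXDOMAIN
            cache.learn(now, ZONE, NS, DAY, from_parent=True)
        # A query for a not-yet-cached subdomain reaches ZONE's own server, whose
        # reply carries an NS record for ZONE with a full TTL in the authority section.
        cache.learn(now, ZONE, NS, DAY, from_parent=False)
        last_resolved = now
    return last_resolved
```

With the weak rule the delegation is still resolvable at the 30-day horizon even though the TLD dropped it on day one; with the hardened rule it dies as soon as the parent-granted TTL runs out.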