Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Don't Get Hijacked: Prevalence, Mitigation, and Impact of Non-Secure DNS Dynamic Updates

Yevheniya Nosyk, Maciej Korczyński, Carlos H. Gañán, Michał Król, Qasim Lone, Andrzej Duda

TL;DR

The paper investigates non-secure DNS dynamic updates, which allow arbitrary hosts to modify zone data and enable zone poisoning. It defines a five-class attack taxonomy, verifies the attacks in a controlled lab, and scales the analysis to over 353 million domains to quantify vulnerability, finding hundreds of thousands of vulnerable domains and thousands of vulnerable name servers. It then conducts a multi-phase CSIRT notification campaign, achieving substantial remediation (≈98% of vulnerable domains and ≈54% of vulnerable name servers) and evidencing lasting impact in 2022 measurements. The work highlights practical mitigation by engaging CERTs, informs vendors (with CVEs reserved for Knot DNS and Simple DNS Plus), and demonstrates that coordinated, responsible disclosure can significantly reduce DNS-zone-targeted risks.

Abstract

DNS dynamic updates represent an inherently vulnerable mechanism deliberately granting the potential for any host to dynamically modify DNS zone files. Consequently, this feature exposes domains to various security risks such as domain hijacking, compromise of domain control validation, and man-in-the-middle attacks. Originally devised without the implementation of authentication mechanisms, non-secure DNS updates were widely adopted in DNS software, subsequently leaving domains susceptible to a novel form of attack termed zone poisoning. In order to gauge the extent of this issue, our analysis encompassed over 353 million domain names, revealing the presence of 381,965 domains that openly accepted unsolicited DNS updates. We then undertook a comprehensive three-phase campaign involving the notification of Computer Security Incident Response Teams (CSIRTs). Following extensive discussions spanning six months, we observed substantial remediation, with nearly 54\% of nameservers and 98% of vulnerable domains addressing the issue. This outcome serves as evidence that engaging with CSIRTs can prove to be an effective approach for reporting security vulnerabilities. Moreover, our notifications had a lasting impact, as evidenced by the sustained low prevalence of vulnerable domains.

Don't Get Hijacked: Prevalence, Mitigation, and Impact of Non-Secure DNS Dynamic Updates

TL;DR

The paper investigates non-secure DNS dynamic updates, which allow arbitrary hosts to modify zone data and enable zone poisoning. It defines a five-class attack taxonomy, verifies the attacks in a controlled lab, and scales the analysis to over 353 million domains to quantify vulnerability, finding hundreds of thousands of vulnerable domains and thousands of vulnerable name servers. It then conducts a multi-phase CSIRT notification campaign, achieving substantial remediation (≈98% of vulnerable domains and ≈54% of vulnerable name servers) and evidencing lasting impact in 2022 measurements. The work highlights practical mitigation by engaging CERTs, informs vendors (with CVEs reserved for Knot DNS and Simple DNS Plus), and demonstrates that coordinated, responsible disclosure can significantly reduce DNS-zone-targeted risks.

Abstract

DNS dynamic updates represent an inherently vulnerable mechanism deliberately granting the potential for any host to dynamically modify DNS zone files. Consequently, this feature exposes domains to various security risks such as domain hijacking, compromise of domain control validation, and man-in-the-middle attacks. Originally devised without the implementation of authentication mechanisms, non-secure DNS updates were widely adopted in DNS software, subsequently leaving domains susceptible to a novel form of attack termed zone poisoning. In order to gauge the extent of this issue, our analysis encompassed over 353 million domain names, revealing the presence of 381,965 domains that openly accepted unsolicited DNS updates. We then undertook a comprehensive three-phase campaign involving the notification of Computer Security Incident Response Teams (CSIRTs). Following extensive discussions spanning six months, we observed substantial remediation, with nearly 54\% of nameservers and 98% of vulnerable domains addressing the issue. This outcome serves as evidence that engaging with CSIRTs can prove to be an effective approach for reporting security vulnerabilities. Moreover, our notifications had a lasting impact, as evidenced by the sustained low prevalence of vulnerable domains.
Paper Structure (35 sections, 8 figures, 3 tables)

This paper contains 35 sections, 8 figures, 3 tables.

Table of Contents

  1. Introduction
  2. Background
  3. Dynamic Updates in DNS
  4. Security Considerations
  5. Implementation of Dynamic Updates
  6. Adversary Model
  7. Infrastructure Setup
  8. Taxonomy of Attacks
  9. Denial of Service (DoS) Attack
  10. Domain Hijacking Attack
  11. Man-in-the-Middle (MITM) Attack
  12. Domain Shadowing Attack
  13. Compromising Domain Control Validation
  14. Adversary Capabilities: Additional Insights
  15. Propagation Between Primary and Secondary Nameservers
  16. ...and 20 more sections

Figures (8)

  • Figure 1: The distribution of 5,964 vulnerable domains in the Alexa domain popularity list.
  • Figure 2: The number of vulnerable resources (domains and nameservers) per national CSIRT
  • Figure 3: The distribution of vulnerable resources (domains and nameservers) per national CSIRTs with respect to their size (number of IPv4 addresses under their jurisdiction).
  • Figure 4: Remediation rates of the DNS nameservers during Phase 1 under two groups of CSIRTs - Trusted Introducers and Others
  • Figure 5: Server remediation rates of different CSIRT constituency types.
  • ...and 3 more figures