[dns-operations] [Phoenix Domain Attack] Ghost Domain Reloaded: Vulnerable Links in Domain Name Delegation and Revocation (NDSS '23)

[Xiang Li]

Hi there,

Our paper, "Ghost Domain Reloaded: Vulnerable Links in Domain Name
Delegation and Revocation", will soon be presented at NDSS '23. A
pre-release version is now available at here
<https://www.researchgate.net/publication/363270238_Ghost_Domain_Reloaded_Vulnerable_Links_in_Domain_Name_Delegation_and_Revocation>.
Feel free to review it beforehand.

All DNS software and public DNS service vendors have been informed of the
vulnerabilities detailed in our study. Some of them have implemented
mitigation strategies described in our paper. Besides, we also present this
attack in both OARC 39
<https://indico.dns-oarc.net/event/44/contributions/953/> and ICANN DNS
Symposium 2022 <https://www.icann.org/ids> (all slides are available).

Hope for more discussion with you guys. The abstract is listed below:

In this paper, we propose Phoenix Domain, a general and novel attack that
allows adversaries to maintain the revoked malicious domain continuously
resolvable at scale, which enables an old, mitigated attack, Ghost Domain.
Phoenix Domain has two variations and affects all mainstream DNS software
and public DNS resolvers overall because it does not violate any DNS
specifications and best security practices. The attack is made possible
through systematically “reverse engineer” the cache operations of 8 DNS
implementations, and new attack surfaces are revealed in the domain name
delegation processes. We select 41 well-known public DNS resolvers and
prove that all surveyed DNS services are vulnerable to Phoenix Domain,
including Google Public DNS and Cloudflare DNS. Extensive measurement
studies are performed with 210k stable and distributed DNS recursive
resolvers, and results show that even after one month from domain name
revocation and cache expiration, more than 25% of recursive resolvers can
still resolve it. The proposed attack provides an opportunity for
adversaries to evade the security practices of malicious domain take-down.
We have reported discovered vulnerabilities to all affected vendors and
suggested 6 types of mitigation approaches to them. Until now, 7 DNS
software providers and 15 resolver vendors, including BIND, Unbound,
Google, and Cloudflare, have confirmed the vulnerabilities, and some of
them are implementing and publishing mitigation patches according to our
suggestions. In addition, 9 CVE numbers have been assigned. The study calls
for standardization to address the issue of how to revoke domain names
securely and maintain cache consistency.


All the best,
Xiang Li
Ph.D. Candidate
NISL Lab Tsinghua University
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20230213/cdeddfc8/attachment.html>