Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: New DNS exploit - Ghost Domains
From: InterN0T Advisories <advisories () intern0t net>
Date: Tue, 14 Feb 2012 14:04:30 -0500

To question:

I don't get it, where's the vulnerability (or exploit)? DNS is supposed to
work this way, and because some name-servers like OpenDNS use longer TTL
values, it doesn't necessarily mean that it's a vulnerability or an
exploit. It's like saying because an IPv4-address is leased via DHCP for a
week, it's a vulnerability too even if the target host isn't using it.

I'd rather say it's a technique, that you can use to perform phishing,
botnet c&c control, spamming, etc., (as described in the paper mentioned in
the blog), without even having an official primary or secondary nameserver
linked to the domain, as the domain can live on other nameservers that have
cached it. 

The only weakness (not vulnerability or exploit) of long TTL values, is
that domains can exist as "ghosts" (aka ghost domains) for a long time
without even really existing officially.

But you can't attack anyone with this weakness, as it's just a way of
keeping a domain live on the Internet. 

If it's because the paper discusses it can be used to perform phishing,
botnet c&c, etc., well, so can active non-ghost too. The only difference is
that ghost-domains doesn't have an active primary and secondary nameserver,
but are instead cached in nameservers functioning as resolvers, such as
those used by ISP's, OpenDNS, etc.

Send an e-mail to Dan Kaminsky and tell him it's an exploit, I think he
might laugh. No offense intended.


Best regards,

On Tue, 14 Feb 2012 11:09:13 -0600, "Adam Behnke"
<adam () infosecinstitute com> wrote:
To explain:

Whenever there is a query for a domain which is not in the resolver's
the process happens by traversing through the entire DNS hierarchy from
root servers to the top-level domain (e.g., .com). The top-level domain
(TLD) then gives us the information about the name server that has been
delegated the responsibility of the domain whose IP address we are
for. We then get the information about that domain from its name server.
results are then cached by the DNS resolver with a particular value of
(time-to-live), after which the entry in the cache expires.

The exploit targets a weakness in the cache update logic of some of the
servers. The exploit allows the cache to be overwritten in such a way
it is possible to continuously extend the TTL for the delegation data of
particular domain and prevents it from ever expiring. The domain will be
completely resolvable indefinitely even though it has been deleted from
TLD servers. These types of domains have been termed Ghost Domain Names.

In this article we will discuss a recent DNS exploit which is present in
most of the DNS servers that was discovered by researchers Jian Jiang,
Jinjin Liang, Kang Li, Jun Li, Haixin Duan and Jianping Wu. 

Read the full article and view a sample Ghost Domain here:

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]