Document Type
Article
Department/Program
Physics
Journal Title
CCS'16: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security
Pub Date
2016
First Page
1414
Abstract
In a dangling DNS record (Dare), the resources pointed to by the DNS record are invalid, but the record itself has not yet been purged from DNS. In this paper, we shed light on a largely overlooked threat in DNS posed by dangling DNS records. Our work reveals that Dares can be easily manipulated by adversaries for domain hijacking. In particular, we identify three attack vectors that an adversary can harness to exploit Dares. In a large-scale measurement study, we uncover 467 exploitable Dares in 277 Alexa top 10,000 domains and 52 edu zones, showing that Dare is a real, prevalent threat. By exploiting these Dares, an adversary can take full control of the (sub)domains and can even have them signed by a Certificate Authority (CA). It is evident that the underlying cause of exploitable Dares is the lack of authenticity checking for the resources to which a DNS record points. We then propose three defense mechanisms to effectively mitigate Dares with little human effort.
Recommended Citation
Liu, Daiping; Hao, Shuai; and Wang, Haining, All Your DNS Records Point to Us: Understanding the Security Threats of Dangling DNS Records (2016). CCS'16: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security.
DOI
10.1145/2976749.2978387