Ghost domain name vulnerabilities: security threats that exploit DNS server cache logic (1)

Source: Internet
Author: User
Tags: tld

DNS is the naming system that converts a human-readable domain name into the IP address a computer actually connects to. When a query arrives for a name that is not in the resolver's cache, resolution walks the DNS hierarchy from the root servers down to the top-level domain (TLD) servers (for example, the servers for .com). The TLD server then refers the resolver to the authoritative name server for the domain, which returns the requested IP address. The resolver stores the answer in its cache together with the record's TTL (time to live) value, and the cached record is discarded when the TTL expires.

In some cases a domain is identified as malicious and taken down, for example because it spreads malware or hosts phishing pages. The usual way to stop users from reaching such a domain is to remove its delegation from the TLD server. This alone does not eliminate the risk: a resolver that has already cached the delegation can still resolve the domain until that cached record's TTL expires. Normally this is not a big problem, because the TTL bounds the lifetime of the cached record, so the malicious domain survives the takedown only for seconds or minutes, or at most until the TTL set on the delegation runs out.

In this article we discuss a recently disclosed vulnerability that affected most DNS resolver implementations. It was discovered by Jiang Jian, Liang Jinjin, Li Kang, Li Jun, Duan Haixin, Wu Jianping and other researchers and is described in their paper "Ghost Domain Names: Revoked Yet Still Resolvable" (NDSS 2012).

The entry point is a logic gap in how some DNS resolvers update their cache. It lets an attacker rewrite the cached delegation data for a domain in a specific way, so that the cache keeps receiving fresh authority (NS) records for that domain, each carrying a new TTL, and the cached entry is never allowed to expire. As a result, even after the domain has been removed from the TLD server, it remains resolvable. Such a domain now has its own name: a ghost domain name.

Basic DNS knowledge

First, let's look at how DNS resolution works.

Suppose you open a browser and enter infosecinstitute.com in the address bar. The stub resolver in the operating system first checks its local cache for a record for that name; the cache holds the mappings between host names and IP addresses looked up recently, so the resolver does not have to fetch the same address repeatedly. If the cache has no entry, the stub resolver sends a recursive query to a DNS server, usually one provided by the Internet service provider (ISP), although you can also configure one yourself. If that server has no cached record either, it performs iterative queries against the root, TLD and authoritative name servers in turn until it finds the answer. Once the IP address is retrieved, it is returned to the client and stored in the cache for future use.
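The resolution walk above and the cache-update logic gap described earlier can both be seen in a small simulation. The following is an added example written for this page, not code from the paper or from any real resolver. It models a recursive resolver that caches only the NS delegation of each zone, a TLD server that can take a domain down, and the domain's own authoritative server that stays online afterwards. The refresh step follows the technique in the paper: the attacker queries a never-before-seen subdomain so the resolver must contact the domain's authoritative server, whose reply carries the zone's NS record with a full TTL. The names evil.com and ns.evil.com, the address 192.0.2.1, the 3600-second TTL, the logical clock and the "hardened" policy (refuse to let child-supplied NS data extend the parent's delegation) are all assumptions of the example.

```python
"""Toy caching resolver that reproduces the ghost-domain cache logic gap.

Added illustration, not code from the original page, the paper or any real
resolver. Everything here is assumed for the example: the names evil.com and
ns.evil.com, the address 192.0.2.1, a logical clock in seconds instead of
wall-clock time, and a resolver that caches only the NS delegation per zone.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

DELEGATION_TTL = 3600  # assumed TTL on the NS records handed out by both servers


@dataclass
class Delegation:
    nameserver: str
    expires_at: int  # logical-clock second at which the cached entry dies


class TldServer:
    """Registry side (.com): answers referrals until the domain is taken down."""

    def __init__(self) -> None:
        self.delegations: Dict[str, str] = {"evil.com": "ns.evil.com"}

    def take_down(self, zone: str) -> None:
        self.delegations.pop(zone, None)

    def referral(self, zone: str) -> Optional[Tuple[str, int]]:
        ns = self.delegations.get(zone)
        return None if ns is None else (ns, DELEGATION_TTL)


class AttackerAuthServer:
    """The ghost domain's own name server, still online after the takedown.

    Every answer carries the zone's NS record in the authority section with a
    fresh TTL; that record is the attacker's refresh payload.
    """

    def answer(self, qname: str, zone: str) -> Dict[str, Tuple]:
        return {
            "answer": (qname, "192.0.2.1", 300),
            "authority": (zone, "ns.evil.com", DELEGATION_TTL),
        }


class Resolver:
    """Recursive resolver with a delegation cache and a switchable update policy."""

    def __init__(self, tld: TldServer, auth: Dict[str, AttackerAuthServer], vulnerable: bool) -> None:
        self.tld = tld
        self.auth = auth
        self.vulnerable = vulnerable
        self.cache: Dict[str, Delegation] = {}
        self.now = 0  # logical clock in seconds

    @staticmethod
    def zone_of(qname: str) -> str:
        return ".".join(qname.split(".")[-2:])

    def cached_delegation(self, zone: str) -> Optional[Delegation]:
        entry = self.cache.get(zone)
        if entry is None:
            return None
        if entry.expires_at <= self.now:  # TTL ran out: drop it, as a real cache would
            del self.cache[zone]
            return None
        return entry

    def resolve(self, qname: str) -> Optional[str]:
        zone = self.zone_of(qname)
        deleg = self.cached_delegation(zone)
        if deleg is None:
            ref = self.tld.referral(zone)  # walk to the parent (TLD) for a referral
            if ref is None:
                return None  # parent no longer delegates the zone: resolution fails
            deleg = Delegation(ref[0], self.now + ref[1])
            self.cache[zone] = deleg
        response = self.auth[deleg.nameserver].answer(qname, zone)
        _, child_ns, child_ttl = response["authority"]
        if self.vulnerable:
            # Logic gap: the NS record from the child's authority section overwrites
            # the cached delegation and restarts its TTL, so one query per TTL
            # window keeps the entry alive indefinitely.
            self.cache[zone] = Delegation(child_ns, self.now + child_ttl)
        # Hardened policy (one assumed fix): keep the parent's delegation and its
        # original expiry; child-supplied NS data must not extend it.
        return response["answer"][1]


def run_scenario(vulnerable: bool) -> Dict[str, Optional[str]]:
    """Warm the cache, take the domain down, refresh, then query after the original TTL."""
    tld = TldServer()
    resolver = Resolver(tld, {"ns.evil.com": AttackerAuthServer()}, vulnerable)
    results: Dict[str, Optional[str]] = {}
    resolver.now = 0
    results["before_takedown"] = resolver.resolve("www.evil.com")  # victim populates the cache
    tld.take_down("evil.com")  # registry removes the delegation from .com
    resolver.now = 3000  # still inside the original 3600 s TTL
    results["refresh"] = resolver.resolve("random1.evil.com")  # attacker's refresh query
    resolver.now = 4000  # past the original expiry at 3600
    results["after_takedown"] = resolver.resolve("www.evil.com")
    for t in range(6000, 7 * 86400, 3000):  # attacker refreshes every 3000 s for a week
        resolver.now = t
        resolver.resolve(f"r{t}.evil.com")
    resolver.now = 7 * 86400
    results["one_week_later"] = resolver.resolve("www.evil.com")
    return results


if __name__ == "__main__":
    for flag in (True, False):
        print("vulnerable" if flag else "hardened", run_scenario(flag))
```

With the vulnerable policy every key resolves to 192.0.2.1, including a week after the takedown, because each refresh query moves the delegation's expiry forward; with the hardened policy the first query after the original 3600-second TTL goes back to the TLD, gets no referral, and fails. The simulation only tracks delegations; a real resolver also caches the final A record, which is why the attacker must use a fresh subdomain for each refresh rather than re-asking for a name already in the cache.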

