Xiang Li (Tsinghua University), Baojun Liu (Tsinghua University), Xuesong Bai (University of California, Irvine), Mingming Zhang (Tsinghua University), Qifan Zhang (University of California, Irvine), Zhou Li (University of California, Irvine), Haixin Duan (Tsinghua University; QI-ANXIN Technology Research Institute; Zhongguancun Laboratory), Qi Li (Tsinghua University; Zhongguancun Laboratory)

In this paper, we propose textit{Phoenix Domain}, a general and novel attack that allows adversaries to maintain the revoked malicious domain continuously resolvable at scale, which enables an old, mitigated attack, Ghost Domain. textit{Phoenix Domain} has two variations and affects all mainstream DNS software and public DNS resolvers overall because it does not violate any DNS specifications and best security practices. The attack is made possible through systematically ''textit{reverse engineer}'' the cache operations of 8 DNS implementations, and new attack surfaces are revealed in the domain name delegation processes. We select 41 well-known public DNS resolvers and prove that all surveyed DNS services are vulnerable to textit{Phoenix Domain}, including Google Public DNS and Cloudflare DNS. Extensive measurement studies are performed with 210k stable and distributed DNS recursive resolvers, and results show that even after one month from domain name revocation and cache expiration, more than 25% of recursive resolvers can still resolve it. The proposed attack provides an opportunity for adversaries to evade the security practices of malicious domain take-down. We have reported discovered vulnerabilities to all affected vendors and suggested 6 types of mitigation approaches to them. Until now, 7 DNS software providers and 15 resolver vendors, including BIND, Unbound, Google, and Cloudflare, have confirmed the vulnerabilities, and some of them are implementing and publishing mitigation patches according to our suggestions. In addition, 9 CVE numbers have been assigned. The study calls for standardization to address the issue of how to revoke domain names securely and maintain cache consistency.

View More Papers

Semi-Automated Synthesis of Driving Rules

Diego Ortiz, Leilani Gilpin, Alvaro A. Cardenas (University of California, Santa Cruz)

Read More

A Transcontinental Analysis of Account Remediation Protocols of Popular...

Philipp Markert (Ruhr University Bochum), Andrick Adhikari (University of Denver), Sanchari Das (University of Denver)

Read More

Anomaly Detection in the Open World: Normality Shift Detection,...

Dongqi Han (Tsinghua University), Zhiliang Wang (Tsinghua University), Wenqi Chen (Tsinghua University), Kai Wang (Tsinghua University), Rui Yu (Tsinghua University), Su Wang (Tsinghua University), Han Zhang (Tsinghua University), Zhihua Wang (State Grid Shanghai Municipal Electric Power Company), Minghui Jin (State Grid Shanghai Municipal Electric Power Company), Jiahai Yang (Tsinghua University), Xingang Shi (Tsinghua University), Xia…

Read More

Extrapolating Formal Analysis to Uncover Attacks in Bluetooth Passkey...

Mohit Kumar Jangid (The Ohio State University), Yue Zhang (Computer Science & Engineering, Ohio State University), Zhiqiang Lin (The Ohio State University)

Read More