Full Disclosure mailing list archives
New DNS exploit - Ghost Domains
From: "Adam Behnke" <adam () infosecinstitute com>
Date: Tue, 14 Feb 2012 11:09:13 -0600
To explain: Whenever there is a query for a domain which is not in the resolver's cache, the process happens by traversing through the entire DNS hierarchy from the root servers to the top-level domain (e.g., .com). The top-level domain (TLD) then gives us the information about the name server that has been delegated the responsibility of the domain whose IP address we are looking for. We then get the information about that domain from its name server. The results are then cached by the DNS resolver with a particular value of TTL (time-to-live), after which the entry in the cache expires. The exploit targets a weakness in the cache update logic of some of the DNS servers. The exploit allows the cache to be overwritten in such a way that it is possible to continuously extend the TTL for the delegation data of a particular domain and prevents it from ever expiring. The domain will be completely resolvable indefinitely even though it has been deleted from the TLD servers. These types of domains have been termed Ghost Domain Names. In this article we will discuss a recent DNS exploit which is present in most of the DNS servers that was discovered by researchers Jian Jiang, Jinjin Liang, Kang Li, Jun Li, Haixin Duan and Jianping Wu. Read the full article and view a sample Ghost Domain here: http://resources.infosecinstitute.com/ghost-domain-names/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- New DNS exploit - Ghost Domains Adam Behnke (Feb 14)
- Re: New DNS exploit - Ghost Domains InterN0T Advisories (Feb 14)
- Re: New DNS exploit - Ghost Domains Adam Behnke (Feb 14)
- Re: New DNS exploit - Ghost Domains InterN0T Advisories (Feb 14)