May 14 – 15, 2017
Europe/Madrid timezone

Zone Poisoning: The How and Where of Non-Secure DNS Dynamic Updates

May 15, 2017, 2:15 PM
Standard Presentation, Public Workshop: Security and Privacy


Dr Maciej Korczynski (Delft University of Technology)


Domain names are a critical resource for legitimate users, but also for criminals. This has led to a variety of attacks on the underlying technology, the Domain Name System (DNS) infrastructure. Registrars have been hacked, attackers have set up malicious domain name resolution services, and DNS caches have been poisoned. What most of these attacks have in common is that they compromise the resolution path somewhere between the user and the authoritative name server for a domain. One attack vector has been overlooked so far: using poorly configured name servers to manipulate domain name records at the authoritative end of the path, the zone file for the domain. We call this attack 'zone poisoning'. The attack is as simple as sending a single RFC-compliant DNS dynamic update packet to a misconfigured server. In the simplest version of the attack, a miscreant could replace an existing A or MX resource record in the zone file of an authoritative server and point the domain name to an IP address under the attacker's control. We present the first measurement study of the vulnerability. To assess the potential impact of non-secure dynamic updates, we scanned a random sample of 2.9 million domains worldwide and the Alexa top 1 million domains. We find that the vulnerable domains include governments, health care providers and banks, demonstrating that the threat affects important services. We have also issued notifications to DNS service providers, website owners and network operators suffering from non-secure DNS dynamic updates, to assess which mechanisms are more reachable and more effective at remediating the vulnerability. We have systematically compared the effectiveness of communication channels, and of notifications with demonstrative content (where recipients can confirm the existence of the vulnerability from a given external link) versus standard vulnerability notifications.
We monitored name servers and domain names for several weeks to determine their rate of remediation. Through our study of the zone poisoning attack and the subsequent notifications to affected parties, we aim to improve the security of the DNS ecosystem.
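The misconfiguration described in the abstract is, in practice, an authoritative server that accepts RFC 2136 dynamic updates from anyone. The fragment below is an added illustration, not material from the talk or the authors' study: it shows a BIND 9 `named.conf` zone stanza with the weak setting beside the corrected one. The zone name `example.com`, the key name `ddns-key`, the file names and the secret are assumed placeholders. BIND's default for `allow-update` is `none`, so the non-secure configuration is always an explicit (if often unintended) choice.

```conf
// WEAK (illustrative): any host that can reach port 53 may add, change or
// delete records in this zone with an unsigned dynamic update packet.
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-update { any; };
};

// CORRECTED (illustrative): updates must be signed with a TSIG key, and the
// grant is limited to names under the zone apex. The secret is a placeholder;
// generate a real one with tsig-keygen and keep it out of world-readable files.
key "ddns-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET_FROM_tsig-keygen";
};

zone "example.com" {
    type master;
    file "example.com.zone";
    update-policy {
        grant ddns-key zonesub ANY;
    };
};
```

Restricting updates by source IP alone (`allow-update { 192.0.2.0/24; };`) is weaker than TSIG because UDP update packets can carry a spoofed source address; key-based `update-policy` ties the authorization to possession of the secret rather than to a network position. After changing the policy, the check a defender wants is that an unsigned update against the server's own zone is now refused, and that `named` logs the rejected attempt.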
Talk Duration 30 Minutes

Primary author

Dr Maciej Korczynski (Delft University of Technology)


Co-authors

Dr Carlos H. Ganan (TU Delft)
Dr Michal Krol (Universite de Technologie de Compiegne)
Prof. Michel van Eeten (TU Delft)
Mr Orcun Cetin (TU Delft)
