26–27 Oct 2024
Clarion Congress Hotel Prague
Europe/Prague timezone

Cross the Zone: Toward a Covert Domain Hijacking via Shared DNS Infrastructure

27 Oct 2024, 11:35
10m
Tycho/Kepler Rooms (Clarion Congress Hotel Prague)

Tycho/Kepler Rooms

Clarion Congress Hotel Prague

Freyova 33 Praha 9 ⁠-⁠ Vysočany 190 00 Česká republika
In-person Panel Main Session Session 2

Speaker

Yunyi Zhang (National University of Defense Technology; Tsinghua University)

Description

Domain Name System (DNS) establishes clear responsibility boundaries among nameservers for managing DNS records via authoritative delegation. However, the rise of third-party public services has blurred this boundary. We uncover a novel attack surface, named XDAuth, arising from public authoritative nameserver infrastructure’s failure to isolate data across zones adequately. This flaw enables adversaries to inject arbitrary resource records across logical authority boundaries and covertly hijack domain names without authority. Unlike prior research on stale NS records, which concentrated on domain names delegated to expired nameservers or those of hosting service providers, XDAuth targets enterprises that maintain their authoritative domain names.

Specifically, exploiting XDAuth, an attacker could inject arbitrary resource records covertly for a victim's domain name by exploiting an out-of-delegation nameserver. For instance, a customer deploys their authoritative nameserver (e.g., ns.c1.com) leveraging a provider’s DNS infrastructure. Since the lack of DNS zone isolation in the provider, the attacker can manipulate the resource records of domain names delegated to ns.c1.com through the nameserver (e.g., ns.provider.com) of the provider.

To evaluate the prevalence of XDAuth, we proposed a semi-automated detection framework, named XDAuthChecker, to uncover XDAuth threats in the wild effectively. We used the framework to explore nameserver dependencies and identify shared nameserver groups systematically. For each group, we examined the existence of vulnerable hosting providers that can be exploited to inject forged DNS records into the shared nameservers. Subsequently, we conducted a large-scale measurement study of the DNS-sharing ecosystem and the enterprises that XDAuth affects.

We revealed that shared nameservers are indeed widespread and severe by running XDAuthChecker on 1,090 gTLD zone files. We identified a total of 2,372 shared nameserver groups, consisting of 60,974 nameservers with identical IP addresses and 4,800 nameservers with varied NS domains and IP addresses. Upon analyzing these shared groups, we identified 12 potential vulnerable providers, including Amazon Route 53, NSONE, and Digicert DNS. These providers indirectly affect 1,881 other nameservers, with 981 of them ranking in the Tranco top 1M, highlighting a substantial security threat. After detecting domains delegated to affected nameservers, we found that XDAuth poses security risks to numerous well-known enterprises. As a result, we have discovered 125,124 domains vulnerable to XDAuth attacks, encompassing notable entities like McKesson, and Canon. The affected entities also include domain management or digital certificate companies, indicating their customer domains are susceptible to domain hijacking.

Summary

We uncover a new attack surface in the DNS infrastructure: shared nameservers infrastructure. To our knowledge, this is the first public disclosure of such a vulnerability, and our extensive measurement reveals that shared authoritative nameservers are highly prevalent.

We propose XDAuthChecker, a novel approach to discovering shared nameserver threats. Our results demonstrate that XDAuth can circumvent current best protective measures, enabling covert out-delegation domain hijacking and affecting some well-known enterprises.

Talk duration 10 Minutes (+discussion panel time)

Primary authors

Baojun Liu (Tsinghua Unv.) Dr Mingming Zhang (Zhongguancun Laboratory) Yunyi Zhang (National University of Defense Technology; Tsinghua University)

Presentation materials