Cross the Zone: Toward a Covert Domain Hijacking via Shared DNS Infrastructure

Aug 16, 2024Β·
Yunyi Zhang
Yunyi Zhang
,
Mingming Zhang
,
Baojun Liu
,
Zhan Liu
,
Jia Zhang
,
Haixin Duan
,
Min Zhang
,
Fan Shi
,
Chengxi Xu
Β· 0 min read
Abstract
Domain Name System (DNS) establishes clear responsibility boundaries among nameservers for managing DNS records via authoritative delegation. However, the rise of thirdparty public services has blurred this boundary. In this paper, we uncover a novel attack surface, named XDAuth, arising from public authoritative nameserver infrastructure’s failure to isolate data across zones adequately. This flaw enables adversaries to inject arbitrary resource records across logical authority boundaries and covertly hijack domain names without authority. Unlike prior research on stale NS records, which concentrated on domain names delegated to expired nameservers or those of hosting service providers, XDAuth targets enterprises that maintain their authoritative domain names. We demonstrate that XDAuth is entirely feasible, and through comprehensive measurements, we identify 12 vulnerable providers (e.g., Amazon Route 53, NSONE, and DigiCert DNS), affecting 125,124 domains of notable enterprises, including the World Bank, and the BBC. Moreover, we responsibly disclose the issue to the affected vendors. Some DNS providers and enterprises (e.g., Amazon Route 53) have recognized the issue and are adopting mitigation measures based on our suggestions.
Type
Publication
In USENIX Security 2024