1. Unresolved Issues
The prevalence, persistence, and perils of lame delegations
By Gautam Akiwate on 16 Mar 2021
https://blog.apnic.net/2021/03/16/the-prevalence-persistence-perils-of-lame-nameservers/
Contents
Unresolved Issues: Prevalence, Persistence, and Perils of Lame Delegations https://ian.ucsd.edu/papers/unresolved_issues-imc20.pdf
Gautam Akiwate, UC San Diego, gakiwate@cs.ucsd.edu
Mattijs Jonker, University of Twente, m.jonker@utwente.nl
Raffaele Sommese, University of Twente, r.sommese@utwente.nl
1.1. 1 INTRODUCTION
In this paper, we explore the prevalence and causes of such lame delegations (delegations to nameservers that do not answer authoritatively for the domain) in the DNS name hierarchy. We explore this issue both longitudinally, using nine years of zone snapshot data comprising over 499 million domains in both legacy and new generic TLD (gTLD) namespaces (e.g., .com and .xyz respectively), and in the current DNS namespace using active measurements covering over 49 million domains. We find that lame delegations are relatively common: roughly 14% of registered domains actively queried have at least one lame delegation, and the clear majority of those have no working authoritative nameservers. We identify reasons why lame delegations persist, including cross-zone delegations, which current protocols are unable to validate, and non-working IP addresses in glue records, which similarly cannot be validated statically using registry zone data. Moreover, we identify an unforeseen interaction between existing registrar practice and the constraints of registry provisioning systems that has inadvertently created hundreds of thousands of lame delegations. Our measurements show that lame delegations can have significant impacts even when there are alternative working authoritative nameservers for a domain.
Lame delegations can result in a significant increase in average resolution latency (3.7×), unnecessary load on existing nameservers (roughly 12% of requests to GoDaddy's nameservers are for domains for which they are not authoritative [24]) and, most importantly, the potential for malicious parties to monitor or hijack DNS lookups. We have identified many tens of thousands of domains vulnerable to such hijacking and, in several instances, we have identified single domains that, if registered by an attacker, would have allowed the hijacking of thousands of domain names.
Finally, we describe our efforts working with the registrar and registry communities to understand the source of these problems and establish efforts to address them going forward.
1.2. 6 LAME DELEGATIONS MEASURED WITH ACTIVE QUERIES
6.5 Impact of Lame Delegation
1.3. 8 SUMMARY
The Internet, as it is commonly taught, is constructed from simple abstractions implemented via a number of key network protocols. Invariably, however, there is significant daylight between this clean abstract model of how the Internet functions and the frequently messy reality of its concrete operation. Measurement studies such as this one are the mechanisms we use to characterize this gap in understanding. Our work characterizing the presence and risks of lame delegation in the DNS exemplifies the value of this kind of empirical study.
Using comprehensive collections of both active and passive DNS measurements (covering 49 M and 499 M domains respectively), we found that lame delegations are surprisingly common: roughly 14% of registered domains that we actively measured had at least one lame delegation, and most of those had no working authoritative nameservers. However, even for domains with working alternative nameservers, our measurements show that these lame delegations impair DNS performance (average resolution latency increasing by 3.7×) in addition to producing substantial unnecessary load on existing nameservers.
Finally, we found that unregistered or expired domains in lame delegations can create significant security risk. Indeed, over the last nine years, we identified at least three instances in which an attacker could have hijacked thousands of domains by registering a single nameserver domain. Analysis of this phenomenon led us to discover an unforeseen interaction between registrar practice and the constraints of registry provisioning systems that has inadvertently made hundreds of thousands of domains vulnerable to hijacking due to accidental lame delegations. This practice has persisted for over twenty years, but we are now working with registrars to remediate it and its effects.
Going forward, we are exploring ways to combine daily zone data and periodic active measurements to automatically identify and report lame delegations as they are created. An open question remains about the most effective mechanisms for communicating these findings to appropriate stakeholders to incent corrective action. As well, the security issues that arise as unintended byproducts of registrar/registry practices deserve further attention, as this aspect of the domain name ecosystem is largely opaque to the research community.
Many domain operators configure redundancy in resolution infrastructure, which can hide underlying systemic issues for long periods of time. Ironically, this engineered robustness poses a security threat, as domain operators rarely take notice of DNS configurations unless their domain stops resolving completely. Thus they are likely to fail to notice partly lame domains that attackers can exploit. While some systematic issues such as the "DROPTHISHOST anomaly" require registrar-level intervention to fix, domain owners can proactively monitor their own domain configurations. In pursuit of improved monitoring and remediation, we are developing a monitoring tool to allow domain owners to check static zone files for potential delegation-related security risks, and will integrate it into our zone analysis platform. Finally, we have begun an effort to work with the registrar and registry communities to responsibly disclose such risks, establish their underlying causes, and develop improved operational practices to minimize lame delegations going forward.
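The introduction names three reasons lame delegations persist (cross-zone delegations, glue that cannot be validated statically, and nameserver domains that are unregistered and therefore hijackable), and the summary describes a monitoring tool that checks static zone files for delegation-related risks. The following script is an added example of what such a static pass over registry zone data looks like; it is not the authors' tool or code, and the zone fragment it parses is constructed for illustration (the names, addresses and the hypothetical `expired-host.com` are not real data). It reads NS and glue records from a TLD zone, and for each delegated domain reports nameservers that are in-bailiwick but lack glue, nameservers whose registrable domain under the same TLD is not itself delegated (so anyone could register it and answer for every domain that points at it), and nameservers under another TLD that cannot be checked from this zone at all. It also groups hijackable nameserver domains by the number of delegations they would capture, which is the "register one domain, hijack thousands" case the paper describes.

```python
"""Static lame-delegation checker over a registry (TLD) zone snapshot.
Added example, not the paper's tool.  For each delegated domain it reports:
  UNREGISTERED_NS  nameserver under this TLD whose registrable domain is not
                   delegated in the zone (anyone could register it and answer)
  MISSING_GLUE     in-bailiwick nameserver with no A/AAAA glue record
  CROSS_ZONE       nameserver under another TLD: unverifiable from this zone
"""
from collections import defaultdict

# Constructed zone fragment in RFC 1035 presentation format (not real .com data).
ZONE_TEXT = """
$ORIGIN com.
$TTL 172800
example       IN NS ns1.example.com.
example       IN NS ns2.example.com.
ns1.example   IN A  192.0.2.1
ns2.example   IN A  192.0.2.2
acme          IN NS ns1.acme.com.
acme          IN NS ns.expired-host.com.   ; expired-host.com is not delegated here
ns1.acme      IN A  198.51.100.7
shop          IN NS ns.expired-host.com.
shop          IN NS dns1.provider.net.     ; under .net: not checkable from .com data
broken        IN NS ns1.broken.com.        ; in-bailiwick nameserver with no glue
"""

def fqdn(name, origin):
    """Lower-case a zone-file name and make it absolute ("@" is the origin)."""
    name = name.lower()
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}" if origin != "." else f"{name}."

def parse_zone(text):
    """Minimal parser: one record per line, explicit owner, optional TTL/class."""
    origin, records = ".", []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = fields[1].lower()
            continue
        if fields[0] == "$TTL":
            continue
        owner, i = fqdn(fields[0], origin), 1
        if fields[i].isdigit():                  # optional TTL
            i += 1
        if fields[i].upper() == "IN":            # optional class
            i += 1
        rtype, rdata = fields[i].upper(), fields[i + 1]
        if rtype in ("NS", "CNAME"):             # rdata is a name: absolutise it
            rdata = fqdn(rdata, origin)
        records.append((owner, rtype, rdata))
    return records

def registrable(host, tld):
    """'ns.foo.com.' -> 'foo.com.' when host is under tld, else None (cross-zone)."""
    labels = host.rstrip(".").split(".")
    if len(labels) < 2 or labels[-1] != tld:
        return None
    return ".".join(labels[-2:]) + "."

def check_delegations(records, tld):
    """Return (findings per domain, hijackable ns-domain -> victims, fully lame domains)."""
    ns_by_domain, glue = defaultdict(list), set()
    for owner, rtype, rdata in records:
        if rtype == "NS":
            ns_by_domain[owner].append(rdata)
        elif rtype in ("A", "AAAA"):
            glue.add(owner)
    findings, hijack, fully_lame = defaultdict(list), defaultdict(set), []
    for domain, hosts in ns_by_domain.items():
        lame = 0                                 # nameservers that cannot work
        for host in hosts:
            reg = registrable(host, tld)
            if reg is None:
                findings[domain].append(("CROSS_ZONE", host))
            elif host.endswith("." + domain):
                if host not in glue:
                    findings[domain].append(("MISSING_GLUE", host))
                    lame += 1
            elif reg not in ns_by_domain:
                findings[domain].append(("UNREGISTERED_NS", host))
                hijack[reg].add(domain)
                lame += 1
        if lame == len(hosts):
            fully_lame.append(domain)
    return dict(findings), dict(hijack), fully_lame

def hijack_targets(hijack):
    """Nameserver domains an attacker could register, most domains captured first."""
    return sorted(((name, sorted(v)) for name, v in hijack.items()),
                  key=lambda t: (-len(t[1]), t[0]))

if __name__ == "__main__":
    findings, hijack, fully_lame = check_delegations(parse_zone(ZONE_TEXT), "com")
    print(findings, fully_lame, hijack_targets(hijack), sep="\n")
```

On the constructed input, `example.com` is clean, `acme.com` is partly lame (one working nameserver, one pointing at the unregistered `expired-host.com`), `shop.com` has one hijackable nameserver and one cross-zone nameserver that this pass cannot judge, and `broken.com` has no nameserver that can work at all; registering `expired-host.com` would capture both `acme.com` and `shop.com`. Note the caveat the paper itself raises: a glue record that is present but points at a dead address, or a registered nameserver host that simply does not answer authoritatively, is invisible to a static check and only shows up under the active queries the paper pairs with zone data. A CROSS_ZONE result is likewise a "cannot validate here" marker, not a finding of lameness.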