1. DNS/lame_delegation/orphan
1.1. Orphan and Abandoned
The Forgotten Side of DNS: Orphan and Abandoned Records Raffaele Sommese, Mattijs Jonker, Roland van Rijswijk-Deij, Alberto Dainotti, Kimberly Claffy, Anna Sperotto WTMC2020 5th International Workshop on Traffic Measurements for Cybersecurity
DNS zone administration is a complex task involving manual work and several entities and can therefore result in misconfigurations. Orphan records are one of these misconfigurations, in which a glue record for a delegation that does not exist anymore is forgotten in the zone file.
Orphan records are a security hazard to third-party domains that have these records in their delegation, as an attacker may easily hijack such domains by registering the domain associated with the orphan.
The goal of this paper is to quantify this misconfiguration, extending previous work by Kalafut et al., by identifying a new type of glue record misconfiguration – which we refer to as abandoned records – and by performing a broader characterization.
Our results highlight how the situation has changed, not always for the better, compared to a decade-old study.
We discovered that for the.comand.netTLDs, the number of orphan records has fallen to zero, which means that operators have introduced mechanisms for cleaning their zone files.
- 見逃しがある、ということか。(domain名、あるいはglueが存在すればorphanではないということらしい。)
A. J. Kalafut, M. Gupta, C. A. Cole, L. Chen, and N. E. Myers, “An empirical study of orphan DNS servers in the Internet,” in Proceedings of the 10th ACM SIGCOMM conference on Internetmeasurement. ACM, 2010, pp. 308–314
1.2. Unresolved Isues
https://ian.ucsd.edu/papers/unresolved_issues-imc20.pdf
Unresolved Issues: Prevalence, Persistence, and Perils of Lame Delegations Gautam Akiwate, Mattijs Jonker, Raffaele Sommese, Ian Foster, Geoffrey M Voelker, Stefan Savage, KC Claffy IMC2020 ACM Internet Measurement Conference
The modern Internet relies on the Domain Name System (DNS) to convert between human-readable domain names and IP addresses. However, the correct and efficient implementation of this function is jeopardized when the configuration data binding domains, nameservers and glue records is faulty.
In particular lame delegations, which occur when a nameserver responsible for a domain is unable to provide authoritative information about it, introduce both performance and security risks.
We perform a broad-based measurement study of lame delegations, using both longitudinal zone data and active querying.
We show that lame delegations of various kinds are common (affecting roughly 14% of domains we queried), that they can significantly degrade lookup latency (when they do not lead to outright failure), and that they expose hundreds of thousands of domains to adversarial takeover.
We also explore circumstances that give rise to this surprising prevalence of lame delegations, including unforeseen interactions between the operational procedures of registrars and registries.”