Zombie Awakening: Stealthy Hijacking of Active Domains through DNS Hosting Referral

Abstract

In recent years, the security implication of stale NS records, which point to a nameserver that no longer resolves the domain, has been unveiled. Prior research studied the stale DNS records that point to expired domains. The popularity of DNS hosting services brings in a new category of stale NS records, which reside in the domain's zone (instead of the TLD zone) for an active domain. To the best of our knowledge, the security risk of this kind of stale NS record has never been studied before. In our research, we show that this new type of stale NS record can be practically exploited, causing a stealthier hijack of domains associated with the DNS hosting service. We also performed a large-scale analysis on over 1M high-profile domains, 17 DNS hosting providers and 12 popular public resolver operators to confirm the prevalence of this security risk. Our research further discovers 628 hijackable domains (e.g., 6 government entities and 2 payment services), 14 affected DNS hosting providers (e.g., Amazon Route 53), and 10 vulnerable public resolver operators (e.g., CloudFlare). Furthermore, we conducted an in-depth measurement analysis on them, thus providing a better understanding of this new security risk. Also, we explore the mitigation techniques that can be adopted by different affected parties.