.

New DNS exploitation technique at InfoSec Institute - Ghost Domains

<<

infoseci

Newbie
Newbie

Posts: 18

Joined: Tue Nov 02, 2010 4:12 pm

Post Thu Feb 16, 2012 10:19 am

New DNS exploitation technique at InfoSec Institute - Ghost Domains

Whenever there is a query for a domain which is not in the resolver’s cache, the process happens by traversing through the entire DNS hierarchy from the root servers to the top-level domain (e.g., .com). The top-level domain (TLD) then gives us the information about the name server that has been delegated the responsibility of the domain whose IP address we are looking for. We then get the information about that domain from its name server. The results are then cached by the DNS resolver with a particular value of TTL (time-to-live), after which the entry in the cache expires.

The exploit targets a weakness in the cache update logic of some of the DNS servers. The exploit allows the cache to be overwritten in such a way that it is possible to continuously extend the TTL for the delegation data of a particular domain and prevents it from ever expiring. The domain will be completely resolvable indefinitely even though it has been deleted from the TLD servers. These types of domains have been termed Ghost Domain Names.

Read the full article and view a sample Ghost Domain here:

http://resources.infosecinstitute.com/ghost-domain-names/
<<

MaXe

User avatar

Hero Member
Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Thu Feb 16, 2012 5:39 pm

Re: New DNS exploitation technique at InfoSec Institute - Ghost Domains

Here's my feedback originally replied to on the Full Disclosure mailing list: http://seclists.org/fulldisclosure/2012/Feb/237
I'm an InterN0T'er

Return to Network Pen Testing

Who is online

Users browsing this forum: No registered users and 1 guest

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software