« Evacuation Kit for Domain Name Holders | Main | Is office cleaning a proper analog for web security? »

Monday, 26 October 2009

Orphaned Glue Records

When you register a domain name, you are obliged to identify a name server that will host the DNS information for that domain (the zone file). Commonly, organizations operate name resolution service for a given domain on a host that has been assigned a name from a distinct (separate) domain. This is called an out of bailiwick assignment since the name is not assigned within your "jurisdiction", which is the zone file for your domain.

An example is in order. Imagine that Example, Inc. has registered domains example.TLD and example2.TLD, and has identified NS1.example.TLD and NS2.example.TLD as the name servers for example.TLD. In TLD's zone file you would find the name server (NS) and A records (also called glue) for example.TLD, as follows:

example.TLD    NS  ns1.example2.TLD
example.TLD    NS  ns2.example2.TLD
example2.TLD   NS  ns1.example2.TLD
example2.TLD   NS  ns2.example2.TLD
.
.
.
ns1.example2.TLD   A   10.0.1.53
ns2.example2.TLD   A   10.0.2.53

Now, let's suppose example2.TLD is deleted from the TLD registry. This might occur if Example, Inc.  fails to renew the registration for the domain. It might also occur if the domain was suspended because it had been associated with malicious activity (hold this thought). The registry operator (in concert with the sponsoring registrar) should remove the resource records associated with example2.TLD. Removing the glue records however would affect example.TLD since NS1.example2.TLD and NS2.example.TLD host example.TLD's zone. TLD has some options: rename the name server or make it an "orphan" (so labeled because the parent domain name no longer exists).

In the scenario I presented, *all* the resource records are managed by a single registry. The issue of orphans becomes more problematic when an organization registers domains in one registry and hosts name service in another.  Additionally, name servers often host zone files for many domains, so removing glue records might interrupt name service for other domains that also used ns1.example2.TLD or ns2.example2.TLD to host zone files. Policies vary across GTLDs and CCTLDs, further compounding the problem. In cases where the domains involved are not in the same top level domain, the registry operators cannot know unless they are notified by registrar or registrant(s) involved in the name deletion.

Let's go back to that thought I asked you to hold. Imagine that a bad actor registers a bunch of phish domains in TLD *A*, and hosts them at a name server in TLD *B*. Now imagine that the parent domain is removed in the same manner as my example, as a result of a suspension action by a registrar. The orphaned name server is now an obscure corner from which other phishing domains can operate name service.

Preliminary results of study of the prevalence of this form of DNS abuse suggests that there is a correlation between malicious domains (in particular, fast flux attack domain) and orphaned name servers. This is an important problem to solve, and I'd love to hear your opinions on how to solve it.

Posted at 07:45 PM in Domain names and DNS |

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

The comments to this entry are closed.

Search

My Photo
The Skeptic's email address

Categories

Spotlight Posts

  • New TLDs are coming #Dangerclose.
    A Domain Name Wire post, Time to pay attention to the next round of new TLDs, begins with an ominous: They’re coming. Eventually. While not as dramatic or enduring as Arnold Schwarzenegger's "I'll be back", the reporter cites policy activity at ICANN as evidence that new TLDs are coming. Eventually. In a September 2019 post, and in response to the ICANN memorandum, Readiness to Support Future Rounds of New gTLDs, I asked, Has enough been done to study and rectify the concentration of security threats in the new TLD space? In that post, I quoted correspondence from ICANN's security advisory...
  • Economic impact payments (EIP) Phishing: US citizens under attack from US bases of phishing operations
    Dave Piscitello and Dr. Colin Strutt As part of the US Covid-19 virus tax relief effort (American Rescue Plan Act of 2021, H.R.1319), the US Internal Revenue Service (IRS) issued a series of Economic Impact Payments to millions of eligible citizens. The third payment was authorized in March 2021. Criminals took note of this well-publicized program and put a phishing campaign together to profit by stealing and subsequently exploiting personal information of US citizens. Like many phishing campaigns, EIP phishing emails and text messages mimic correspondence to convince US citizens to submit personal information or an advance fee payment at...
  • Study reports a 70% increase in phishing from May 2020 through April 2021
    My Interisle colleagues, together with Greg Aaron of Illumintel, have published a study of the scope and distribution of phishing. From 1 May 2020 through 30 April 2021, we collected nearly 1.5 million phishing reports. Our analyses found ~700,000 phishing attacks among the reports collected. Highlights from the study: Phishing increased by nearly 70% over the yearly period. Most phishing is concentrated at small numbers of domain registrars, domain registries, and hosting providers. The top 10 brands targeted accounted for 46% of the phishing attacks associated with specific brands. Phishing attacks are disproportionately concentrated in new Top-level Domains (TLD). We...
  • In new study Interisle Reveals Excessive Withholding of Internet WHOIS Data
    My Interisle colleagues, together with Greg Aaron, have completed an in-depth analysis of the effects of ICANN policy for WHOIS, a public lookup service that has until recently made it possible to identify who registered and controls a domain name. The European Union’s General Data Protection Regulation (GDPR), adopted in May 2018, restricted the publication of personally identifiable data in WHOIS. In response, the Internet Corporation for Assigned Names and Numbers (ICANN) established a new policy, allowing registrars and registry operators to redact (withhold) personally identifiable data from publication in WHOIS. The implementation of this policy has been widely criticized,...
  • New study: Phishing Landscape 2020
    My colleagues Greg Aaron, Dr. Colin Strutt, Lyman Chapin and I have published a new research report, Phishing Landscape 2020: A Study of the Scope and Distribution of Phishing. The report can be found at http://www.interisle.net/PhishingLandscape2020.html Our goal in this study was to capture and analyze a large set of information about phishing attacks, to better understand how much phishing is taking place and where it is taking place, and to see if the data suggests better ways to fight phishing. We studied where phishers are getting the resources they need to perpetrate their crimes — where they obtain domain...