« Evacuation Kit for Domain Name Holders | Main | Is office cleaning a proper analog for web security? »

Monday, 26 October 2009

Orphaned Glue Records

When you register a domain name, you are obliged to identify a name server that will host the DNS information for that domain (the zone file). Commonly, organizations operate name resolution service for a given domain on a host that has been assigned a name from a distinct (separate) domain. This is called an out of bailiwick assignment since the name is not assigned within your "jurisdiction", which is the zone file for your domain.

An example is in order. Imagine that Example, Inc. has registered domains example.TLD and example2.TLD, and has identified NS1.example.TLD and NS2.example.TLD as the name servers for example.TLD. In TLD's zone file you would find the name server (NS) and A records (also called glue) for example.TLD, as follows:

example.TLD    NS  ns1.example2.TLD
example.TLD    NS  ns2.example2.TLD
example2.TLD   NS  ns1.example2.TLD
example2.TLD   NS  ns2.example2.TLD
.
.
.
ns1.example2.TLD   A   10.0.1.53
ns2.example2.TLD   A   10.0.2.53

Now, let's suppose example2.TLD is deleted from the TLD registry. This might occur if Example, Inc.  fails to renew the registration for the domain. It might also occur if the domain was suspended because it had been associated with malicious activity (hold this thought). The registry operator (in concert with the sponsoring registrar) should remove the resource records associated with example2.TLD. Removing the glue records however would affect example.TLD since NS1.example2.TLD and NS2.example.TLD host example.TLD's zone. TLD has some options: rename the name server or make it an "orphan" (so labeled because the parent domain name no longer exists).

In the scenario I presented, *all* the resource records are managed by a single registry. The issue of orphans becomes more problematic when an organization registers domains in one registry and hosts name service in another.  Additionally, name servers often host zone files for many domains, so removing glue records might interrupt name service for other domains that also used ns1.example2.TLD or ns2.example2.TLD to host zone files. Policies vary across GTLDs and CCTLDs, further compounding the problem. In cases where the domains involved are not in the same top level domain, the registry operators cannot know unless they are notified by registrar or registrant(s) involved in the name deletion.

Let's go back to that thought I asked you to hold. Imagine that a bad actor registers a bunch of phish domains in TLD *A*, and hosts them at a name server in TLD *B*. Now imagine that the parent domain is removed in the same manner as my example, as a result of a suspension action by a registrar. The orphaned name server is now an obscure corner from which other phishing domains can operate name service.

Preliminary results of study of the prevalence of this form of DNS abuse suggests that there is a correlation between malicious domains (in particular, fast flux attack domain) and orphaned name servers. This is an important problem to solve, and I'd love to hear your opinions on how to solve it.

Posted at 07:45 PM in Domain names and DNS |

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

Verify your Comment

Previewing your Comment

Posted by:  | 

This is only a preview. Your comment has not yet been posted.

Working...
Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.

Working...

Post a comment

Comments are moderated, and will not appear until the author has approved them.

Your Information

(Name is required. Email address will not be displayed with the comment.)

Find me on Mastodon and Facebook

Spotlight Posts

  • February 1–April 30, 2025 phishing activity available at the Cybercrime Information Center
    Phishing activity reports for the period February 1–April 30, 2025, are now available at the Cybercrime Information Center. Top 20 rankings of Top-level Domain, Domain Registrar and Hosting operator (by ASN) as well as aggregate records of all operators with phishing activity are available. - Modest declines - Small hosting networks leap into top 20 - Meta and cryptocurrency brands most targeted - .TOP, .XIN and Dominet (HK) remain persistent threats https://interisle.substack.com/p/phishing-trends-february-april-2025
  • Cybercrime Reported in April 2025
    In today's Interisle Insights, Colin Strutt looks at cybercrime activity collected at the Cybercrime Information Center for the month of April 2025.We point out anything that strikes us as particularly interesting in overall numbers as well as significant changes in ranking for Top Level Domains (TLDs), Registrars, and Hosting Networks. Read Cybercrime Reported in April 2025. Interisle Insights is a reader-supported publication. To receive new posts and support our work, consider becoming a free or paid subscriber. Join now!
  • Malware Trends: January - March 2025
    Malware activity reports for the quarter are now posted at the Cybercrime Information Center. Our key statistics show small quarter-over-quarter increases in malicious IP address malware records (Traffic Injectors and Attackware) and unique IPv4 addresses reported as serving or distributing malware, and but meaningful decreases in both endpoint and IoT malware reported. Read Malware Trends: January - March 2025
  • The World's Phishiest Neighborhoods
    In this Interisle Insights article, we take a closer look at our data to better understand what’s hosted at three autonomous systems which have appeared at or near the top in recent quarters. We’ll also review who’s being targeted by these attacks and what corresponding name and address resources are most frequently exploited. Autonomous systems are blocks of Internet addresses, which you can compare to "neighborhoods" in a city. And like any city, some neighborhoods are safe and some are not. The full article, The World's Phishiest Neighborhoods, is hosted here.
  • Interisle Study Reveals Alarming Rise in Online Abuse and Identifies Exploitable Links in Cybercriminal Supply Chains
    My Interisle colleagues and I today published our 2024 Cybercrime Suppy Chain study. We analyzed 16 million cybercrime events to expose a dramatic rise in criminal exploitation of name, address, hosting, and financial supply chains. Our year-over-year findings show that cybercriminals exploit lax policies to easily and cheaply obtain resources for phishing, malware, and spam campaigns. In our report, we provide actionable insights for those aiming to curb cybercrime. Among the major findings in the study, Interisle reports that: The total number of malware, phishing, and spam attacks grew year-over-year by nearly 54%, to nearly 16.3 million attacks. Spam doubled,...

Search

My Photo

Categories