The Forgotten Side of DNS: Orphan and Abandoned Records
Total Page:16
File Type:pdf, Size:1020Kb
The Forgotten Side of DNS: Orphan and Abandoned Records Raffaele Sommese∗, Mattijs Jonker∗, Roland van Rijswijk-Deij∗, Alberto Dainottiy, K.C. Claffyy, Anna Sperotto∗ ∗Design and Analysis of Communication Systems (DACS) yCAIDA University of Twente UC San Diego Enschede, the Netherlands La Jolla, CA, USA fr.sommese, m.jonker, r.m.vanrijswijk, [email protected] falberto, [email protected] Abstract—DNS zone administration is a complex task in- Given the complexity of managing DNS information, volving manual work and several entities and can therefore misconfiguration and errors can occur, with an impact on result in misconfigurations. Orphan records are one of these the overal security and reachability of the DNS. misconfigurations, in which a glue record for a delegation The goal of this paper is to analyze a specific mis- that does not exist anymore is forgotten in the zone file. configuration, defined as the orphan record [2] in a TLD. Orphan records are a security hazard to third-party domains Such orphan records are a leftover of a domain that has that have these records in their delegation, as an attacker expired, and should have been removed, by the registry may easily hijack such domains by registering the domain or by the registrar, together with the expired domain they associated with the orphan. The goal of this paper is to belong to. Orphan records form a security risk as unwit- quantify this misconfiguration, extending previous work by ting third party domains may still point to these orphan Kalafut et al., by identifying a new type of glue record records in their delegation. An attacker can easily hijack misconfiguration – which we refer to as abandoned records – domains referring to orphan records by re-registering the and by performing a broader characterization. Our results domain they belong to. highlight how the situation has changed, not always for the This work reproduces and extends the analysis per- better, compared to a decade-old study. formed by Kalafut et al. [2] in 2010 and is motivated by the main question: A decade after the original analysis, Index Terms—DNS, orphan records, abandoned records, what does the orphan records phenomenon look like? misconfiguration Compared to [2], we characterize the orphan records phenomenon through a significantly larger dataset of ∼2K 1. Introduction TLDs and over a wider time window of 25 months. We also introduce a related type of misconfiguration, which The Domain Name System (DNS) [1] is part of the has not been considered before, that we refer to as aban- core Internet infrastructure and also one of the most doned records, which could be predecessors to new orphan complex parts. The DNS is organised as a hierarchical, records. distributed database with built-in redundancy. The respon- sibility for domains is arranged through a process of 2. Background delegation, in which an entity at a higher level in the hierarchy diverts responsibility for a subset of the name Zone files and glue records. A zone is a portion of space to another party. The hierarchy starts at the root the DNS managed by a single entity. A zone file de- of the DNS, which delegates top-level domains (TLDs) scribes all the Resource Records (RRs) related to a zone, such as .com, .net, .nl, etc. These TLDs in turn del- and its format is defined in two IETF standards [3], egate to second-level domains, which in turn may further [4]. Resource Records map a host name to a specific delegate parts of the name space. Administration of these type, e.g. an A record maps a host name to an IPv4 delegations, especially at the TLD level, can be a complex address. A top-level domain (TLD) is a special type task involving many entities. As a matter of fact, within of zone that typically only has one task: to delegate the context of the DNS, we typically identify three types second-level domains. This delegation uses NS records of stakeholders: registries, registrars and registrants. The that identify the name server for a domain. If the NS registry is the entity responsible for the administration record for a domain points to a record that is inside the of a TLD. The registrar provides an interface between domain (called in-bailiwick), that name is included in the registrant and registry. It manages the administrative parts zone as a glue record to enable the resolution process related to the selling of the domain (e.g. manage payment, to continue. Consider for example: example.com NS renewal, billing and collecting owner information) and ns1.example.com. To resolve example.com, we usually provides customers an interface to interact and need to resolve ns1.example.com, but this implies modify the records related to their domains. Finally, the resolving the example.com delegation. Defining the registrant is the customer that registers a domain. A/AAAA glue record for ns1.example.com in the example.com 86400 IN NS ns.external.org parent zone file breaks this circular dependency and allows ns1.example.com 3600 IN A 1.2.3.4 ns1.expired1.com 3600 IN A 3.2.5.4 the domain to be resolved. Glue records are usually the ns1.expired2.com 3600 IN A 8.4.5.6 active.com 86400 IN NS ns1.expired2.com only A/AAAA records admitted in TLD zone files.A good.com 86400 IN NS ns1.good.com notable exception to this condition represented by the .de ns1.good.com 3600 IN A 1.2.3.5 zone is explained in x 5.3. TABLE 1: Example .com Zone File Algorithm 1 (O) Algorithm 2 (A) EPP - the Extensible Provisioning Protocol. EPP is an XML text protocol defined in RFC5730 [5]. The primary goal of EPP is to permit multiple service providers to analysis on the same zones as in [2], but also extend the manipulate objects in a shared centralized object directory. analysis to other zones available to us. Liang et al. [6] EPP was introduced by Hollenbeck to provide a standard proposed a method for keeping DNS records locked in the Internet domain registration protocol between registrars cache of open DNS resolvers after the domain expires. and registries. The protocol defines and describes the The authors defined these records as ghosts and prove interaction between these two parties via a standard set that by performing queries against open resolvers and by of atomic and idempotent commands. EPP defines three crafting an ad-hoc response in the controlled authoritative main object types: domains, contacts and hosts. EPP also nameserver, it was possible to refresh the TTL value for the defines actions, such as: check, info, create, update, delete, record in the cache of the open resolver even if the domain transfer and renew. Domain objects represent the domain no longer exists in the parent zone. While their work does itself, contacts are the WHOIS contact information, and not specifically focus on junk records, it indirectly refers finally hosts represent the glue records. to generic expired domains in the parent zone. In EPP, creation of host and domain resources are two independent operations. A registrar typically creates 3. Methodology and Dataset glue records in case of the aforementioned in-bailiwick NS record case. The specification [5] does not define who is Methodology. We developed two algorithms to respec- responsibile to clean up glue records if they are no longer tively identify orphan and abandoned records inside zone required (e.g., in case of expired domains). A registrar files. These algorithms rely on the principle that in the could periodically check this. Alternatevely, a registry zone file the only A records available are glue records1. could check on if glue records in its database are actually Algorithm 1 identifies orphan records and it is similar required by an in-bailiwick domain before publishing a to the one described in [2]. The algorithm first collects zone on its name servers. When a domain expires, after all the domains in A records available inside the zone a grace period the registrar return the responsibility of file. Then it trims the domains to the second level domain managing the domain to the registry, which should ensure (SLD). Finally, it looks for SLDs that do not have any that all the related resource records are deleted by the associated NS record. registrar. Algorithm 2 identifies abandoned records. The algo- rithm collects the list of domains in the A records available Orphan and abandoned records. Glue records are sup- in the zone file. Alike Algorithm 1, it trims the domain to posed to be removed after a delegation is removed or the SLD and looks for the SLDs for which the NS records changed. Earlier work indicates, however, that this does do not point to the extracted A records. not always happen in practice [2]. In this paper, we define Table 1 provides an example of records retrieved an orphan record as a former glue record for which the by the two algorithms. Algorithm 1 identifies related domain no longer exists in the zone (the delegation ns1.expired1.com and ns1.expired2.com has been removed). We also define an abandoned record as orphans since no NS records exist for as a former glue record for which the related domain still expired1.com or expired2.com. Algorithm 2 exists in the zone but the delegation no longer requires that marks ns1.example.com as abandoned (a delegation glue record. Under normal operation, abandoned records for example.com exists, but points elsewhere). do not show up in the DNS resolution, as there is no longer a relation with the domain the record served.