Cross the Zone: Toward a Covert Domain Hijacking via Shared DNS Infrastructure

Authors: 

Yunyi Zhang, National University of Defense Technology; Tsinghua University; Mingming Zhang, Zhongguancun Laboratory; Baojun Liu, Tsinghua University; Zhongguancun Laboratory; Zhan Liu and Jia Zhang, Tsinghua University; Haixin Duan, Tsinghua University; Zhongguancun Laboratory; Min Zhang, Fan Shi, and Chengxi Xu, National University of Defense Technology

Abstract: 

Domain Name System (DNS) establishes clear responsibility boundaries among nameservers for managing DNS records via authoritative delegation. However, the rise of third-party public services has blurred this boundary. In this paper, we uncover a novel attack surface, named XDAuth, arising from public authoritative nameserver infrastructure's failure to isolate data across zones adequately. This flaw enables adversaries to inject arbitrary resource records across logical authority boundaries and covertly hijack domain names without authority. Unlike prior research on stale NS records, which concentrated on domain names delegated to expired nameservers or those of hosting service providers, XDAuth targets enterprises that maintain their authoritative domain names. We demonstrate that XDAuth is entirely feasible, and through comprehensive measurements, we identify 12 vulnerable providers (e.g., Amazon Route 53, NSONE, and DigiCert DNS), affecting 125,124 domains of notable enterprises, including the World Bank and the BBC. Moreover, we responsibly disclose the issue to the affected vendors. Some DNS providers and enterprises (e.g., Amazon Route 53) have recognized the issue and are adopting mitigation measures based on our suggestions.

BibTeX
@inproceedings {299904,
author = {Yunyi Zhang and Mingming Zhang and Baojun Liu and Zhan Liu and Jia Zhang and Haixin Duan and Min Zhang and Fan Shi and Chengxi Xu},
title = {Cross the Zone: Toward a Covert Domain Hijacking via Shared {DNS} Infrastructure},
booktitle = {33rd USENIX Security Symposium (USENIX Security 24)},
year = {2024},
isbn = {978-1-939133-44-1},
address = {Philadelphia, PA},
pages = {5751--5768},
url = {https://www.usenix.org/conference/usenixsecurity24/presentation/zhang-yunyi-zone},
publisher = {USENIX Association},
month = aug
}