Don't Get Hijacked: Prevalence, Mitigation, and Impact of Non-Secure DNS Dynamic Updates

TL;DR

This paper investigates the widespread security vulnerabilities caused by non-secure DNS dynamic updates, quantifies their prevalence, and demonstrates effective mitigation through coordinated CSIRT notifications, significantly reducing vulnerable domains.

Contribution

It provides the first large-scale analysis of insecure DNS updates and shows that coordinated CSIRT engagement effectively mitigates this security risk.

Findings

Over 353 million domains analyzed, nearly 382,000 accepting unsolicited updates.

Approximately 54% of vulnerable nameservers remediated after CSIRT notifications.

Sustained low prevalence of insecure DNS updates following intervention.

Abstract

DNS dynamic updates represent an inherently vulnerable mechanism deliberately granting the potential for any host to dynamically modify DNS zone files. Consequently, this feature exposes domains to various security risks such as domain hijacking, compromise of domain control validation, and man-in-the-middle attacks. Originally devised without the implementation of authentication mechanisms, non-secure DNS updates were widely adopted in DNS software, subsequently leaving domains susceptible to a novel form of attack termed zone poisoning. In order to gauge the extent of this issue, our analysis encompassed over 353 million domain names, revealing the presence of 381,965 domains that openly accepted unsolicited DNS updates. We then undertook a comprehensive three-phase campaign involving the notification of Computer Security Incident Response Teams (CSIRTs). Following extensive discussions spanning six months, we observed substantial remediation, with nearly 54\% of nameservers and 98% of vulnerable domains addressing the issue. This outcome serves as evidence that engaging with CSIRTs can prove to be an effective approach for reporting security vulnerabilities. Moreover, our notifications had a lasting impact, as evidenced by the sustained low prevalence of vulnerable domains.