Zombies in Alternate Realities: The Afterlife of Domain Names in DNS Integrations

TL;DR

This paper investigates the prevalence and risks of outdated DNS linkages, called zombies, across various ecosystems, analyzing their impact and proposing design improvements to mitigate threats.

Contribution

It defines a threat model for DNS zombies, measures their occurrence in multiple ecosystems, and evaluates how different integration designs influence zombie persistence and security.

Findings

Zombies are present in all studied ecosystems, with varying prevalence.

Long-lasting zombies are common in validate-once integrations.

Expiring linkages and frequent validation reduce zombie occurrence.

Abstract

DNS integrations leverage the discovery, trust, and uniqueness of the global Domain Name System with a linkage to another naming ecosystem, so the DNS name can help identify resources such as a cryptocurrency wallet or software component. While DNS ownership is verified at linkage creation, many ecosystems do not track subsequent DNS changes. The result is zombie linkages, where the DNS ownership has expired or changed, but the mapping to the linked resource persists. We define a threat model for DNS integrations, identifying five classes of attacks that leverage or exploit zombie linkages. We measure zombie occurrence across three DNS integrations -- Web PKI; ENS, a blockchain naming system; and Maven Central, a Java software repository. We show that zombies exist in every ecosystem, but at very different fractions -- zombies make up roughly 3% of TLS certificates for new domains, 24% of ENS on-chain imports, and 15% of Maven Central namespaces. We evaluate how integration design choices affect outcomes, with validate-once integrations (ENS on-chain, Maven Central) accumulating long-lasting zombies, linkages with expiration (Web PKI) limiting damage, while integrations that validate on every use (ENS gasless) are zombie-free by design. We look for specific attacks, finding attacks actively available for exploitation in both Web PKI and Maven Central. Finally, we recommend steps to reduce zombie occurrence.