Sam Trenholme's webpage
Support this website

On Ghost Domains


February 13 2012

Earlier this month Haixin Duan, et al released the paper "Ghost Domain Names: Revoked Yet Still Resolvable" (PDF document). For people who do not have the time to read the paper, this paper describes how a phisher can keep a malicious domain resolving after said domain is canceled upstream.

As it turns out, Deadwood is immune to this attack because it uses a different method to resolve domains than what most other DNS servers use. While more complicated, Deadwood is immune to some attacks which other DNS servers are vulnerable to.

I describe how Deadwood resolves domains in great depth in the following paper:

Since the above document does not clarify this: Deadwood, like any other modern DNS server, does DNS ID and source port randomization. Indeed, Deadwood was doing this well before Kaminsky's attack came to surface in mid-2008.

To post a comment about an entry, send me an email and I may or may not post your comment (with or without editing)