back to article DNS flaw reanimates slain evil sites as ghost domains

Cyber-crooks may be able to keep malicious domains operating for longer - even after they are revoked - by manipulating the web's Domain Name System (DNS). A weakness in the cache update logic of many widely used DNS servers creates the potential to establish so-called ghost domains, according to a recent joint study by a team …


This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    The Pirate Bay: coming to a ghost domain near you - lulz

    Pandora's box (haven't a clue where, or even if required at all, the apostrophe goes)

    No full stop to generate apoplexy amongst some of the commentards

  2. Bill Neal


    Haixin? Really?

  3. Figgus
    Thumb Up

    Not ALL bad, actually

    "Koziol reckons the ghost domain tactic will make life far easier for cyber-crooks while making it far harder to scrub the traces of malicious domains from the net.

    "If you have a domain that is doing really bad stuff, serving up fake AV malware, phishing, etc, it can be deleted at the TLD level to get it off the internet," Koziol explained. "Malware authors that used the domain basically could do nothing about it, they would just move to a new domain (which could be very disruptive to serving malware or phishing pages, etc)."

    Seems like this would screw up crappy legislation like SOPA and PIPA too, giving site owners time to point people toward alternate DNS servers or to advertise their IP address on their front page.

  4. Tom Chiverton 1

    The fix seems easy; never increase the TTL of a cached record...

  5. fridelain

    I don't see how this affects botnets.

    It doesn't affect botnets if the server is still up with the same IP, as the bots could just be reprogrammed to use a hardcoded IP.

    1. markoer

      Re: I don't see how this affects botnets.

      This is not how botnets generally work.

      Although some may use hardcoded IPs, the majority now keeps kind of regular expression of domain names (like bot*.net) and will more or less randomly try to resolve the names until they find one that works (like,, or, etc.).

      If the malware can resolve the name longer after it has been de-registered, we clearly have a problem.


  6. An0n C0w4rd

    Not entirely true...

    "By only restricting recursive queries to authorised clients with an ACL [Access Control List] (that is, not running an open recursive name server), you'd prevent malicious folks on the internet from refreshing their delegation."

    With all the zombies out there malicious people could keep DNS alive on networks with infected computers nearly indefinitely...

    Yet more reasons not to use nameservers that are shared with other people you don't know or trust

  7. Anonymous Coward
    Anonymous Coward


    I have been dealing with this crap for months and I am sick of the manipulations to Bind 9 etc. it is causing too much spam and garbage to come in. Unfortunately for me I do not control the DNS servers at work and I cannot convince the ones that do to patch BIND 9 either.

  8. Anonymous Coward
    Anonymous Coward

    DJB dnscache vulnerable !!!!!

    Looking at the paper ( I see DJB dnscache is vulnerable. Well, HAHAHAHAHA!!11!! !

    MaraDNS is not vulnerable.

  9. privateprivate

    why delete the record...

    Why not just keep the entries active, and ensure the records point to a honeypot farm.

    This means:

    1. There's no fight to delete them/keep them cached

    2. The honeypots can pick-up additional information as to what they're being used for, and how active they are.

  10. Anonymous Coward
    Anonymous Coward

    For the time being, do not de-register the domain names entirely, just set no IP for the domain in DNS, until their registration runs out.

  11. Anonymous Coward
    Anonymous Coward

    Liking the look of 9:38 and 10:48

    To the untrained eye they look good. Do those in the know think they might help, in which case why the fuss in the article?

    1. Robert Carnegie Silver badge

      Domains may be de-registered for other reasons.

      And you don't want EVERY deleted-domain access attempt notified to the FBI, SOCA, RIAA, etc.

      Some of the malware sites are legitimate sites that have been hacked and compromised. I glance at some of the addresses in recent "Please to upstate your password on bankning web site" e-mails and they look like a legitimate site for a different purpose. Well, initially, they look like the actual address of the bankning web site, you know how it goes. So I presume that somebody innocent has been hacked at that end, not that I care either way.

      1. Tom 13

        Re: Domains may be de-registered for other reasons.

        You don't need to do it for all deleted domains, only ones that are taken over as a result of a court ordered take down for malware - everything else follows as usual. Personally I sort of like the idea of taking over the malware domain for a year or three and redirecting them to a legitimate anti-malware site.

  12. John Robson Silver badge


    Anyone know if unbound is affected?

    1. Anonymous Coward
      Anonymous Coward

      Re: Unbound?

      Unbound 1.4.7: yes, affected. 1.4.11: no.

This topic is closed for new posts.

Other stories you might like