Rethinking the Security Threats of Stale DNS Glue Records
Yunyi Zhang, Baojun Liu, Haixin Duan, Min Zhang, Xiang Li, Fan Shi, Chengxi Xu, Eihal Alowaisheq
33rd USENIX Security Symposium · Day 1 · USENIX Security '24
The Domain Name System (DNS) is a foundational component of the internet, responsible for translating human-readable domain names into IP addresses. While seemingly robust, the intricate mechanics of DNS can harbor subtle vulnerabilities. This talk, presented by Chiau from Tsinghua University on behalf of the listed authors, sheds light on a long-overlooked aspect of DNS: **glue records**. These special resource records, almost as old as DNS itself, are critical for resolving a specific type of domain delegation, yet their mismanagement and misuse have gone largely unaddressed.
AI review
This research uncovers a critical, widespread vulnerability in DNS stemming from stale glue records and resolver misuse. The novel "Shadow Caching" attack model demonstrates how this oversight puts millions of domains, including top-tier sites, at risk of takeover or DoS. It's a deep dive into fundamental internet infrastructure, challenging long-held assumptions and demanding urgent action from TLD registries and DNS software vendors.