Explore a 13-minute conference presentation from USENIX Security '24 that investigates critical security vulnerabilities in DNS glue records. Dive into groundbreaking research revealing that 23.18% of glue records across 1,096 TLDs are outdated and potentially exploitable. Learn about the systematic analysis of 9 mainstream DNS implementations, including BIND 9 and Microsoft DNS, which uncovered manipulable behaviors that could enable large-scale domain hijacking and denial-of-service attacks. Discover how over 193,558 exploitable records put more than 6 million domains at risk, and understand why it matters that 90% of global open resolvers, including major providers like OpenDNS and AliDNS, use unvalidated and outdated glue records. Gain insights into the researchers' responsible disclosure process and the subsequent mitigation efforts by affected stakeholders, including Microsoft DNS, PowerDNS, OpenDNS, and Alibaba Cloud DNS.
Syllabus
USENIX Security '24 - Rethinking the Security Threats of Stale DNS Glue Records
Taught by
USENIX