The ghost domain problem in DNS, and what we're doing about it
4 days ago
- #Cybersecurity
- #DNS
- #Monitoring
- The ghost domain problem occurs when a registry removes a domain's delegation from the parent zone, yet the name keeps resolving because recursive resolvers still hold its records in cache and keep serving them as if nothing had changed.
- Typical triggers are registry-side actions: failed holder contact verification (e.g., in .de) or suspension for non-compliance (e.g., in .eu or .fr).
- The root cause is the resolver's credibility ranking: NS records learned from the child zone's authoritative answers outrank the delegation records learned from the parent, so the resolver keeps using the cached child name servers instead of returning to the parent, where it would discover that the delegation is gone.
- Default resolver settings cap cached records at a day or more (Unbound's cache-max-ttl defaults to one day, BIND's max-cache-ttl to one week), so a ghost domain can keep resolving for days after the registry has removed it.
- Most monitoring services, the author's included, publish no specific defense against this issue in their documentation.
- The author's fix is to run Unbound with the cache maximum lowered to one hour and the experimental harden-referral-path option enabled, which makes Unbound perform additional queries for the name servers on the referral path (and validate them where DNSSEC is available) instead of relying on cached infrastructure records.
- Limitations: the fix narrows the exposure window to roughly one cache lifetime rather than eliminating the problem, and harden-referral-path can cause DNSSEC validation failures during rollout, so it should be staged and watched.
- Recommendation: pair uptime checks with DNS monitoring that queries the parent zone's authoritative servers directly, because a registry-level delegation removal is invisible to a check that only asks a caching resolver.
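The cache mechanism in the credibility and cache-TTL bullets above, and the delegation check recommended in the last bullet, as one added Python example (not code from the original post, and not Unbound's or BIND's implementation). It models a minimal resolver cache with RFC 2181-style credibility ranking, measures how long a zone deleted at the registry keeps resolving under a 7-day versus a 1-hour cache cap, and classifies a monitoring observation by comparing the parent zone's delegation answer with the recursive resolver's answer. The zone ghost.test, its name servers, the TTLs, the query timeline and the sample observations are all constructed; whether a resolver resets the NS timer on every child answer (the refresh_from_child flag) is a modelling assumption that differs between resolver versions, and it is the case in which a lower cap alone does not close the window.

```python
"""Ghost-domain cache model plus a delegation-consistency check. Added example, not
code from the post or from Unbound/BIND; names, TTLs, timings, observations are made up."""
import math

HOUR = 3600
DAY = 24 * HOUR
# Credibility ranking in the spirit of RFC 2181 section 5.4.1: an authoritative answer
# outranks data learned from a parent referral, which is what lets the child's NS set
# shadow the parent's delegation in the cache.
CRED_REFERRAL, CRED_AUTH = 1, 2


class ResolverCache:
    """Minimal positive cache: (name, rtype) -> (rdata, credibility, expiry)."""
    def __init__(self, cache_max_ttl):
        self.cache_max_ttl = cache_max_ttl  # the cap the post lowers to 1 hour
        self.entries = {}

    def store(self, name, rtype, rdata, ttl, cred, now):
        cur = self.entries.get((name, rtype))
        if cur and cur[2] > now and cur[1] > cred:
            return  # lower-credibility data never replaces live higher-credibility data
        self.entries[(name, rtype)] = (frozenset(rdata), cred, now + min(ttl, self.cache_max_ttl))

    def lookup(self, name, rtype, now):
        cur = self.entries.get((name, rtype))
        return cur if cur and cur[2] > now else None


class GhostScenario:
    """ghost.test is deleted at the registry at delete_at, but its old name server
    keeps running and keeps answering with an authoritative NS set."""
    ZONE = "ghost.test."
    CHILD_NS = frozenset({"ns1.ghost.test."})

    def __init__(self, cache_max_ttl, delete_at, refresh_from_child):
        self.cache = ResolverCache(cache_max_ttl)
        self.delete_at = delete_at
        # Modelling assumption: whether the resolver resets the NS timer whenever the
        # child's authority section repeats the NS set (the classic ghost-domain refresh).
        self.refresh_from_child = refresh_from_child

    def resolve(self, now):
        """True if the resolver would still hand out ghost.test data at `now`."""
        cached = self.cache.lookup(self.ZONE, "NS", now)
        if cached is None:  # nothing usable: go back to the parent (.test) for a referral
            if now >= self.delete_at:
                return False  # parent answers NXDOMAIN; nothing to cache
            self.cache.store(self.ZONE, "NS", self.CHILD_NS, 2 * DAY, CRED_REFERRAL, now)
            cached = self.cache.lookup(self.ZONE, "NS", now)
        # The child's server answers authoritatively and repeats its NS set with a
        # 7-day TTL; that answer outranks (or refreshes) what the cache holds.
        if self.refresh_from_child or cached[1] == CRED_REFERRAL:
            self.cache.store(self.ZONE, "NS", self.CHILD_NS, 7 * DAY, CRED_AUTH, now)
        return True


def ghost_lifetime(cache_max_ttl, refresh_from_child, query_interval=600, horizon=30 * DAY):
    """Seconds after deletion during which the resolver still serves the zone (math.inf if it
    still does at the horizon). A client asks every query_interval s; deletion is at day 1 + 30 min."""
    delete_at = DAY + 30 * 60
    scenario = GhostScenario(cache_max_ttl, delete_at, refresh_from_child)
    last_alive = None
    for t in range(0, horizon, query_interval):
        if scenario.resolve(t):
            last_alive = t
    if last_alive is None or last_alive < delete_at:
        return 0
    if last_alive + query_interval >= horizon:
        return math.inf
    return last_alive - delete_at


def delegation_check(parent_answer, resolver_answer):
    """Classify one monitoring observation: the parent zone's authoritative answer about the
    delegation versus the recursive resolver's answer to the same NS query ({"rcode", "ns"} dicts)."""
    parent_ns = set(parent_answer.get("ns", ()))
    resolver_ns = set(resolver_answer.get("ns", ()))
    if parent_answer["rcode"] == "NXDOMAIN" or not parent_ns:
        # Delegation withdrawn at the registry: whatever the resolver still serves is stale.
        return "ghost" if resolver_ns else "removed"
    if resolver_answer["rcode"] != "NOERROR" or not resolver_ns:
        return "resolver_failure"
    if resolver_ns != parent_ns:
        return "ns_mismatch"  # delegation changed, cache has not caught up
    return "ok"


# Constructed observations a monitor might record for ghost.test.
SAMPLE_OBSERVATIONS = {
    "healthy": ({"rcode": "NOERROR", "ns": {"ns1.ghost.test."}},
                {"rcode": "NOERROR", "ns": {"ns1.ghost.test."}}),
    "ghost": ({"rcode": "NXDOMAIN", "ns": set()},
              {"rcode": "NOERROR", "ns": {"ns1.ghost.test."}}),
    "stale": ({"rcode": "NOERROR", "ns": {"ns2.ghost.test."}},
              {"rcode": "NOERROR", "ns": {"ns1.ghost.test."}}),
}

if __name__ == "__main__":
    for cap, refresh in ((7 * DAY, False), (HOUR, False), (HOUR, True)):
        print(f"cap={cap}s refresh_from_child={refresh}: ghost lives {ghost_lifetime(cap, refresh)}s")
    for label, (parent, resolver) in SAMPLE_OBSERVATIONS.items():
        print(f"{label}: {delegation_check(parent, resolver)}")
```

Run as a script, it reports about six days of ghost lifetime under a 7-day cap, twenty minutes under a 1-hour cap, and an unbounded lifetime when the resolver keeps refreshing the NS set from the child, which is the residual risk the post's limitations bullet points at. The Unbound directives matching the 1-hour cap are cache-max-ttl: 3600 alongside harden-referral-path: yes; the delegation_check function is the logic a monitor would apply to a query sent to the parent's authoritative servers and a second query sent to the resolver under test.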