Knowledge Base ISC Main Website Ask a Question/Contact ISC
CVE-2012-1033: Ghost Domain Names: Revoked Yet Still Resolvable
Author: Cathy Almond Reference Number: AA-00691 Views: 15698 Created: 2012-05-31 12:06 Last Updated: 2012-06-07 13:08 0 Rating/ Voters

After completing our analysis of the DNS exploit reported by Professor Haixin Duan of Tsinghua University, ISC has determined that the behavior he describes, while verifiable, is due to design issues in the DNS protocol. No immediate steps are planned to address the issue. Further information concerning the implications of the reported vulnerability can be found in the complete problem description below.

Document Version:
Posting date: 
07 Feb 2012
Program Impacted: 
Versions affected: 
All versions of BIND 9



On February 7th, in anticipation of a paper being presented by Professor Haixin Duan, ISC issued a security announcement for CVE-2012-1033. We moved quickly to make an announcement in advance of Professor Duan's paper, scheduled to be presented at the Network and Distributed System Security Symposium the following day, because we wanted to ensure that we were not withholding any information with potential security implications for our users.

Our initial disclosure stated that we were assessing the implications of this vulnerability. After completing our analysis, we wish to share our conclusions:

   - The behavior in question arises from a side-effect of design decisions in the DNS protocol. It is not caused by a bug in BIND or other affected software. BIND and other software affected by this behavior are so affected because of the inherent, longstanding design of the DNS protocol.

   - To the best of our current knowledge, the extent of the exposure for users of BIND or other affected software is this: every resource record in the Domain Name System hierarchy has a time-to-live (TTL) value associated with it, intended to control how long the information in the resource record can be kept in cache by a non-authoritative server. Dr. Duan's paper discloses a method whereby information can be prolonged in the cache beyond the period supposedly allowed by the TTL value, causing affected resolvers to potentially return incorrect answers. It does not allow arbitrary insertion, removal, or alteration of resource record data.

   - ISC does not have current plans to release new versions of BIND with alterations to caching policy in response to this disclosure.
We intend to do further analysis and to work with the IETF, the internet infrastructure community, and our customers to determine
how to address the problem while remaining protocol-compliant. Relevant improvements to the protocol have been previously proposed by Paul Vixie [1] and ISC will continue to work for adoption of those or other protocol-level solutions.

   - While the behavior in question is clearly not intended by design and may be exploitable in highly specific circumstances, unsecured DNS is not designed to be relied on for security. ISC continues to recommend that organizations with security needs who are reliant on the Domain Name System proceed with adoption of DNSSEC; DNSSEC is the best known method of mitigating this issue.

(Original Description:Tsinghua University researchers discovered "a vulnerability affecting the large majority of popular DNS implementations which allows a malicious domain name to stay resolvable long after it has been removed from the upper level servers." The issue, which is in all versions of BIND 9 to our knowledge, "exploits a vulnerability in DNS cache update policy, which prevents effective domain name revocation. Attackers could cause a malicious domain name to be continuously resolvable even after the delegated data has been deleted from the domain registry and after the TTL associated with entry supposedly expires." (quoted sections are from the Tsinghua University research document))

CVSS Score: 5

CVSS Equation: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit:


If you are aware that you have cached bad records, clearing the cache will remove them but is not an effective or practical preventative approach.

Active exploits: 
No known active exploits, but the paper describing the issue is public and has been presented in public forums. The Ghost Names exploit might assist cyber-criminal activity.


On further review, ISC has determined that this is not an issue which needs an immediate patch. The issue is being reviewed at the protocol level and will be addressed there. Implementing DNSSEC is the safest mitigation measure.

**Delayed Update of 29 May --

The following releases, 9.6-ESV-R6, 9.7.5, 9.8.2, 9.9.0, and subsequent releases have changes to address this issue:

3282. [bug] Restrict the TTL of NS RRset to no more than that
of the old NS RRset when replacing it.
[RT #27792] [RT #27884]**

Acknowledgment: ISC would like to thank the research team who found this exploit: 

Jian Jiang, Network Research Center, Tsinghua University

Haixin Duan, Network Research Center, Tsinghua University

Jianping Wu, Network Research Center, Tsinghua University

Kang Li, Department of Computer Science, University of Georgia

Jun Li, University of Oregon Carlos III University of Madrid, Institute IMDEA Networks

Jinjin Liang, Network Research Center Tsinghua University

Nicholas Weaver, International Computer Science Institute (ICSI) 

The exploit was presented at the NDSS conference: "Ghost Domain Names: Revoked Yet Still Resolvable"


Document Revision History:

1.0 -Notified Phase I, II & III (7 February, 2012)

2.0 -Updated Description, Summary, Workaround, Related Docs (8 February, 2012)

2.1 -Updated Summary description with changes made to code in the last releases (29 May, 2012)


Related Document: 

[1] "Improvements to DNS Resolvers for Resiliency, Robustness, and Responsiveness", 2010, P. Vixie, R. Joffe, and F. Neves

[2] Dr. Duan's paper presented February 8th: The Ghost Names exploit might assist cyber-criminal activity


- Do you have Questions? Questions regarding this advisory should go to

This security advisory is a copy of the official document located on our website:

- ISC Security Vulnerability Disclosure Policy: Details of our current security advisory policy and practice can be found here:

© 2001-2018 Internet Systems Consortium

For assistance with problems and questions for which you have not been able to find an answer in our Knowledge Base, we recommend searching our community mailing list archives and/or posting your question there (you will need to register there first for your posts to be accepted). The bind-users and the dhcp-users lists particularly have a long-standing and active membership.

ISC relies on the financial support of the community to fund the development of its open source software products. If you would like to support future product evolution and maintenance as well having peace of mind knowing that our team of experts are poised to provide you with individual technical assistance whenever you call upon them, then please consider our Professional Subscription Support services - details can be found on our main website.

  • There is no feedback for this article
Quick Jump Menu