
CERT/CC Blog


CNAME flux


Hello, this is Jonathan Spring. Recently, Leigh Metcalf and I uncovered some interesting results in our continuing work on properties of the Domain Name System (DNS). Our work involves an unconventional use of CNAME (canonical name) records. Besides an IP address, a CNAME record is the only other kind of location a domain may have in the DNS: instead of an IP address, a CNAME record is a redirection or alias that points to another name.

CNAMEs should behave similarly to IP addresses in the DNS: relatively statically. IP addresses, however, have departed from that expected consistency in the past. Several years ago, content distribution networks (CDNs) popularized a DNS usage known as IP flux: the IP address of a resource is changed quickly in the DNS for geographic nearness, load balancing, and redirection in case of failure. Malicious actors soon caught on and implemented their own networks using IP flux.

Leigh and I have found that CNAME flux is also practiced to some degree. Using a source of passive public DNS resolutions, we have found domains that change their CNAME destination multiple times a day. We consider a domain to be exhibiting flux if it changes destination 8 or more times in one day. For example, the following records of a domain exhibiting CNAME flux were observed on October 2, 2011.

rname                   class  type   TTL  rdata
corn.best.stanford.edu  IN     CNAME  10   corn26.stanford.edu
corn.best.stanford.edu  IN     CNAME  10   corn02.stanford.edu
corn.best.stanford.edu  IN     CNAME  10   corn15.stanford.edu
corn.best.stanford.edu  IN     CNAME  10   corn10.stanford.edu
corn.best.stanford.edu  IN     CNAME  10   corn12.stanford.edu
corn.best.stanford.edu  IN     CNAME  10   corn19.stanford.edu
corn.best.stanford.edu  IN     CNAME  10   corn24.stanford.edu
corn.best.stanford.edu  IN     CNAME  10   corn23.stanford.edu

The CNAME here seems to be balancing the load on a particular service by redirecting users to the more available servers, given the naming scheme and the short time to live (TTL) of 10 seconds. However, as with CDNs, if benign actors benefit from a tactic, malicious actors are likely to use the same tactic to their own ends.
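The measurement described above (count how many times a name's CNAME destination changes within one day, and flag names at 8 or more) is straightforward to reproduce over timestamped passive-DNS observations. The following is an added example, not code from the post or from CERT/CC; the input line format, the timestamps and the ninth observation returning to corn26.stanford.edu are constructed for illustration, since the post's records carry no timestamps.

```python
from collections import defaultdict
from datetime import datetime

# Threshold from the post: 8 or more destination changes in one day.
FLUX_THRESHOLD = 8

def parse_observation(line):
    """Parse '<ISO timestamp> <rname> <class> <type> <TTL> <rdata>' (constructed format)."""
    ts, rname, rclass, rtype, ttl, rdata = line.split()
    # Normalise names so 'Foo.example.' and 'foo.example' count as the same destination.
    return (datetime.fromisoformat(ts), rname.lower().rstrip("."),
            rclass, rtype.upper(), int(ttl), rdata.lower().rstrip("."))

def count_cname_changes(lines):
    """Return {(rname, date): number of times the CNAME destination changed that day}."""
    per_day = defaultdict(list)
    for line in lines:
        ts, rname, _cls, rtype, _ttl, rdata = parse_observation(line)
        if rtype != "CNAME":          # A records and others are not part of the measurement
            continue
        per_day[(rname, ts.date().isoformat())].append((ts, rdata))
    changes = {}
    for key, obs in per_day.items():
        obs.sort()                    # time order, so consecutive differences are real changes
        prev, n = None, 0
        for _, rdata in obs:
            if prev is not None and rdata != prev:
                n += 1
            prev = rdata
        changes[key] = n
    return changes

def flux_domains(lines, threshold=FLUX_THRESHOLD):
    """(rname, date) pairs that meet the post's definition of CNAME flux."""
    return sorted(k for k, n in count_cname_changes(lines).items() if n >= threshold)

# Constructed sample: the post's corn.best.stanford.edu destinations for 2011-10-02, plus a
# ninth observation returning to corn26, a stable CNAME, and one A record to be ignored.
_CORN = ["corn26", "corn02", "corn15", "corn10", "corn12", "corn19", "corn24", "corn23", "corn26"]
SAMPLE_OBSERVATIONS = (
    [f"2011-10-02T{8 + i:02d}:00:00 corn.best.stanford.edu IN CNAME 10 {d}.stanford.edu"
     for i, d in enumerate(_CORN)]
    + [f"2011-10-02T{8 + i:02d}:30:00 www.example.com IN CNAME 300 cdn.example.net" for i in range(4)]
    + ["2011-10-02T09:05:00 corn.best.stanford.edu IN A 10 192.0.2.10"]
)

if __name__ == "__main__":
    for (name, day), n in sorted(count_cname_changes(SAMPLE_OBSERVATIONS).items()):
        print(f"{day} {name}: {n} changes")
    print("flux:", flux_domains(SAMPLE_OBSERVATIONS))
```

Counting changes in time order rather than distinct destinations matters: the eight records in the post alone amount to seven changes, so a name that cycles back to an earlier destination is still counted each time it moves.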

So far, the domains using CNAME flux amount to a small percentage of the CNAME records observed. Around 16M domains in our data source use CNAME records each day, and only 15-200 of those domains exhibit CNAME flux. We measured the incidence of CNAME flux between October 1 and November 30, 2011. The results are presented in this chart.

[Chart: incidence of CNAME flux, October 1 to November 30, 2011]

We can't say whether or not the practice will become more widespread. But CNAME flux is yet another creative use of one of the few ubiquitous Internet protocols, and creative protocol use tends to cause headaches for security folks.

About the Author

Jonathan Spring
