HAN Dianfei,YUAN Ruixi,GUAN Xiaohong

DOI: https://doi.org/10.1016/b978-0-12-803306-7.00003-6

2007-01-01

Abstract:The correct configuration of domain name servers is the foundation of good and robust performance of network service.Past operation practice has shown that incorrect configuration has severe impact on network services.In recent years,the.CN domain,an important part of Internet developed very rapidly.However,there are many issues arising in its management.The DNS configuration errors in.CN domain are measured and analyzed.It is found that over 30% zones suffer from misconfiguration errors.This problem may pose serious hinder to efficient and secure operation of Internet in China and should be brought enough attentions.

Chao Li,Yanan Cheng,Zhaoxin Zhang,Ping Yu

DOI: https://doi.org/10.1016/j.cose.2023.103426

2023-08-18

Abstract:Authoritative domain name servers (referred to as authoritative servers) play a critical role in the Domain Name System (DNS) by resolving domain names to specific IP or CNAME records, ensuring seamless internet access. However, misconfigurations in authoritative servers can introduce risks to domain name resolution. This paper proposes a comprehensive approach to analyze and evaluate the configuration risks of authoritative servers. We develop a tool called "AuthDetect" to detect configuration anomalies in authoritative servers, and leveraging this tool, we conduct anomaly detection and analyze resolution risks from three perspectives: resolution latency, content, and reliability. Our evaluation indicates that 90% of the domains have a favorable overall resolution risk (below 0.13), but varying levels of risks exist: (1) 60% face resolution latency risk, (2) only 8.33% of domain names exhibit content risk, and (3) almost all domain names (99.8%) experience resolution reliability risk, primarily due to inadequate server configuration. These findings offer valuable data support for domain name managers, providing insights into the current configuration status of authoritative servers and contributing to maintaining a healthy and stable DNS system operation.

computer science, information systems

Deliang Chang,Shanshan Hao,Zhou Li,Baojun Liu,Xing Li

DOI: https://doi.org/10.1109/access.2021.3112926

IF: 3.9

2021-01-01

IEEE Access

Abstract:DNS (Domain Name System) is one fundamental Internet infrastructure related to most network activities. As a feasible tool to govern the Internet, DNS’s stability and interoperability will be impacted by the countries’ policies or actions along the path. Especially now that many countries have stricter control over the Internet and even sometimes “unplug” it. But there was no study to quantify the countries’ impact systematically. To fill this research gap, we present DNSWeight . This new data-driven approach utilizes a large-scale DNS dataset and BGP (Border Gateway Protocol) routing information to calculate the country-importance score so that a country’s impact on DNS can be gauged. By applying DNSWeight on large-scale DNS and BGP datasets jointly, our study shows the importance among different countries is divided. A handful of countries show dominant significance to the current DNS ecosystem. Some countries with a history of Internet shutdowns are too influential to be ignored if they choose to break themselves from the Internet. We also examine the impact of IPv6 (IP Version 6) and reveal the “loop” phenomenon that occurs in some DNS queries. In conjunction with our findings, some discussion and suggestions are given. In summary, our study shows that DNS reliability needs to be reconsidered at the country’s level.

Shuhan Zhang,Shuai Wang,Dan Li

DOI: https://doi.org/10.1109/infocom52122.2024.10621098

2024-01-01

Abstract:DNS relies on domain delegation for good scalability, where domains delegate their resolution service to authoritative nameservers. However, such delegations lead to complex interdependencies between DNS zones. While a complex dependency might improve the robustness of domain resolution, it could also introduce security risks unexpectedly. In this work, we perform a large-scale measurement on nearly 217M domains to analyze their resolution dependencies at both zone level and infrastructure level. According to our analysis, domains under country-code TLDs and new generic TLDs generally present more complicated dependency relationships. For robustness consideration, popular domains prefer to configure more complex dependencies. However, the centralization of nameserver hosting and the silent outsourcing of DNS providers could lead to severe false redundancy at infrastructure level. Worse, considerable domain configurations in the wild are "not robust but risky": a more complex dependency may also indicate more vulnerabilities, e.g., domains with a 2x higher dependency complexity have a 2.87x larger proportion suffering from the hijacking risk brought by lame delegation.

Baojun Liu,Chaoyi Lu,Zhou Li,Ying Liu,Haixin Duan,Shuang Hao,Zaifeng Zhang

DOI: https://doi.org/10.1109/dsn.2018.00072

2018-01-01

Abstract:Internationalized Domain Names (IDNs) are domain names containing non-ASCII characters. Despite its installation in DNS for more than 15 years, little has been done to understand how this initiative was developed and its security implications. In this work, we aim to fill this gap by studying the IDN ecosystem and cyber-attacks abusing IDN. In particular, we performed by far the most comprehensive measurement study using IDNs discovered from 56 TLD zone files. Through correlating data from auxiliary sources like WHOIS, passive DNS and URL blacklists, we gained many insights. Our discoveries are multi-faceted. On one hand, 1.4 million IDNs were actively registered under over 700 registrars, and regions within east Asia have seen prominent development in IDN registration. On the other hand, most of the registrations were opportunistic: they are currently not associated with meaningful websites and they have severe configuration issues (e.g., shared SSL certificates). What is more concerning is the rising trend of IDN abuse. So far, more than 6K IDNs were determined as malicious by URL blacklists and we also identified 1, 516 and 1, 497 IDNs showing high visual and semantic similarity to reputable brand domains (e.g., apple.com). Meanwhile, brand owners have only registered a few of these domains. Our study suggests the development of IDN needs to be re-examined. New solutions and proposals are needed to address issues like its inadequate usage and new attack surfaces.

Shuying Zhuang,Jessie Hui Wang,Pei Zhang,Jilong Wang

DOI: https://doi.org/10.1016/j.comnet.2020.107102

IF: 5.493

2020-01-01

Computer Networks

Abstract:As the Internet becomes more and more widely used in our daily life, its latency has been regarded as a truly critical issue for various Internet applications. Researchers propose an ambitious goal to pursue “Speed-of-Light Internet. However, there is a large gap between the reality and the goal, and a lot of infrastructure inefficiency caused by simple issues has been observed in some developing or rural regions. In this article, we conduct a measurement study on the latency to visit more than 638 K websites in China from five well-connected vantage points, and examine the unnecessary latency caused by the inefficiency of DNS infrastructure and Internet routing infrastructure in China. We find that DNS resolution is the most significant contributor to the overall latency and investigate several important factors that affect DNS latency, i.e., caching, CNAME and delegation. In terms of Internet routing infrastructure in China, we observe that 1) the inter-domain routing in China relies too heavily on the three oldest IXPs while the newly deployed IXPs are under-used significantly, which results in unnecessary routing circuitousness; and 2) most congested links are the links connecting cities with IXPs and these links should be upgraded or utilized with more efficient traffic engineering systems. Furthermore, in order to compute circuitousness ratios and locate congested links, we also propose a method to geolocate IP addresses in China more accurately and we make the geolocation results for IP addresses under the study of this work publicly accessible to facilitate future research efforts.

Qi Li,Xingqun Qi,Jiaming Liu,Hongfeng Han

DOI: https://doi.org/10.1109/icctec.2017.00303

2017-01-01

Abstract:Hosts need to identify their location on the Internet. One way is to use an IP address. In IPV4 networks, each computer is identified by a unique 4-byte number, which is generally written as a four-point format, such as 199.1.35.90. When data are transmitted via the network, the header of the packet will contain the IP address of the destination host. Another method is to use the host name to identify themselves, such as www.yahoo.com, www.google.com. Compared with the IP address, it is more memorable. However, the host name provides little or no information about the host's location in the network. In addition, since host names are usually composed of alphanumeric characters of varying lengths, routers are better at handling fixed-length, hierarchical IP addresses. Therefore, domain name system (DNS) has been developed for converting host names that are easy to be remembered by humans into digital Internet addresses. But the use of DNS sometimes reduces the efficiency of accessing the network because the network environment varies all the time, which results in the transmission rate of information between the client and the DNS server. If the package losses due to timeout, the respond of the DNS server cannot be received. As a result, this paper designs a model that can decrease the probability of these problems by introducing a local DNS database.

Fenglu Zhang,Baojun Liu,Chaoyi Lu,Yunpeng Xing,Haixin Duan,Ying Liu,Liyuan Chang

DOI: https://doi.org/10.1109/tdsc.2024.3373530

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:DNS root servers are the starting point of most DNS queries. To ensure their security and stability, multiple anycast instances are operated worldwide, and new root instances have been rapidly deployed in recent years. Apart from authorized instances managed by Root Server System, some networks equip unauthorized instances to hijack queries from clients. Despite various root instances handling queries within their residing networks, few studies have focused on the deployment issues of these instances.       In this paper, we provide the first study to reveal the deployment issues of root instances from a nationwide view. With the support of 7,860 vantage points, we utilized a suite of methodologies to identify the deployment of unauthorized instances. 54 vantage points witnessed the evidence of unauthorized instances, and 70.4% of them further observed security issues of unauthorized instances, including DoS, unavailability of DNSSEC validation, and vulnerable DNS software. Additionally, we utilized the side-channel information of censorship mechanisms to measure the catchment area of authorized instances. We found that most authorized instances in the Chinese mainland serve with limited catchment areas due to restricted BGP policies. Through discussions with ISPs and network operators, we make recommendations to improve the deployment status of different root instances.

computer science, information systems, software engineering, hardware & architecture

Fenglu Zhang,Baojun Liu,Eihal Alowaisheq,Jianjun Chen,Chaoyi Lu,Linjian Song,Yong Ma,Ying Liu,Haixin Duan,Min Yang

DOI: https://doi.org/10.1145/3576915.3616647

2023-01-01

Abstract:Authoritative nameservers are delegated to provide the final resource record. Since the security and robustness of DNS are critical to the general operation of the Internet, domain owners are required to deploy multiple candidate nameservers for load balancing. Once the load balancing mechanism is compromised, an adversary can manipulate a large number of legitimate DNS requests to a specified candidate nameserver. As a result, it may bypass the defense mechanisms used to filter malicious traffic that can overload the victim nameserver, or lower the bar for DNS traffic hijacking and cache poisoning attacks. In this study, we report on a class of DNS vulnerabilities and present a novel attack, named Disablance, that targets the domains with different NS records severing to multiple sites of authoritative servers. The attack is made possible by a misconfiguration of nameservers that ignores domains outside their authority, combined with recursive resolvers that use a globally shared status for nameserver selection. By targeting authoritative nameservers configured by a large number of domains, Disablance allows adversaries to stealthily sabotage the DNS load balancing for authoritative nameservers at a low cost. Through simply configuring the DNS records for a domain under their control to point to the targeted nameservers and performing a handful of requests, adversaries can temporarily manipulate a given DNS resolver to overload a specific authoritative server. Therefore, Disablance can redirect benign DNS requests for all hosted domains to the specific nameserver and disrupts the load balancing mechanism. Our extensive study proves the security threat of Disablance is realistic and prevalent. First, we demonstrated that mainstream DNS implementations, including BIND9, PowerDNS, and Microsoft DNS, are vulnerable to Disablance. Second, we developed a measurement framework to measure vulnerable authoritative servers in the wild. 22.24% of top 1M FQDNs and 3.94% of top 1M SLDs were proven can be the victims of Disablance. Our measurement results also show that 37.88% of stable open resolvers and 10 of 14 popular public DNS services can be exploited to conduct Disablance, including Cloudflare and Quad9. Furthermore, the critical security threats of Disablance were observed and acknowledged through in-depth discussion with a world-leading DNS service provider. We have reported discovered vulnerabilities and provided recommendations to the affected vendors. Until now, Tencent Cloud (DNSPod) and Amazon have taken action to fix this issue according to our suggestions.

JI Cheng,LI Xiaodong,YUAN Jian,YUCHI Xuebiao,SHAN Xiuming

DOI: https://doi.org/10.16511/j.cnki.qhdxxb.2010.04.033

2010-01-01

Abstract:A full day's queries looking up the IP address associated with the CN domain names were investigated to study the Internet access pattern. The queries were collected from the authoritative CN name servers running by the China Internet Network Information Center. A data compression method was designed,which reduces the volume of data while retaining the valid information about users' visiting website. The feature vector of IPs and domain names' temporal behavior were clustering with the k-means algorithm. The results show that according to the differences between the temporal behaviors,IP addresses are divided into three main clusters,attackers,the main ISP's recursive server,and other recursive servers and that domain names are divided into four main clusters. The further clustering of the domain names queried by large number of users finds the domain names truly reflecting the need of the majority of the users.

Bingyang Guo,Min Zhang,Chengxi Xu,Fan Shi

DOI: https://doi.org/10.1109/ICCCS52626.2021.9449288

2021-01-01

Abstract:As the Internet continues to evolve, the Domain Name System (DNS), which is originally designated as distributed service, starts to aggregate to fewer DNS servers. Thus, it is of great significance to dig out these name servers and carry out specific security protection on them. Researchers try to calculate the importance of an individual name server based on the number of domains resolved by it. ...

Xianran Liao,Jiacen Xu,Qifan Zhang,Zhou Li

DOI: https://doi.org/10.1109/access.2022.3215753

IF: 3.9

2022-01-01

IEEE Access

Abstract:Domain Name System (DNS) is a fundamental component for today’s Internet communications, enabling the domain-to-IP translations for billions of users and numerous applications. Yet, the operational failures of DNS are not rare and sometimes lead to severe consequences like Internet outages. To gain a better understanding of DNS operational failures, previous works examined large-scale DNS logs (DNS queries and responses between Internet users and DNS servers), but the DNS logs cannot offer a comprehensive view of the failures (e.g., errors at domain registrars) and explain the failures at a finer grain. In this paper, we try to assess DNS operational failures from another data source, the supporting forums built by DNS service providers. Specifically, we mined 4 DNS forums and crawled more than 10000 posts and 50000 replies. With a new analysis framework developed by us, we are able to tag the forum posts by different categories (e.g., general concerns, issue locations, and record types), and gain new insights regarding how and why users encounter DNS failures. In the end, we offer suggestions to DNS service providers and users to mitigate DNS operational issues.

computer science, information systems,telecommunications,engineering, electrical & electronic

Hongyu Gao,Vinod Yegneswaran,Jian Jiang,Yan Chen,Phillip Porras,Shalini Ghosh,Haixin Duan

DOI: https://doi.org/10.1109/tnet.2014.2358637

2016-01-01

IEEE/ACM Transactions on Networking

Abstract:The performance and operational characteristics of the Domain Name System (DNS) protocol are of deep interest to the research and network operations community. In this paper, we present measurement results from a unique dataset containing more than 26 billion DNS query-response pairs collected from more than 600 globally distributed recursive DNS resolvers. We use this dataset to reaffirm findings in published work and notice some significant differences that could be attributed both to the evolving nature of DNS traffic and to our differing perspective. For example, we find that although characteristics of DNS traffic vary greatly across networks, the resolvers within an organization tend to exhibit similar behavior. We further find that more than 50% of DNS queries issued to root servers do not return successful answers, and that the primary cause of lookup failures at root servers is malformed queries with invalid top-level domains (TLDs). Furthermore, we propose a novel approach that detects malicious domain groups using temporal correlation in DNS queries. Our approach requires no comprehensive labeled training set, which can be difficult to build in practice. Instead, it uses a known malicious domain as anchor and identifies the set of previously unknown malicious domains that are related to the anchor domain. Experimental results illustrate the viability of this approach, i. e., we attain a true positive rate of more than 96%, and each malicious anchor domain results in a malware domain group with more than 53 previously unknown malicious domains on average.

Jinjin Liang,Jian Jiang,Haixin Duan,Kang Li,Jianping Wu

DOI: https://doi.org/10.1007/978-3-642-36516-4_15

2013-01-01

Abstract:We surveyed the latency of upper DNS hierarchy from 19593 vantage points around the world to investigate the impact of uneven distribution of top level DNS servers on end-user latency. Our findings included: 1) generally top level DNS servers served Internet users efficiently, with median latency 20.26ms for root, 42.64ms for .com/.net, 39.07ms for .org; 2) quality of service was uneven, Europe and North America were the best while Africa and South America were 3 to 6 times worse; 3) most of the root servers performed well in Europe and North America, but only F, J, L roots showed low query latency in other continents; 4) query latency of F and L roots showed that only about 60 resolvers were routed to the nearest anycast instances. We also revealed two problems that lead to constantly large query latency (6s~18s) for resolvers. One was buggy implementation of some resolvers on IPv4/IPv6 dual-stack hosts, the other was misconfigured middle-boxes that filtered large or fragmented DNSSEC packets.

Jian Jiang,Jia Zhang,Hai-Xin Duan,Kang Li,Wu Liu

DOI: https://doi.org/10.1109/ICC.2018.8422602

2018-01-01

Abstract:The Domain Name System (DNS) is a hierarchical distributed system organized through top-down zone delegation. Consequently resolution of a zone depends on its ancestors. However, since the delegation in DNS is designed by name rather than address, the dependency could further extend to other zones. If not configured well, the dependency of a zone could be large and complicated, potentially harmful to its availability and integrity. In this paper, we propose a graph-based model to comprehensively analyze zone dependency in DNS. Our approach classifies zone dependency into four different relations: general dependency, explicit dependency, critical dependency and essential dependency. We also propose an empirical method to quantitatively measure the zone dependencies of given zones. Our survey with over 1 million DNS zones shows that more than 99% of the zones depend on some 3-rd party zone; about 41% of the zones critically rely on more than 2 zones except their ancestors; some TLDs such as.org,.info and .cn tend to have more dependencies than others.

Jian Jiang,Jinjin Liang,Kang Li,Jun Li,Hai-Xin Duan,Jianping Wu

2012-01-01

Abstract:Attackers often use domain names for various malicious purposes such as phishing, botnet command and control, and malware propagation. An obvious strategy for preventing these activities is deleting the malicious domain from the upper level DNS servers. In this paper, we show that this is insufficient. We demonstrate a vulnerability affecting the large majority of popular DNS implementations which allows a malicious domain name to stay resolvable long after it has been removed from the upper level servers. Our experiments with 19,045 open DNS servers show that even one week after a domain name has been revoked and its TTL expired, more than 70% of the servers will still resolve it. Finally, we discuss several strategies to prevent this attack.

Baojun Liu,Chaoyi Lu,Haixin Duan,Ying Liu,Zhou Li,Shuang Hao,Min Yang

DOI: https://doi.org/10.1145/3340301.3341122

2018-01-01

Abstract:DNS is a critical service for almost all Internet applications. DNS queries from end users are handled by recursive DNS servers for scalability. For convenience, Internet Service Providers (ISPs) assign recursive servers for their clients automatically when the clients choose the default network settings. On the other hand, users should also have the flexibility to use their preferred recursive servers, like public DNS servers. Since almost all DNS queries are sent in plain-text, it's possible for on-path devices to intercept DNS queries sent to public resolvers, by spoofing the IP addresses of user-specified DNS servers and surreptitiously responding using alternative resolvers instead. The trust relationship between users and public DNS are thus broken by the hidden interception of the DNS resolution path (which we term as DNS interception). The hidden DNS interception can pose users to privacy and security threats, and we aim to shed light on this behavior in this study. It's challenging to observe DNS interception because we need vantages points distributed across the globe. We solved this problem by recruiting clients from a proxy network and popular security software with a large number of real-world users. In this paper, we performed a large-scale analysis on on-path DNS interception and investigate its scope and characteristics. In practice, we designed a novel approach to detecting DNS interception and deployed a global measurement platform. Considering different transport protocols and various recursive servers, we have gained multi-faceted insights. In particular, using traffic from 148,478 residential and cellular IP addresses, we find that 259 of the 3,047 ASes (8.5%) that we inspect exhibit DNS interception behavior, including large providers, such as China Mobile. Particularly, 27.9% DNS/UDP queries from China to Google Public DNS are intercepted. Moreover, we find that alternative resolvers used by interceptors may use outdated software (which should be deprecated before 2009) and lack security-related functionality, such as handling DNSSEC requests. Our work highlights the issues around on-path DNS interception and provides new insights into its countermeasures. Our research provides a first large-scale study on DNS end-to-end violation. Our work delivers evidence of DNS interception and serves as strong motivation of deploying encrypted DNS (e.g., DNS-over-TLS and DNS-over-HTTPS). After being published, our findings are reported by several well-known media, such as ACM Technews, The Register, and Hackread. This paper is based on: Baojun Liu, Chaoyi Lu, Haixin Duan, Ying Liu, Zhou Li, Shuang Hao, and Min Yang. 2018. Who Is Answering My Queries: Understanding and Characterizing Interception of the DNS Resolution Path. In Proceedings of USENIX Security 2018. USENIX Security Symposium, Baltimore, USA, 16 pages. This work was supported in part by the National Natural Science Foundation of China (U1836213, U1636204) and the BNRist Network and Software Security Research Program (Grant No. BNR2019TD01004).

Qingnan Lai,Changling Zhou,Hao Ma,Zhen Wu,Shiyang Chen

DOI: https://doi.org/10.1016/j.neucom.2014.09.099

IF: 6

2015-01-01

Neurocomputing

Abstract:The Domain Name System (DNS) is a critical Internet service, which translates easily memorized domain names to numerical IP addresses for locating computer resources and services. In this paper, we try to explore the behaviors of DNS lookup by mining DNS logs from three primary DNS servers in a large university campus network in China. Our dataset is made up of two parts, namely DNS query logs and messages received or send by DNS servers. Firstly, through analyzing these DNS query logs, we are able to understand the overall trend of users’ surfing. For dealing with huge DNS dataset, we introduce an algorithm we call DNSReduce, which can be used to dig out top 10 client IP addresses and top 10 destination domain names efficiently. Moreover, we make comparative analysis of lookup behavior between wired and wireless users. Secondly, with messages received or send by DNS servers we can find these DNS servers׳behaviors, i.e., TTLs, equivalent answers and are able to accurately identify domain names with dynamic IP addresses. We provide different and specific visualization techniques for presenting these analysis results and show these techniques are very useful for understanding user behaviors, analyzing security events and characterizing overall tendency in campus network management.

Fenglu Zhang,Yunyi Zhang,Baojun Liu,Eihal Alowaisheq,Lingyun Ying,Xiang Li,Zaifeng Zhang,Ying Liu,Haixin Duan,Min Zhang

DOI: https://doi.org/10.1145/3618257.3624839

2023-01-01

Abstract:Leveraging DNS for covert communications is appealing since most networks allow DNS traffic, especially the ones directed toward renowned DNS hosting services. Unfortunately, most DNS hosting services overlook domain ownership verification, enabling miscreants to host undelegated DNS records of a domain they do not own. Consequently, miscreants can conduct covert communication through such undelegated records for whitelisted domains on reputable hosting providers. In this paper, we shed light on the emerging threat posed by undelegated records and demonstrate their exploitation in the wild. To the best of our knowledge, this security risk has not been studied before. We conducted a comprehensive measurement to reveal the prevalence of the risk. In total, we observed 1,580,925 unique undelegated records that are potentially abused. We further observed that a considerable portion of these records are associated with malicious behaviors. By utilizing threat intelligence and malicious traffic collected by malware sandbox, we extracted malicious IP addresses from 25.41% of these records, spanning 1,369 Tranco top 2K domains and 248 DNS hosting providers, including Cloudflare and Amazon. Furthermore, we discovered that the majority of the identified malicious activities are Trojan-related. Moreover, we conducted case studies on two malware families (Dark.IOT and Specter) that exploit undelegated records to obtain C2 servers, in addition to the masquerading SPF records to conceal SMTP-based covert communication. Also, we provided mitigation options for different entities. As a result of our disclosure, several popular hosting providers have taken action to address this issue.

Xiang Li,Baojun Liu,Xuesong Bai,Mingming Zhang,Qifan Zhang,Zhou Li,Haixin Duan,Qi Li

DOI: https://doi.org/10.14722/ndss.2023.23005

2023-01-01

Abstract:In this paper, we propose PHOENIX DOMAIN, a general and novel attack that allows adversaries to maintain the revoked malicious domain continuously resolvable at scale, which enables an old, mitigated attack, Ghost Domain.PHOENIX DOMAIN has two variations and affects all mainstream DNS software and public DNS resolvers overall because it does not violate any DNS specifications and best security practices.The attack is made possible through systematically "reverse engineer" the cache operations of 8 DNS implementations, and new attack surfaces are revealed in the domain name delegation processes.We select 41 well-known public DNS resolvers and prove that all surveyed DNS services are vulnerable to PHOENIX DOMAIN, including Google Public DNS and Cloudflare DNS.Extensive measurement studies are performed with 210k stable and distributed DNS recursive resolvers, and results show that even after one month from domain name revocation and cache expiration, more than 25% of recursive resolvers can still resolve it.The proposed attack provides an opportunity for adversaries to evade the security practices of malicious domain take-down.We have reported discovered vulnerabilities to all affected vendors and suggested 6 types of mitigation approaches to them.Until now, 7 DNS software providers and 15 resolver vendors, including BIND, Unbound, Google, and Cloudflare, have confirmed the vulnerabilities, and some of them are implementing and publishing mitigation patches according to our suggestions.In addition, 9 CVE numbers have been assigned.The study calls for standardization to address the issue of how to revoke domain names securely and maintain cache consistency.