In 2022, a critical issue was discovered in the MaraDNS Deadwood DNS resolver up to version 3.5.0021. This vulnerability, cataloged as CVE-2022-30256, allows DNS clients to resolve certain domain names long after they have been revoked, expired, or flagged as malicious. This loophole — sometimes called the "Ghost Domain" problem — enables attackers to keep unwanted or dangerous domains resolvable through operational DNS infrastructure even after efforts to take them down.

This post covers what CVE-2022-30256 is in plain language, demonstrates how it’s exploited, and why it’s so hard to fix. We also include a code snippet to highlight where the issue arises, along with key links to patch notes and technical advisories.

What is MaraDNS Deadwood?

MaraDNS is a free, open-source DNS server and recursive resolver. Deadwood is MaraDNS’s lightweight recursive resolver component, known for simplicity and security. Many smaller organizations and embedded systems use Deadwood for providing DNS lookup services.

What is CVE-2022-30256? (Layman-Friendly)

The issue in a nutshell:
If a domain name is removed from the global DNS (example: flagged for malware, or simply expired and not renewed), that name is supposed to become non-resolvable over time. However, Deadwood, through version 3.5.0021, sometimes continues to serve up the old DNS information (A records, CNAMEs, etc.) for far longer than allowed — even after the domain is formally revoked.

Why does it happen?
Deadwood hangs onto cache entries and keeps returning them, even after the “Time-To-Live” (TTL) should have expired and after upstream sources have dropped the domain.

Who does this affect?
Anyone running Deadwood as a DNS resolver for their network — from home routers to business servers.

Set Up or Compromise a Domain:

The attacker registers a domain, or takes over one that is about to expire or face takedown for malicious activity.

Get Deadwood to Cache the Domain:

Either through natural queries (web users visiting) or by spamming requests (e.g., botnets), they ensure many Deadwood servers cache the malicious record.

Pull the Plug:

The domain expires, goes through a takedown process, or is revoked by registrars or TLD operators. According to DNS rules, it should now be “dead”.

Ghost Record Persists:

Deadwood servers continue to answer queries about the revoked domain with cached (now stale) data. This goes on far longer than intended — weeks, months, or more.

Reactivation:

A malicious actor, having retained control of the records, can "resurrect" a harmful website, malware, or phishing operation with virtually no mitigation, since people can still resolve the address using Deadwood-powered infrastructure.

Why Is It Hard to Patch?

The behavior technically conforms to broad DNS caching specifications. DNS servers aren’t required to “forget” about domains when the domain is pulled from delegation or blacklisted; they only monitor the TTLs of cached data. Attackers abuse this tolerance window. Even after some Ghost Domain fixes in other software, Deadwood maintained long-lived caches due to its simplistic design.

Let’s look at a simplified Deadwood snippet to demonstrate the caching logic:

// Simplified cache-handling in Deadwood (illustrative, not the actual source)

#include <time.h>

struct dns_cache_entry {
    char *domain;
    time_t expiration_time; // Calculated from TTL field
    char *data;
};

// Provided elsewhere in the resolver: sends the cached answer to the client
void send_dns_response(const char *data);

// Example check before answering a query
void answer_from_cache(struct dns_cache_entry *entry, time_t current_time) {
    if (current_time < entry->expiration_time) {
        // Still valid by TTL
        send_dns_response(entry->data);
    } else {
        // Should refetch from the authoritative source
        // But if the domain is gone, Deadwood doesn't clear it here
        // Bug: old entry remains in cache!
    }
}

The bug:
Deadwood only checks the TTL expiry but doesn’t purge or invalidate cached entries if the *authoritative* DNS servers drop the domain. Thus, “ghost” domains live on until the cache is cleared manually or the server restarts.
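To make the "tolerance window" from the patching discussion concrete, here is a constructed C simulation added for this post; it is not Deadwood's code and not its actual fix. A naive refresh policy, mirroring the snippet above, lets any refresh push the expiry forward, so a domain whose own nameservers keep re-sending the record never dies; a capped policy bounds the record by the expiry the parent zone granted, which is the generic ghost-domain mitigation. The domain name, the refresh schedule and the parent_granted_until field are assumptions for the example.

```c
/* Constructed simulation of ghost-domain caching (not Deadwood source).
 * The parent zone delegates a domain with a TTL; after the parent revokes it,
 * the attacker's own nameservers keep re-sending the NS record. A naive cache
 * pushes the expiry forward on every refresh; the capped policy bounds the
 * lifetime by the expiry the parent granted, so the domain dies on schedule. */
#include <time.h>

#define DAY 86400L

struct delegation_entry {
    const char *domain;
    time_t expiration_time;      /* TTL-based expiry, as in the snippet above */
    time_t parent_granted_until; /* hard ceiling learned from the parent zone */
};

/* Vulnerable policy: any refresh, even one served by the child's own
 * nameservers, extends the expiry. This is what keeps a ghost domain alive. */
void cache_refresh_naive(struct delegation_entry *e, time_t now, long ttl) {
    e->expiration_time = now + ttl;
}

/* Hardened policy: a child-sourced refresh never extends past the parent's
 * grant; only a fresh answer from the parent would raise the ceiling. */
void cache_refresh_capped(struct delegation_entry *e, time_t now, long ttl) {
    time_t proposed = now + ttl;
    e->expiration_time = proposed < e->parent_granted_until
                         ? proposed : e->parent_granted_until;
}

/* 1 if the cached delegation would still be answered from at time `now`. */
int cache_is_live(const struct delegation_entry *e, time_t now) {
    return now < e->expiration_time;
}

/* The parent delegated at t=0 with a 1-day TTL and revoked right after, so
 * both clocks start at DAY. The attacker then refreshes twice a day. Returns
 * 1 if the domain still resolves after `days` days (capped = 1 for hardened). */
int ghost_survives(int days, int capped) {
    struct delegation_entry e = { "revoked.example", DAY, DAY };
    for (time_t t = DAY / 2; t < (time_t)days * DAY; t += DAY / 2) {
        if (!cache_is_live(&e, t)) break; /* expired: nothing left to refresh */
        if (capped) cache_refresh_capped(&e, t, DAY);
        else        cache_refresh_naive(&e, t, DAY);
    }
    return cache_is_live(&e, (time_t)days * DAY);
}
```

Calling ghost_survives(30, 0) returns 1 (the revoked domain still resolves a month later) while ghost_survives(30, 1) returns 0, because the capped cache let the record expire exactly when the parent's grant ran out.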

Malware Resurrection:

Attackers can keep the command-and-control (C2) domains of malware payloads alive through Deadwood caches.

Wide Reach:

Any network (enterprise, ISP, home) running Deadwood stays vulnerable until its resolver reloads or the vulnerability is patched.

Upgrade Immediately:

Deadwood Patch Info — Versions after 3.5.0021 address the issue.

Don’t Rely on Deadwood for Sensitive Networks:

Consider more feature-rich, security-focused DNS resolvers (e.g., Unbound, BIND) with robust ghost domain mitigations.

References

- NVD: CVE-2022-30256
- MaraDNS Home
- Original Bug Report (Mailing List)
- Technical Advisory on Ghost Domains
- Deadwood ChangeLog

Conclusion

CVE-2022-30256 highlights how DNS — the backbone of web navigation — can still harbor dangerous, subtle flaws, even in simple, trusted software like MaraDNS Deadwood. If you’re running a vulnerable version, upgrade now, clear caches, and stay vigilant. The ghost of revoked and malicious domains is all too real, but with prompt patching, we can put it to rest.

Timeline

Published on: 11/19/2022 00:15:00 UTC
Last modified on: 06/19/2023 13:15:00 UTC