A critical issue has been discovered in MaraDNS Deadwood, a popular open-source DNS server implementation, allowing for unintended domain name resolution. Referred to as variant V1, this vulnerability affects versions up to and including 3.5.0021. Exploiting this vulnerability could enable an attacker to resolve revoked domain names, including domains that have expired or have been taken down for malicious activity, potentially causing widespread and highly impactful damage.

To make matters worse, this exploitation conforms to de facto DNS specifications and operational practices, rendering current mitigation patches for "Ghost" domain names ineffective. In this post, we'll take a closer look at the implications of CVE-2022-30256, provide example code snippets, offer links to original references, and explore the potential impact of the exploit in detail.

Vulnerability Details

The issue with MaraDNS Deadwood arises when a revoked domain name, such as an expired or taken-down malicious domain, continues to be resolvable for an extended period. By exploiting this vulnerability, an attacker could gain unauthorized access to protected resources and potentially cause significant harm.

For example, consider the following code snippet that demonstrates the portion of the MaraDNS Deadwood code that fails to prevent unintended domain name resolution for expired or taken-down domains:

void resolve_domain_name(char *domain) {
    struct dwcache_entry key;
    struct dwcache_entry *lookup_result;

    key = get_key_from_domain(domain);

    lookup_result = dwcache_find_entry_c(key);
    if (lookup_result != NULL) {
        // The domain is found in the cache AND is not expired; perform the resolution!
    } else {
        // The domain is not found in the cache OR has an expired entry; perform a new lookup
    }
}

As the code currently stands, the domain is only checked against the resolver cache (stored in dwcache_entry). If the domain has an unexpired entry in the cache, the resolution is performed; otherwise, a new lookup is performed. This check is not sufficient to prevent the resolution of revoked domain names.
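The gap described above can be made measurable with a small cache audit. The following is an added example, not code from this post or from MaraDNS Deadwood: it models the TTL-only check and reports how long a name has stayed resolvable after its parent zone withdrew the delegation. The structures, function names, and sample data are hypothetical and constructed for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>
#include <time.h>

/* Hypothetical, simplified cache entry; not Deadwood's real structure. */
struct cache_entry { const char *name; time_t expires; };

/* Constructed parent-zone record: when (if ever) the delegation was removed. */
struct parent_view { const char *name; time_t revoked_at; /* 0 = still delegated */ };

/* Constructed sample data: both cache entries are still inside their TTL. */
static const struct cache_entry cache[] = {
    { "example.test.", 5000 }, { "Revoked.Test", 5000 },
};
static const struct parent_view parent[] = {
    { "example.test", 0 }, { "revoked.test.", 1000 },
};
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* DNS names compare case-insensitively; ignore one trailing root dot. */
int dns_name_eq(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b);
    if (la && a[la - 1] == '.') la--;
    if (lb && b[lb - 1] == '.') lb--;
    if (la != lb) return 0;
    for (size_t i = 0; i < la; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* The check described above: a hit needs only an unexpired cache entry. */
int ttl_only_hit(const char *name, time_t now) {
    for (size_t i = 0; i < COUNT(cache); i++)
        if (dns_name_eq(cache[i].name, name) && cache[i].expires > now) return 1;
    return 0;
}

/* Audit: seconds the name has stayed resolvable after the parent revoked it.
   Returns 0 when the name is not served from cache, is still delegated,
   or has no record in the parent view. */
long ghost_seconds(const char *name, time_t now) {
    if (!ttl_only_hit(name, now)) return 0;
    for (size_t i = 0; i < COUNT(parent); i++)
        if (dns_name_eq(parent[i].name, name) && parent[i].revoked_at
            && now >= parent[i].revoked_at)
            return (long)(now - parent[i].revoked_at);
    return 0;
}
```

A non-zero result from ghost_seconds marks a cache entry that passes the TTL-only check even though the parent zone no longer delegates the name, which is the condition a resolver operator would want to alert on.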

For more details on this CVE, you can refer to the following sources:

- MaraDNS Deadwood Repository - The official GitHub repository for MaraDNS, containing the original source code and issue tracker.
- CVE-2022-30256 MITRE Entry - The official CVE entry for this vulnerability, which includes a summary, affected products, and references.
- NIST National Vulnerability Database (NVD) Entry - The NIST NVD entry for this CVE, providing additional information such as CVSS scoring, published and last modified dates, and more.

Exploit Impact

Because of the potential for unauthorized access resulting from unintended domain name resolution, the impact of this exploit could be enormous. Attackers could use the "Ghost" domain name exploit to maintain control over malicious domains even after they've been taken down, perpetuating harmful activities and exposing users' sensitive information.

In addition, as the exploit follows de facto DNS specifications and operational practices, it could readily bypass current mitigation measures. Until a patch is developed that effectively addresses this fundamental issue, MaraDNS Deadwood users may continue to face the risks associated with CVE-2022-30256.


In conclusion, CVE-2022-30256 poses a significant threat to MaraDNS Deadwood users, as it allows for the exploitation of unintended domain name resolution. As a result, attackers could maintain malicious domain names even after they have been revoked, causing widespread and highly impactful damage. Given the serious implications of this vulnerability and its ability to bypass current mitigation measures, updating MaraDNS Deadwood with a proper patch remains a top priority. We encourage the community to stay informed and diligent in their security practices as developers work towards a solution.


Published on: 11/19/2022 00:15:00 UTC
Last modified on: 06/19/2023 13:15:00 UTC