Domain Name System (DNS) servers play the critical role of translating human-friendly domain names, like example.com, into computer-friendly IP addresses. When a domain expires or is revoked—especially those used for malicious purposes—we expect it to become inaccessible. However, the discovery of CVE-2022-30257 in Technitium DNS Server up to version 8..2 breaks this assumption in a big way.

In this post, we'll explain CVE-2022-30257 in simple terms: what it is, why it exists, how attackers could abuse it, and why the normal protections don't work. We'll include a code snippet for context, and provide links to original sources.

What is CVE-2022-30257?

CVE-2022-30257 is a vulnerability in Technitium DNS Server (versions through 8..2) that allows an attacker—or even just a normal DNS user—to resolve domain names that should no longer be active. This includes domains that were revoked (e.g., after being used for malware or phishing), expired, or otherwise intentionally taken down.

Instead of showing a "Domain not found" error or similar, the DNS server can keep serving the old IP address of that domain, sometimes for weeks or even longer.

How Does It Work?

The root problem is with *how* the Technitium DNS Server caches DNS records, including negative responses (the "not found" answers).

1. You ask the DNS server for bad-domain.com (which was taken down a week ago).
2. The Technitium DNS Server *already remembers* the last valid answer for bad-domain.com (even though it's outdated).
3. Instead of querying the upstream authoritative servers, or honoring the expiration of the old record, Technitium just gives you *the old answer* it has cached.

This means:
If a domain was previously used for malware, and then revoked, it can still be accessed through the Technitium DNS, because it "remembers" the old mapping—even after upstream DNS records are gone.

Code Snippet: Simplified Caching Flow

Here’s a stripped-down version of how such a problem could occur in code (not the actual Technitium source, but illustrative):

// Hypothetical DNS caching code (illustrative, not the actual Technitium source)
using System.Collections.Generic;

// DNSCache is a Dictionary<string, DNSRecord>
static readonly Dictionary<string, DNSRecord> DNSCache = new Dictionary<string, DNSRecord>();

static DNSRecord Resolve(string requestedDomain)
{
    if (DNSCache.ContainsKey(requestedDomain))
    {
        // PROBLEM: Not checking expiration -- a record whose TTL has long passed
        // (or whose domain no longer exists upstream) is still served from cache
        return DNSCache[requestedDomain];
    }

    // Otherwise, ask authoritative server
    DNSRecord result = QueryUpstream(requestedDomain);

    // Store in cache
    DNSCache[requestedDomain] = result;

    return result;
}

The mistake:
A proper DNS server should check if the cache entry is *fresh*. When a domain expires, or the cache entry's TTL (time-to-live) passes, it should be discarded—or at least checked against the upstream server. Technitium DNS Server through 8..2 does not reliably do this, especially for certain edge cases with negative (or "NXDOMAIN") responses.
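The following is an added simulation of the caching defect just described; it is not Technitium's code. A constructed upstream answers for bad-domain.com until it is revoked, and the TTL-ignoring cache is compared with one that evicts stale entries; the domain, the TEST-NET-3 address and the 300-second TTL are constructed values.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Added illustration (not Technitium's code); time is simulated via explicit 'now' values.
@dataclass
class DNSRecord:
    address: Optional[str]   # None models an NXDOMAIN (negative) answer
    ttl: int                 # seconds the answer may legitimately be cached
    fetched_at: int          # simulated time the record entered the cache

class FakeUpstream:
    """Constructed authoritative side: answers until the domain is revoked."""
    def __init__(self) -> None:
        self.zone: Dict[str, str] = {"bad-domain.com": "203.0.113.10"}  # TEST-NET-3 address

    def take_down(self, name: str) -> None:
        self.zone.pop(name, None)           # registrar revokes the domain

    def query(self, name: str, now: int) -> DNSRecord:
        return DNSRecord(self.zone.get(name), ttl=300, fetched_at=now)

class VulnerableCache:
    """Serves whatever is cached without ever consulting the TTL (the bug pattern)."""
    def __init__(self, upstream: FakeUpstream) -> None:
        self.upstream = upstream
        self.cache: Dict[str, DNSRecord] = {}

    def resolve(self, name: str, now: int) -> Optional[str]:
        if name in self.cache:              # PROBLEM: no freshness check
            return self.cache[name].address
        rec = self.upstream.query(name, now)
        self.cache[name] = rec
        return rec.address

class TTLCache(VulnerableCache):
    """Evicts an entry once its TTL has elapsed, then re-queries upstream."""
    def resolve(self, name: str, now: int) -> Optional[str]:
        rec = self.cache.get(name)
        if rec is not None and now - rec.fetched_at >= rec.ttl:
            del self.cache[name]            # stale: discard and go upstream
        return super().resolve(name, now)

def takedown_scenario(cache_cls) -> tuple:
    """First answer, then the answer two weeks after the upstream takedown."""
    upstream = FakeUpstream()
    cache = cache_cls(upstream)
    before = cache.resolve("bad-domain.com", now=0)
    upstream.take_down("bad-domain.com")
    after = cache.resolve("bad-domain.com", now=14 * 24 * 3600)
    return before, after
```

With the vulnerable cache the revoked domain still resolves to the old address two weeks later, while the TTL-respecting cache goes back upstream and returns the negative answer.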

Persistence of Malicious Domains:

Domains used for malware, botnets, or phishing can be taken down at the top level, but will continue to be reachable through vulnerable Technitium DNS servers.

Bypasses Usual Mitigations:

Existing defenses like "Ghost domain" patches, which try to wipe cached entries, don’t cover this variation (called V1) of unintended domain resolution.

Widespread Impact:

Any network using the vulnerable Technitium DNS server can accidentally help attackers, by making expired or dangerous domains resolvable long after they’ve been killed elsewhere.

Follows Spec (Sort of):

The bug fits within the loose implementation rules of DNS. Technitium’s caching is “allowed” under current DNS de facto specifications and operational practices—which means other DNS servers could have similar issues.

1. Victim visits site, is infected.
2. Security community reports the domain; the registrar revokes it; upstream authoritative DNS entries are removed.
3. Victim (or others) using Technitium DNS Server (<= 8..2) still have the old IP in cache.
4. Attacker re-registers the domain, or waits for cache to empty. But due to this vulnerability, access persists: devices still resolve and contact the server, even after the world believes the domain is gone.
5. Security tools/tracers see ongoing "Zombie" traffic, despite the domain being "dead."

Proof-of-Concept (Pseudo Exploit)

# 1. User sets up Technitium DNS Server with default config
# 2. Query domain that is about to expire
nslookup bad-domain.com <technitium-dns-server-ip>
# ... domain is returned ...

# 3. Upstream authoritative DNS removes bad-domain.com
# 4. Technitium DNS Server still resolves:
nslookup bad-domain.com <technitium-dns-server-ip>
# ... old IP is returned -- weeks later!

References and More Info

- CVE-2022-30257 at NVD
- Technitium DNS Server project
- Security Advisory (Original Report, technitium.com)
- Background on Ghost Domains and Negative Caching
- Understanding DNS TTL and Negative Caching

- Lower your cache lifetimes (TTL) as a stop-gap, though this is not a full solution.

- Monitor for unexpected domain resolutions, especially for expired/malicious domains.
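As an added example of the monitoring suggested above (not part of the original post), this check scans resolver query logs for positive answers to domains served after their revocation date, the "zombie" resolutions a vulnerable cache would produce. The log line format, the client addresses and the takedown list are constructed for the illustration and are not Technitium's real log format.

```python
from datetime import datetime, timezone

# Constructed log lines in a simple "timestamp client domain answer" form
# (assumed for this illustration, not Technitium's actual log format).
SAMPLE_LOG = """\
2022-11-20T10:00:00Z 192.0.2.15 bad-domain.com 203.0.113.10
2022-11-22T09:30:00Z 192.0.2.15 example.com 198.51.100.5
2022-11-28T14:05:00Z 192.0.2.77 bad-domain.com 203.0.113.10
2022-11-28T14:06:00Z 192.0.2.77 bad-domain.com NXDOMAIN
"""

# Constructed takedown list: domain -> time the registrar revoked it.
REVOKED = {"bad-domain.com": datetime(2022, 11, 21, tzinfo=timezone.utc)}

def find_zombie_resolutions(log_text, revoked):
    """Return (time, client, domain, answer) for every positive answer
    served at or after the domain's revocation time; NXDOMAIN answers
    are the correct post-takedown behaviour and are not reported."""
    hits = []
    for line in log_text.splitlines():
        ts, client, domain, answer = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        cutoff = revoked.get(domain.lower())
        if cutoff is not None and when >= cutoff and answer != "NXDOMAIN":
            hits.append((ts, client, domain, answer))
    return hits
```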

Conclusion

CVE-2022-30257 is a prime example of how real-world complexity and loose specifications in DNS can open the door for security loopholes. While simple, it shows how attackers can revive “dead” domains and keep malicious operations alive—even after blacklisting and takedown efforts.

Stay sharp. Monitor your DNS servers. And always keep systems updated, especially when the fix is just a download away.


*This write-up is exclusive, aimed at making a technical but often-overlooked bug in DNS servers accessible to everyone, with practical info and direct links.*

Timeline

Published on: 11/21/2022 22:15:00 UTC
Last modified on: 11/28/2022 18:02:00 UTC