Ghost Domain Reloaded: Vulnerable Links in Domain Name Delegation and Revocation

Abstract

In this paper, we propose Phoenix Domain, a general and novel attack that allows adversaries to keep a revoked malicious domain continuously resolvable at scale, reviving an old, mitigated attack, Ghost Domain. Phoenix Domain has two variations and affects all mainstream DNS software and public DNS resolvers, because it violates neither the DNS specifications nor best security practices. The attack is made possible by systematically reverse engineering the cache operations of 8 DNS implementations, which reveals new attack surfaces in the domain name delegation process. We select 41 well-known public DNS resolvers and demonstrate that all surveyed DNS services are vulnerable to Phoenix Domain, including Google Public DNS and Cloudflare DNS. Extensive measurement studies are performed with 210k stable and distributed DNS recursive resolvers, and the results show that even one month after domain name revocation and cache expiration, more than 25% of recursive resolvers can still resolve the revoked domain. The attack gives adversaries an opportunity to evade the security practice of malicious domain take-down. We have reported the discovered vulnerabilities to all affected vendors and suggested 6 types of mitigation approaches to them. So far, 7 DNS software providers and 15 resolver vendors, including BIND, Unbound, Google, and Cloudflare, have confirmed the vulnerabilities, and some of them are implementing and publishing mitigation patches based on our suggestions. In addition, 9 CVE numbers have been assigned. The study calls for standardization to address how to revoke domain names securely and maintain cache consistency.

Publication
In Proceedings of the 30th Annual Network and Distributed System Security Symposium.
San Diego, CA, USA. Feb 27 - Mar 3, 2023.
(Acceptance rate: 17.4%)

Overview

In this paper, we propose Phoenix Domain, a general and novel attack that allows adversaries to keep a revoked malicious domain continuously resolvable at scale, reviving an old, mitigated attack, Ghost Domain.

Phoenix Domain: https://phoenixdomain.net/

CVEs (9 in total)

  • Knot Resolver: CVE-2022-30250, CVE-2022-30251
  • PowerDNS Recursor: CVE-2022-30252
  • Simple DNS Plus: CVE-2022-30254
  • MaraDNS: CVE-2022-30256
  • Technitium: CVE-2022-30257, CVE-2022-30258
  • Unbound: CVE-2022-30698, CVE-2022-30699
Author

Qifan Zhang
Senior Staff Researcher

Dr. Qifan Zhang (张起帆) is now a Senior Staff Researcher at Palo Alto Networks. His research focuses on safeguarding critical internet infrastructure and addressing emerging threats in networked systems. His work centers on Network Security, with deep expertise in the Domain Name System (DNS)—the backbone of internet communication. By combining protocol analysis, fuzzing techniques, and formal methods, he designs automated tools to uncover high-risk vulnerabilities in DNS implementations and standards.

One of his flagship projects, ResolverFuzz, is a novel testing framework that exposed critical flaws in widely deployed DNS resolvers, including protocol-level security gaps (e.g., cache poisoning) and implementation errors (e.g., memory corruption). These discoveries have directly strengthened cybersecurity practices for the industry, open-source communities, and public infrastructure providers, earning recognition from organizations like CERT/CC and CVE.

Beyond DNS, he also explores the intersection of AI and Security, investigating risks in real-world machine learning deployments. His research, published in ACSAC 2022, demonstrated the first practical model extraction attacks against autonomous vehicle (AV) systems, using gradient-descent-based methods to reverse-engineer proprietary AI models. This work underscores the urgent need for robust defenses in safety-critical AI applications.

Prior to Palo Alto Networks, he earned his Ph.D. in Computer Engineering from the University of California, Irvine, in 2025, advised by Prof. Zhou Li, and his B.Eng. in Computer Science and Technology from ShanghaiTech University in 2020, complemented by a summer session at the University of California, Berkeley, in 2017.

Pronunciation of his name: Chee-Fan Jang.