All Your DNS Records Point to Us


### Rating (1--4):
+ 2: Weak Reject -- This paper has good ideas, but would need additional work to be a top-tier paper

### What did this paper do well?

+ The paper has a good measurement scale (Alexa top 10,000; 2700 .edu and 1700 .gov zones over several years) and claims to be the first comprehensive study of dangling DNS records.
+ It reveals the main causes of dangling domains as well as subdomains.

### Where did this paper fall short?

+ As for the cloud attack vector, I do not consider it a true threat because the IP pools are controlled by the cloud provider. In the case of Amazon AWS, it is not a nice thing to lose your elastic IP. However, since the other party has to purchase the same service (adhering to the same usage agreement), it would not be wise for that party to serve something malicious from that IP.
+ Azure's market share is not significantly lower than that of AWS (29.4% vs. 41.5%), so there is definitely something to be improved in the harvested domain name list.
+ Except for some straightforward charts, I do not see any interesting statistics on how dangling records can lead to further security problems. For example, there were no statistics on active cookie stealing or phishing. Dangling records are not new, and I was expecting many new statistics that could help me identify emerging risks this old category of mistakes may cause.

### What did you learn from reading this paper?

+ Three attack vectors for dangling DNS records: (1) physical cloud resources, (2) third-party services, (3) recently expired domains.
+ Dangling CNAME records are the top category (by a large margin).
+ archive.org can be used to confirm dangling DNS records (yet another proof of the need for archive.org).
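Two of the three vectors above can be checked from a zone's own records. As an added example, not code from the paper or from this review, the following Python script audits a zone snapshot: it walks CNAME chains to find targets that no longer resolve (the expired-domain vector) and flags A records inside a leased cloud range that are not in the organisation's current address inventory (the cloud-resource vector). The zone, the resolver answers (`VIEW`), the cloud range and the inventory are all constructed so the script runs offline; a real audit would replace the `VIEW` lookup with live DNS queries and the inventory with the provider's API.

```python
"""Dangling-DNS audit over a zone snapshot (added example, not code from the paper).

Checks two of the three dangling-record vectors from records alone:
  * a CNAME chain whose final target no longer exists (NXDOMAIN), which is
    how an expired domain becomes claimable by a third party;
  * an A record inside an address range leased from a cloud provider that
    is no longer in the organisation's own inventory.
Everything below (zone, resolver answers, ranges, inventory) is constructed
so the script runs offline.
"""
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

Finding = Tuple[str, str, str]  # (owner name, finding type, evidence)

# Constructed zone snapshot as (owner, type, rdata) triples.
ZONE: List[Tuple[str, str, str]] = [
    ("www.example.test.", "A", "192.0.2.10"),
    ("shop.example.test.", "CNAME", "shop-example.cdn-provider.test."),
    ("promo.example.test.", "CNAME", "promo2015-campaign.test."),
    ("legacy.example.test.", "A", "203.0.113.77"),
    ("blog.example.test.", "CNAME", "old-alias.example.test."),
    ("old-alias.example.test.", "CNAME", "gone-hosting.test."),
    ("mail.example.test.", "MX", "10 mx.example.test."),
]

# Constructed external resolver view: name -> answers, or None for NXDOMAIN.
# Names absent from the view are also treated as NXDOMAIN.
VIEW: Dict[str, Optional[List[str]]] = {
    "shop-example.cdn-provider.test.": ["198.51.100.5"],
    "promo2015-campaign.test.": None,
    "gone-hosting.test.": None,
}

# Constructed: the range the organisation leases from its cloud provider,
# and the addresses it currently holds according to its asset inventory.
CLOUD_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
OWNED_IPS = {ipaddress.ip_address("203.0.113.12")}


def follow_cname(owner: str, zone_map: Dict[str, Tuple[str, str]],
                 view: Dict[str, Optional[List[str]]],
                 max_hops: int = 8) -> Tuple[str, str]:
    """Walk a CNAME chain starting at `owner`.

    In-zone hops are taken from `zone_map` (one A or CNAME per owner); the
    first out-of-zone name is looked up in `view`. Returns (last name
    reached, status) with status "resolves", "nxdomain" or "loop"; a chain
    longer than `max_hops` is reported as a loop.
    """
    seen: Set[str] = set()
    name = owner
    while True:
        if name in seen or len(seen) >= max_hops:
            return name, "loop"
        seen.add(name)
        if name in zone_map:
            rtype, rdata = zone_map[name]
            if rtype == "A":
                return name, "resolves"
            name = rdata  # in-zone CNAME: keep walking
            continue
        if view.get(name) is None:
            return name, "nxdomain"  # target domain gone: claimable by others
        return name, "resolves"


def audit(zone: List[Tuple[str, str, str]], view: Dict[str, Optional[List[str]]],
          cloud_ranges, owned_ips) -> List[Finding]:
    """Return one finding per record that looks dangling."""
    zone_map = {o: (t, r) for o, t, r in zone if t in ("A", "CNAME")}
    findings: List[Finding] = []
    for owner, rtype, rdata in zone:
        if rtype == "CNAME":
            target, status = follow_cname(owner, zone_map, view)
            if status != "resolves":
                kind = "dangling-cname" if status == "nxdomain" else "cname-loop"
                findings.append((owner, kind, target))
        elif rtype == "A":
            ip = ipaddress.ip_address(rdata)
            # Cloud address the org used to hold but no longer does.
            if any(ip in net for net in cloud_ranges) and ip not in owned_ips:
                findings.append((owner, "unowned-cloud-ip", rdata))
    return findings


def run_audit() -> List[Finding]:
    """Audit the constructed zone with the constructed view and inventory."""
    return audit(ZONE, VIEW, CLOUD_RANGES, OWNED_IPS)


if __name__ == "__main__":
    for owner, kind, evidence in run_audit():
        print(f"{kind:18} {owner:28} -> {evidence}")
```

The in-zone alias `blog -> old-alias -> gone-hosting.test.` shows why the chain has to be walked rather than checking only the immediate target: both `blog` and `old-alias` are reported, since either could be served by whoever registers the expired target.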

### What questions do you have about the paper or the area?

+ If a domain owner renews the domain contract with the provider on the day the domain expires, how soon will that change be reflected in the WHOIS database?
+ How costly would it be for DNS servers to frequently check the domains they point to (considering that DNS servers deal with a lot of domain names)?
+ How fast can adversaries exploit dangling records for phishing or cookie stealing (based on statistics)?