CVE-2022-30256 in MaraDNS Deadwoodinfo

Summary

by MITRE • 11/19/2022

An issue was discovered in MaraDNS Deadwood through 3.5.0021 that allows variant V1 of unintended domain name resolution. A revoked domain name can still be resolvable for a long time, including expired domains and taken-down malicious domains. The effects of an exploit would be widespread and highly impactful, because the exploitation conforms to de facto DNS specifications and operational practices, and overcomes current mitigation patches for "Ghost" domain names.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 05/29/2026

The vulnerability CVE-2022-30256 affects MaraDNS Deadwood versions through 3.5.0021 and represents a critical flaw in domain name resolution behavior that undermines fundamental security assumptions. This issue manifests as variant V1 of unintended domain name resolution, where revoked domains maintain resolvability for extended periods despite being expired or taken down. The flaw exploits the inherent design of DNS resolution mechanisms, allowing attackers to leverage previously valid domain names that should no longer be accessible through normal operational procedures. The vulnerability operates within the established DNS protocol framework, making it particularly insidious as it conforms to de facto specifications rather than introducing novel attack vectors. This characteristic means that existing security controls and mitigation strategies designed to address similar "Ghost" domain name issues prove ineffective against this specific implementation flaw.

The technical implementation of this vulnerability stems from how Deadwood handles domain name resolution caching and validation processes. When domain names are revoked through expiration or administrative removal, the system continues to serve cached responses for these domains without proper validation of their current status. This behavior creates a window of opportunity where malicious actors can continue to use compromised or removed domains for nefarious purposes, including phishing attacks, command and control communications, or other malicious activities that rely on domain name persistence. The extended timeframe during which these revoked domains remain resolvable creates a significant operational risk, as security teams may not immediately detect that previously compromised domains are still accessible through affected DNS servers.

The operational impact of CVE-2022-30256 extends far beyond simple domain resolution failures, as it fundamentally compromises the integrity of DNS-based security controls. Organizations relying on DNS filtering, threat intelligence feeds, or domain-based access controls face significant challenges when revoked domains continue to resolve through affected systems. This vulnerability undermines the effectiveness of security measures designed to prevent access to malicious domains, creating potential entry points for attackers who can leverage these persistent domain names for various cyber operations. The widespread nature of DNS infrastructure means that a single vulnerable Deadwood installation can affect numerous downstream systems and users, potentially allowing attackers to maintain persistent access through previously revoked domain names. This flaw particularly impacts organizations with robust security postures that depend on timely domain revocation and removal from DNS resolution systems.

Mitigation strategies for CVE-2022-30256 require immediate attention to update affected Deadwood installations to versions that address this specific domain resolution behavior. Organizations should implement comprehensive monitoring of their DNS resolution systems to detect unusual patterns in revoked domain access and establish automated alerts for persistent resolution of known compromised domains. The fix addresses the core caching and validation mechanisms that allow expired or revoked domains to remain resolvable, ensuring that proper status checks occur before serving DNS responses. Security teams should also review their existing DNS security configurations and implement additional validation layers that can detect and prevent resolution of domains that should no longer be accessible. This vulnerability highlights the importance of proper domain lifecycle management and the need for DNS servers to implement robust validation processes that align with established security standards and best practices. The issue demonstrates how seemingly minor implementation details in DNS resolution can create significant security gaps that require careful attention and systematic remediation approaches.

Reservation

05/04/2022

Disclosure

11/19/2022

Moderation

accepted

CPE

ready

EPSS

0.00890

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!