Question

Is Digital Ocean safe against DNS hacks?

Posted October 23, 2014

These three questions may be naive and stemming from my cursory understanding of DNS.

Let’s say I register mydomain.com at a third party registrar and I point it to the Digital Ocean name servers.

Someone finds out about the domain name and the fact that it’s directed to Digital Ocean name servers. Before I had a chance to create an A record pointing to my droplet’s IP address, this person maliciously creates an A record pointing to his own Digital Ocean VPS. It is an unlikely scenario, but am I crazy to say that it would be possible for someone to hijack another person’s brand new domain name this way?

Second question is this. Let’s say I have an existing site running on my droplet. A malicious Digital Ocean customer sets up a duplicate A record pointing to his own IP address. What would happen in this scenario? Do A records work as first-come, first-served?

Third question is this. A Digital Ocean customer sets up an A record for mydomain.com but forgets to set up a CNAME for www.mydomain.com. A malicious user sets up the CNAME pointing to his own IP address. What happens in this case?

2 answers

You should add the domain to your account under “DNS” before pointing your domain to DO’s name servers. All other questions are not applicable; only you can make changes to your domain’s DNS.

I can tell you what happens because this just happened to me and I’m still waiting on DO to respond and help. “A malicious Digital Ocean customer” DID hijack my domain, and they are using it for nefarious purposes (crypto fraud is what the security company says). And I cannot regain control because DO won’t allow me to reconfigure my domain, the crook already has control of it within DO’s systems. I could revise the top-level DNS records, but the damage to brand and reputation is already done, our product is already in development and tightly tied to the domain/product name. Plus, I want DO support to investigate and see what is happening before I make the TLD record changes. This isn’t some careless mistake on the “malicious DO customer’s” part. It is indeed malicious, and once they’ve taken control you’re really at the mercy of DO to do something about it. You could change your top-level records to point to another service provider, but if you’re well entrenched as a DO customer yourself, you’re just stuck till they resolve it.

Woet’s point is correct, but it’s still an easy mistake for a good customer to make, and there needs to be something in place that stops their bad customers from damaging their good customers.
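An added example, not part of the original answers: a check a domain owner can run on the output of `dig +norecurse @<provider-ns> mydomain.com A`, both before changing the delegation at the registrar and afterwards as monitoring, to see whether the provider actually hosts the zone and whether its A records are the expected ones. The function names, status labels and sample outputs are constructed for illustration, and the check assumes that a name server which does not host the zone answers with a non-NOERROR status or without the `aa` flag.

```python
import re

# Constructed sample output of `dig +norecurse @<provider-ns> mydomain.com A`
# (addresses are from documentation ranges, not real data).
SAMPLE_NO_ZONE = """\
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4121
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
SAMPLE_ZONE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5530
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
mydomain.com.\t\t1800\tIN\tA\t203.0.113.10
"""

def parse_dig(text):
    """Extract response status, the authoritative-answer flag and A records."""
    status = re.search(r"status: (\w+)", text)
    flags = re.search(r";; flags: ([a-z ]*);", text)
    a_records = re.findall(r"^\S+\s+\d+\s+IN\s+A\s+(\S+)$", text, re.M)
    return {
        "status": status.group(1) if status else "UNKNOWN",
        "aa": bool(flags) and "aa" in flags.group(1).split(),
        "a": set(a_records),
    }

def classify(dig_text, expected_ips):
    """Classify one name server's answer for a domain you own (hypothetical labels)."""
    r = parse_dig(dig_text)
    # Assumption: no authoritative NOERROR answer means the zone is not hosted,
    # so the domain must not be delegated to this provider yet.
    if r["status"] != "NOERROR" or not r["aa"]:
        return "NO_ZONE"
    if not r["a"]:
        return "ZONE_WITHOUT_A"    # zone exists, A record still to be created
    if not r["a"] <= set(expected_ips):
        return "FOREIGN_RECORDS"   # zone answers with addresses you do not control
    return "OK"

if __name__ == "__main__":
    print(classify(SAMPLE_NO_ZONE, {"203.0.113.10"}))
    print(classify(SAMPLE_ZONE, {"203.0.113.10"}))
```

A `NO_ZONE` result on a domain that is already delegated to the provider is the condition both answers describe; `FOREIGN_RECORDS` is the state the second answer reports.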
