Question About Domain Name Hijacking Vulnerability

February 1, 2016 734 views
Networking DNS

What stops me from:

  1. Running whois on a list of domain names
  2. Saving those that point to Digital Ocean name servers, e.g.:
       Name Server: NS1.DIGITALOCEAN.COM
       Name Server: NS2.DIGITALOCEAN.COM
       Name Server: NS3.DIGITALOCEAN.COM
  3. Setting up A name entries for all of them on a Digital Ocean account

If any of them have accounts that have lapsed (or otherwise just haven't been set up yet) on Digital Ocean they will now point to my server.

This seems like a super easy (and fun!) way to hijack domain names.

In fact, I think this just recently happened to a domain name of mine (not really an issue, but made me wonder how this is possible).

How do I protect against this?

  • This seems like more a question for DO support versus the community but the main thing is that your domain at the registrar level shouldn't be pointed at DigitalOcean Name Server until after you have everything set up through the DNS Control Panel for that domain. If the account is suspended for non-payment or something, the account still exists and thus the DNS records and domain zones still exist by proxy. I'm willing to bet DigitalOcean would prevent multiple accounts from registering the same domain on their name servers.

    TL;DR: Never point registrar to DO name servers until you've set up the domain on DO's DNS management panel.

  • I'm willing to bet DigitalOcean would prevent multiple accounts from registering the same domain on their name servers.

    You're right. There seems to be a validation on this.

    If I was really driven, then I would just search for domains that were pointed to DO name servers, but returned something like a GoDaddy or Namecheap "parked domain" page. I can bet that those are certainly not set up on DO yet.

    I wonder how many people this affects.

  • Well, if they're pointed at DO name servers, parked pages don't exist. Parked pages are only if the DNS is hosted at the registrar, and you'd have to be almost robotically fast to detect the shift in name servers, but that would cause WHOIS record spam filters to trigger.

1 Answer

Hi there!

It's a great question and I wanted to post some of my answer here. Basically we do prevent other users from adding a domain that you have already added, and that includes subdomains. So for example if you add example.com someone else cannot come along and add subdomain.example.com to their account.

Now if you've pointed your domain to our nameservers and haven't added that domain to your account with us, someone can come along and add that domain to their account and point it to wherever they like. This is absolutely true. This is why I would echo what delrakkin254 said above: never point your domain to a DNS service unless you've registered that domain with the service. This is typically true of most (if not all) DNS services, at least all of the ones I've personally used. Certainly "Because everyone does it" isn't a reason to stick with it, though; if it becomes a problem we definitely want to address it. We also don't want to make our DNS system a significant inconvenience for everyone, so there's a balance to be had.

Of course, if someone is pointing their nameservers to us and they haven't added the domain to their account, then they find that someone has hijacked the domain, I am very interested in this. Please open a ticket and let us know. Obviously taking advantage of our customers for malicious activity or for personal gain is going to interest us significantly and rest assured that we'll always be here to review any situation and consider any appropriate resolution.

We always try to take the human approach. If something is bothering our customers we definitely want to know about it. I hope that answers your questions and we're here if you need anything :)

Kind Regards,
Jarland Donnell

  • Thanks for posting, Jarland! Excellent way of putting it (probably a lot better than my TL;DR could ever be but that's kinda the point of a TL;DR) and yeah... Forgot to change my community name over to match IRC... I failed. :(
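
A pre-delegation check that follows from the advice in this thread, as an added example (not code from the thread or from DigitalOcean): before changing name servers at the registrar, ask each provider name server directly whether it answers authoritatively for your own zone. The zone `example.com`, the function names and the sample replies are assumptions constructed for illustration.

```python
import socket
import struct

RCODES = {2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_soa_query(zone, txid=0x1234):
    """Encode a non-recursive SOA query for `zone` (flags 0, so RD is clear)."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = zone.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 6, 1)  # QTYPE=SOA, QCLASS=IN

def classify_response(packet, txid=0x1234):
    """'authoritative' only if the server claims the zone; otherwise say why not."""
    if len(packet) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if rid != txid or not flags & 0x8000:      # wrong ID or QR bit not set
        return "malformed"
    rcode = flags & 0x000F
    if rcode != 0:
        return "lame: " + RCODES.get(rcode, f"rcode {rcode}")
    if flags & 0x0400 and ancount > 0:         # AA bit set and an SOA answer present
        return "authoritative"
    return "lame: no authoritative SOA"

def check_nameserver(zone, ns_host, timeout=3.0):
    """Query one provider name server directly over UDP port 53."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_soa_query(zone), (ns_host, 53))
            return classify_response(s.recv(512))
        except OSError:                        # timeout, unreachable, lookup failure
            return "lame: no response"

def sample_reply(flags, ancount):
    """Constructed 12-byte DNS header, used only to exercise the classifier offline."""
    return struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0)

if __name__ == "__main__":
    # Only switch the registrar's NS records once every line reads "authoritative".
    for ns in ("ns1.digitalocean.com", "ns2.digitalocean.com", "ns3.digitalocean.com"):
        print(ns, check_nameserver("example.com", ns))
```

Running the same check periodically against a domain you already delegate shows whether its zone has disappeared from the provider while the registrar still points there.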
