Question About Domain Name Hijacking Vulnerability
What stops me from:
- Running whois on a list of domain names
- Saving those that point to DigitalOcean name servers, e.g.:
  Name Server: NS1.DIGITALOCEAN.COM
  Name Server: NS2.DIGITALOCEAN.COM
  Name Server: NS3.DIGITALOCEAN.COM
- Setting up A record entries for all of them on a DigitalOcean account
If any of them have accounts that have lapsed (or otherwise just haven't been set up yet) on DigitalOcean, they will now point to my server.
This seems like a super easy (and fun!) way to hijack domain names.
In fact, I think this just recently happened to a domain name of mine (not really an issue, but it made me wonder how this is possible).
How do I protect against this?
This seems like more of a question for DO support than for the community, but the main thing is that your domain at the registrar level shouldn't be pointed at the DigitalOcean name servers until after you have everything set up through the DNS control panel for that domain. If the account is suspended for non-payment or something, the account still exists and thus the DNS records and domain zones still exist by proxy. I'm willing to bet DigitalOcean would prevent multiple accounts from registering the same domain on their name servers.
TL;DR: Never point the registrar to DO name servers until you've set up the domain in DO's DNS management panel.
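The question's enumeration (whois, filter on DigitalOcean name servers) and the answer's advice (confirm the zone exists on DO before delegating) are two sides of the same check. The script below, an added example that is not from the original poster or from DigitalOcean, audits your own domains for that gap: it parses the registrar's whois output for Name Server lines, and for every DigitalOcean server it sends a direct SOA query for the zone apex and classifies the reply. The whois text is a constructed sample. It assumes that a name server which does not host a zone answers REFUSED or SERVFAIL (or replies without the AA bit set) rather than an authoritative SOA; that is general DNS behaviour, not something confirmed on this page for DO specifically, so confirm it once with `dig +norecurse SOA yourdomain.example @ns1.digitalocean.com`. Only the stdlib is used, so no DNS library is needed.

```python
import re
import socket
import struct

# Constructed whois output for the demo (not a real registration record).
SAMPLE_WHOIS = """Domain Name: EXAMPLE.COM
Registrar: Example Registrar, LLC
Name Server: NS1.DIGITALOCEAN.COM
Name Server: NS2.DIGITALOCEAN.COM
Name Server: NS3.DIGITALOCEAN.COM
DNSSEC: unsigned
"""

DO_NS_SUFFIX = ".digitalocean.com"
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def parse_whois_nameservers(whois_text):
    """Registrar-level name servers from a whois record: lower-cased, trailing dot stripped, de-duplicated."""
    found = []
    for line in whois_text.splitlines():
        m = re.match(r"\s*Name Server:\s*(\S+)", line, re.IGNORECASE)
        if m:
            ns = m.group(1).lower().rstrip(".")
            if ns not in found:
                found.append(ns)
    return found


def delegated_to_digitalocean(nameservers):
    """True if any delegated server is a DigitalOcean one (a single dangling server is enough to catch traffic)."""
    return any(ns.endswith(DO_NS_SUFFIX) for ns in nameservers)


def build_soa_query(domain, txid=0x1234):
    """Minimal wire-format DNS query for the zone's SOA; RD=0 so an authoritative server answers from its own data."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in domain.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 6, 1)  # QTYPE=SOA, QCLASS=IN


def parse_response_header(resp):
    """Pull the fields that matter out of the 12-byte DNS header: ID, QR, AA, RCODE, ANCOUNT."""
    if len(resp) < 12:
        raise ValueError("truncated DNS response")
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    return {"id": txid, "qr": (flags >> 15) & 1, "aa": (flags >> 10) & 1,
            "rcode": flags & 0xF, "ancount": an}


def classify_delegation(hdr):
    """served: an authoritative SOA came back. not_served: the delegated server has no zone for the name
    (REFUSED, SERVFAIL or a non-authoritative reply), the state someone else could claim. unknown: anything else."""
    if hdr["rcode"] == 0 and hdr["aa"] == 1 and hdr["ancount"] > 0:
        return "served"
    if hdr["rcode"] in (2, 5) or (hdr["rcode"] == 0 and hdr["aa"] == 0):
        return "not_served"
    return "unknown"


def query_soa(ns_host, domain, timeout=3.0):
    """Ask one delegated name server directly (UDP/53) and return its parsed header. Needs network access."""
    q = build_soa_query(domain)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (ns_host, 53))
        resp, _ = s.recvfrom(4096)
    hdr = parse_response_header(resp)
    if hdr["id"] != 0x1234 or hdr["qr"] != 1:
        raise ValueError("reply does not match our query")
    return hdr


def synthetic_response(query, rcode, aa=False, ancount=0):
    """Constructed header-only reply for the offline demo: echoes the query with QR set and the given RCODE/AA."""
    txid = struct.unpack(">H", query[:2])[0]
    flags = 0x8000 | (0x0400 if aa else 0) | (rcode & 0xF)
    return struct.pack(">HHHHHH", txid, flags, 1, ancount, 0, 0) + query[12:]


def audit_domain(domain, whois_text, query=query_soa):
    """Run both checks: is the domain delegated to DO, and does each DO server actually serve the zone?"""
    nss = parse_whois_nameservers(whois_text)
    if not delegated_to_digitalocean(nss):
        return {"delegated_to_do": False, "servers": {}}
    servers = {}
    for ns in nss:
        if ns.endswith(DO_NS_SUFFIX):
            try:
                servers[ns] = classify_delegation(query(ns, domain))
            except (OSError, ValueError) as exc:
                servers[ns] = "error: %s" % exc
    return {"delegated_to_do": True, "servers": servers}


def offline_refused(ns, domain):
    """Stand-in for query_soa used offline: every DO server answers REFUSED, i.e. the zone was never created."""
    return parse_response_header(synthetic_response(build_soa_query(domain), rcode=5))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 2:  # python dangling_ns.py example.com /path/to/whois.txt : live queries
        with open(sys.argv[2]) as fh:
            print(audit_domain(sys.argv[1], fh.read()))
    else:  # no arguments: offline demo on the constructed record
        print(audit_domain("example.com", SAMPLE_WHOIS, query=offline_refused))
```

Any server reported as `not_served` for a domain you own is the exact situation the question describes: the registrar hands queries to DigitalOcean, but no account on DigitalOcean owns the zone, so whoever adds it first answers for your name. Run the audit before you change the delegation at the registrar and again after any billing or account change, and remove the DO name servers from the registrar record (or re-create the zone) as soon as a server stops answering authoritatively.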
You’re right. There seems to be a validation on this.
If I were really driven, I would just search for domains that are pointed at DO name servers but return something like a GoDaddy or Namecheap "parked domain" page. I can bet that those are certainly not set up on DO yet.
I wonder how many people this affects.
Well, if they're pointed at DO name servers, parked pages don't exist. Parked pages only exist if the DNS is hosted at the registrar, and you'd have to be almost robotically fast to detect the shift in name servers, but that would cause WHOIS record spam filters to trigger.