What stops me from:
- Running whois on a list of domain names
- Saving those that point to Digital Ocean name servers ex: Name Server: NS1.DIGITALOCEAN.COM Name Server: NS2.DIGITALOCEAN.COM Name Server: NS3.DIGITALOCEAN.COM
- Setting up A name entries for all of them on a digital ocean account
If any of them have accounts that have lapsed (or otherwise just haven’t been set up yet) on Digital Ocean they will now point to my server.
This seems like a super easy (and fun!) way to hijack domain names.
in fact, I think this just recently happened to a domain name of mine (not really an issue, but made me wonder how this is possible).
how do i protect against this?
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
Hi there!
It’s a great question and I wanted to post some of my answer here. Basically we do prevent other users from adding a domain that you have already added, and that includes subdomains. So for example if you add example.com someone else cannot come along and add subdomain.example.com to their account.
Now if you’ve pointed your domain to our nameservers and haven’t added that domain to your account with us, someone can come along and add that domain to their account and point it to wherever they like. This is absolutely true. This is why I would echo what delrakkin254 said above, never point your domain to a DNS service unless you’ve registered that domain with the service. This is typically true of most (if not all) DNS services, at least all of the ones I’ve personally used. Certainly “Because everyone does it” isn’t a reason to stick with it though, if it becomes a problem we definitely want to address it. We also don’t want to make our DNS system a significant inconvenience for everyone, so there’s a balance to be had.
Of course, if someone is pointing their nameservers to us and they haven’t added the domain to their account, then they find that someone has hijacked the domain, I am very interested in this. Please open a ticket and let us know. Obviously taking advantage of our customers for malicious activity or for personal gain is going to interest us significantly and rest assured that we’ll always be here to review any situation and consider any appropriate resolution.
We always try to take the human approach. If something is bothering our customers we definitely want to know about it. I hope that answers your questions and we’re here if you need anything :)
Kind Regards, Jarland Donnell
Hi there!
It’s a great question and I wanted to post some of my answer here. Basically we do prevent other users from adding a domain that you have already added, and that includes subdomains. So for example if you add example.com someone else cannot come along and add subdomain.example.com to their account.
Now if you’ve pointed your domain to our nameservers and haven’t added that domain to your account with us, someone can come along and add that domain to their account and point it to wherever they like. This is absolutely true. This is why I would echo what delrakkin254 said above, never point your domain to a DNS service unless you’ve registered that domain with the service. This is typically true of most (if not all) DNS services, at least all of the ones I’ve personally used. Certainly “Because everyone does it” isn’t a reason to stick with it though, if it becomes a problem we definitely want to address it. We also don’t want to make our DNS system a significant inconvenience for everyone, so there’s a balance to be had.
Of course, if someone is pointing their nameservers to us and they haven’t added the domain to their account, then they find that someone has hijacked the domain, I am very interested in this. Please open a ticket and let us know. Obviously taking advantage of our customers for malicious activity or for personal gain is going to interest us significantly and rest assured that we’ll always be here to review any situation and consider any appropriate resolution.
We always try to take the human approach. If something is bothering our customers we definitely want to know about it. I hope that answers your questions and we’re here if you need anything :)
Kind Regards, Jarland Donnell
This just happened to me, and I’m awaiting DO’s response for assistance. Their other customer, who hijacked my domain is using it for “cryptocurrency fraud” according to some security company. This really sucks because our intent was to develop a family friendly game. Now, the site will possibly be blacklisted and cost us time and money to rebrand. Since our domain is very tightly tied to the product under development, it goes far beyond just website and name changing. I get it, how they did it, now. And, how we could have avoided it happening. I just wasn’t clever enough I suppose to have foreseen this or more, I hadn’t considered that a customer at a reputable company like DO would do such a nasty, dare I say criminal, thing.
I just stumbled on the same issue. This is quite serious IMO. I can take any domain that is not setup on DigitalOcean’s DNS yet (wether it was mine or not) and publish DNS records for it.
This means that no one should use Digital Ocean’s DNS servers for resolvers. They are ok to use to serve as your own domain’s DNS, but as a resolver they can’t be trusted AT ALL.
It would be so easy to prevent this, too. Just require a proof of domain ownership for domains that already exist in the DNS system, by adding a TXT record with a code given by Digital Ocean.
This seems like more a question for DO support versus the community but the main thing is that your domain at the registrar level shouldn’t be pointed at DigitalOcean Name Server until after you have everything set up through the DNS Control Panel for that domain. If the account is suspended for non-payment or something, the account still exists and thus the DNS records and domain zones still exist by proxy. I’m willing to bet DigitalOcean would prevent multiple accounts from registering the same domain on their name servers.
TL;DR: Never point registrar to DO name servers until you’ve set up the domain on DO’s DNS management panel.
well if they’re pointed at DO name servers, Parked pages don’t exist. Parked pages are only if the DNS is hosted at the registrar and you’d have to be almost robotically fast to detect the shift in Name servers, but that would cause WHOIS record spam filters to trigger.
You’re right. There seems to be a validation on this.
If I was really driven, then I would just search for domains that were pointed to DO name servers, but returned something like a GoDaddy or Namecheap “parked domain” page. I can bet that those are certainly not set up on DO yet.
I wonder how many people this affects.