Question About Domain Name Hijacking Vulnerability

What stops me from:

  1. Running whois on a list of domain names
  2. Saving those that point to Digital Ocean name servers, ex:
     Name Server: NS1.DIGITALOCEAN.COM
     Name Server: NS2.DIGITALOCEAN.COM
     Name Server: NS3.DIGITALOCEAN.COM
  3. Setting up A name entries for all of them on a digital ocean account

If any of them have accounts that have lapsed (or otherwise just haven’t been set up yet) on Digital Ocean they will now point to my server.

This seems like a super easy (and fun!) way to hijack domain names.

In fact, I think this just recently happened to a domain name of mine (not really an issue, but made me wonder how this is possible).

How do I protect against this?


Hi there!

It’s a great question and I wanted to post some of my answer here. Basically we do prevent other users from adding a domain that you have already added, and that includes subdomains. So for example if you add example.com someone else cannot come along and add subdomain.example.com to their account.

Now if you’ve pointed your domain to our nameservers and haven’t added that domain to your account with us, someone can come along and add that domain to their account and point it to wherever they like. This is absolutely true. This is why I would echo what delrakkin254 said above, never point your domain to a DNS service unless you’ve registered that domain with the service. This is typically true of most (if not all) DNS services, at least all of the ones I’ve personally used. Certainly “Because everyone does it” isn’t a reason to stick with it though, if it becomes a problem we definitely want to address it. We also don’t want to make our DNS system a significant inconvenience for everyone, so there’s a balance to be had.

Of course, if someone is pointing their nameservers to us and they haven’t added the domain to their account, then they find that someone has hijacked the domain, I am very interested in this. Please open a ticket and let us know. Obviously taking advantage of our customers for malicious activity or for personal gain is going to interest us significantly and rest assured that we’ll always be here to review any situation and consider any appropriate resolution.

We always try to take the human approach. If something is bothering our customers we definitely want to know about it. I hope that answers your questions and we’re here if you need anything :)

Kind Regards, Jarland Donnell

This just happened to me, and I’m awaiting DO’s response for assistance. Their other customer, who hijacked my domain, is using it for “cryptocurrency fraud” according to some security company. This really sucks because our intent was to develop a family friendly game. Now, the site will possibly be blacklisted and cost us time and money to rebrand. Since our domain is very tightly tied to the product under development, it goes far beyond just website and name changing. I get it, how they did it, now. And, how we could have avoided it happening. I just wasn’t clever enough I suppose to have foreseen this or more, I hadn’t considered that a customer at a reputable company like DO would do such a nasty, dare I say criminal, thing.

I just stumbled on the same issue. This is quite serious IMO. I can take any domain that is not set up on DigitalOcean’s DNS yet (whether it was mine or not) and publish DNS records for it.

This means that no one should use Digital Ocean’s DNS servers for resolvers. They are ok to use to serve as your own domain’s DNS, but as a resolver they can’t be trusted AT ALL.

It would be so easy to prevent this, too. Just require a proof of domain ownership for domains that already exist in the DNS system, by adding a TXT record with a code given by Digital Ocean.
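
The TXT-record ownership check proposed in the last comment, sketched from the DNS provider's side. This is an added example, not DigitalOcean's code and not from any commenter. The `_zone-claim` label, the `zone-claim=` prefix, the account IDs and the HMAC derivation are assumptions, and it assumes the owner publishes the code at the domain's current DNS host before switching name servers.

```python
import hashlib
import hmac

CHALLENGE_LABEL = "_zone-claim"  # hypothetical label, not a DigitalOcean name
TOKEN_PREFIX = "zone-claim="     # hypothetical TXT value prefix

def normalize(domain: str) -> str:
    """Canonical form, so EXAMPLE.com. and example.com get the same code."""
    return domain.strip().rstrip(".").lower()

def challenge_name(domain: str) -> str:
    """Owner name at which the code must be published as a TXT record."""
    return f"{CHALLENGE_LABEL}.{normalize(domain)}"

def challenge_token(secret: bytes, account_id: str, domain: str) -> str:
    """Code bound to one account and one domain; useless to anyone else."""
    msg = f"{account_id}|{normalize(domain)}".encode()
    return TOKEN_PREFIX + hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]

def may_add_zone(secret, account_id, domain, lookup_txt) -> bool:
    """Allow the zone only if this account's code is visible in public DNS.

    lookup_txt(name) returns the TXT strings for name, or [] when nothing
    resolves; it is injected so the check can be exercised offline.
    """
    expected = challenge_token(secret, account_id, domain).encode()
    for value in lookup_txt(challenge_name(domain)):
        candidate = value.strip().strip('"').encode()
        if hmac.compare_digest(candidate, expected):
            return True
    return False  # fail closed: no record, wrong code, another account's code

# Constructed sample data: the owner (acct-1001) published the code at the
# domain's current DNS host before switching name servers.
SECRET = b"constructed-demo-secret"
RECORDS = {
    "_zone-claim.example.com": [
        '"unrelated-verification=abc123"',
        '"' + challenge_token(SECRET, "acct-1001", "example.com") + '"',
    ],
}

def sample_lookup(name: str) -> list:
    return RECORDS.get(name, [])

if __name__ == "__main__":
    for acct in ("acct-1001", "acct-2002"):
        print(acct, may_add_zone(SECRET, acct, "Example.COM.", sample_lookup))
```

Because the code is derived from both the account ID and the domain, a second account that tries to add the same domain gets a different code and fails the check even though a valid record is published.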