Question

Question About Domain Name Hijacking Vulnerability

Posted February 1, 2016 3k views
Networking DNS

What stops me from:

  1. Running whois on a list of domain names
  2. Saving those that point to Digital Ocean name servers ex: Name Server: NS1.DIGITALOCEAN.COM Name Server: NS2.DIGITALOCEAN.COM Name Server: NS3.DIGITALOCEAN.COM
  3. Setting up A name entries for all of them on a digital ocean account

If any of them have accounts that have lapsed (or otherwise just haven’t been set up yet) on Digital Ocean they will now point to my server.

This seems like a super easy (and fun!) way to hijack domain names.

in fact, I think this just recently happened to a domain name of mine (not really an issue, but made me wonder how this is possible).

how do i protect against this?

Add a comment
9817ba2ab7d7f87330b14a7c632ed0f81c8bd149
By:
jonah
Add a comment
3 comments
  • vedalken254 February 1, 2016
    Reply Report

    This seems like more a question for DO support versus the community but the main thing is that your domain at the registrar level shouldn’t be pointed at DigitalOcean Name Server until after you have everything set up through the DNS Control Panel for that domain. If the account is suspended for non-payment or something, the account still exists and thus the DNS records and domain zones still exist by proxy. I’m willing to bet DigitalOcean would prevent multiple accounts from registering the same domain on their name servers.

    TL;DR: Never point registrar to DO name servers until you’ve set up the domain on DO’s DNS management panel.

  • jonah February 1, 2016
    Reply Report

    I’m willing to bet DigitalOcean would prevent multiple accounts from registering the same domain on their name servers.

    You’re right. There seems to be a validation on this.

    If I was really driven, then I would just search for domains that were pointed to DO name servers, but returned something like a GoDaddy or Namecheap “parked domain” page. I can bet that those are certainly not set up on DO yet.

    I wonder how many people this affects.

  • vedalken254 February 5, 2016
    Reply Report

    well if they’re pointed at DO name servers, Parked pages don’t exist. Parked pages are only if the DNS is hosted at the registrar and you’d have to be almost robotically fast to detect the shift in Name servers, but that would cause WHOIS record spam filters to trigger.

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

2 answers
jarland February 2, 2016

Hi there!

It’s a great question and I wanted to post some of my answer here. Basically we do prevent other users from adding a domain that you have already added, and that includes subdomains. So for example if you add example.com someone else cannot come along and add subdomain.example.com to their account.

Now if you’ve pointed your domain to our nameservers and haven’t added that domain to your account with us, someone can come along and add that domain to their account and point it to wherever they like. This is absolutely true. This is why I would echo what delrakkin254 said above, never point your domain to a DNS service unless you’ve registered that domain with the service. This is typically true of most (if not all) DNS services, at least all of the ones I’ve personally used. Certainly “Because everyone does it” isn’t a reason to stick with it though, if it becomes a problem we definitely want to address it. We also don’t want to make our DNS system a significant inconvenience for everyone, so there’s a balance to be had.

Of course, if someone is pointing their nameservers to us and they haven’t added the domain to their account, then they find that someone has hijacked the domain, I am very interested in this. Please open a ticket and let us know. Obviously taking advantage of our customers for malicious activity or for personal gain is going to interest us significantly and rest assured that we’ll always be here to review any situation and consider any appropriate resolution.

We always try to take the human approach. If something is bothering our customers we definitely want to know about it. I hope that answers your questions and we’re here if you need anything :)

Kind Regards,
Jarland Donnell

Reply Report
  • vedalken254 February 5, 2016

    Thanks for posting, Jarland! Excellent way of putting it (probably a lot better than my TL;DR could ever be but that’s kinda the point of a TL;DR) and yeah… Forgot to change my community name over to match IRC… I failed. :(

    Reply Report
hphuhtin December 17, 2016

I just stumbled on the same issue. This is quite serious IMO. I can take any domain that is not setup on DigitalOcean’s DNS yet (wether it was mine or not) and publish DNS records for it.

This means that no one should use Digital Ocean’s DNS servers for resolvers. They are ok to use to serve as your own domain’s DNS, but as a resolver they can’t be trusted AT ALL.

It would be so easy to prevent this, too. Just require a proof of domain ownership for domains that already exist in the DNS system, by adding a TXT record with a code given by Digital Ocean.

Reply Report
Submit an Answer

Related

Looking for something else?

Ask a new question Search for more help