Question About Domain Name Hijacking Vulnerability

Posted February 1, 2016

What stops me from:

  1. Running whois on a list of domain names
  2. Saving those that point to Digital Ocean name servers, e.g.:
     Name Server: NS1.DIGITALOCEAN.COM
     Name Server: NS2.DIGITALOCEAN.COM
     Name Server: NS3.DIGITALOCEAN.COM
  3. Setting up A name entries for all of them on a digital ocean account

If any of them have accounts that have lapsed (or otherwise just haven’t been set up yet) on Digital Ocean they will now point to my server.

This seems like a super easy (and fun!) way to hijack domain names.

In fact, I think this just recently happened to a domain name of mine (not really an issue, but made me wonder how this is possible).

How do I protect against this?
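The three steps in the question are exactly the check a domain owner should run against their own inventory before anyone else does. The script below is an added example, not code from the original post or from DigitalOcean: it parses the `Name Server:` lines that `whois` prints (the format quoted in the question), flags domains delegated to the provider, and then asks each delegated nameserver directly for the domain's SOA. A nameserver that hosts the zone answers NOERROR; one that has no zone for the name answers REFUSED (or SERVFAIL), which is the observable signature of a dangling delegation. The whois text and the rcode table are constructed samples so the example runs offline; the domain names and the "REFUSED means no zone" assumption should be confirmed against your own provider with `dig +norecurse @ns1.digitalocean.com yourdomain SOA`.

```python
"""
Audit your own domains for dangling nameserver delegations.

A delegation is "dangling" when the registrar points the domain at a
third-party DNS provider's nameservers but no zone for that domain
exists at the provider. Added example; not DigitalOcean's code.
"""
import re
from typing import Callable, Dict, List

# Nameserver suffix of the provider discussed in the thread.
PROVIDER_NS_SUFFIX = ".digitalocean.com"

# Matches the "Name Server: NS1.DIGITALOCEAN.COM" lines from whois output.
NS_LINE = re.compile(r"^\s*Name Server:\s*(\S+)\s*$", re.IGNORECASE | re.MULTILINE)


def parse_whois_nameservers(whois_text: str) -> List[str]:
    """Return the delegated nameservers from whois output, lower-cased and deduplicated."""
    return sorted({m.lower().rstrip(".") for m in NS_LINE.findall(whois_text)})


def uses_provider(nameservers: List[str], suffix: str = PROVIDER_NS_SUFFIX) -> bool:
    """True if any delegated nameserver belongs to the provider."""
    return any(ns.endswith(suffix) for ns in nameservers)


def classify(domain: str, whois_text: str,
             soa_rcode: Callable[[str, str], str]) -> str:
    """
    Classify one domain's delegation.

    soa_rcode(nameserver, domain) must return the DNS rcode ("NOERROR",
    "REFUSED", "SERVFAIL", ...) obtained by querying that nameserver, with
    recursion disabled, for the domain's SOA record.
    """
    nameservers = parse_whois_nameservers(whois_text)
    if not nameservers:
        return "no-ns"
    if not uses_provider(nameservers):
        return "other-provider"
    rcodes = {soa_rcode(ns, domain) for ns in nameservers}
    if rcodes == {"NOERROR"}:
        return "ok"            # every provider nameserver serves the zone
    if "NOERROR" in rcodes:
        return "inconsistent"  # partial deployment; worth a look
    return "dangling"          # delegated to the provider, but no zone exists there


def audit(domains: List[str], whois_lookup: Callable[[str], str],
          soa_rcode: Callable[[str, str], str]) -> Dict[str, str]:
    """Run classify() over an inventory of domains you control."""
    return {d: classify(d, whois_lookup(d), soa_rcode) for d in domains}


# ---- constructed sample data (stands in for live whois and dig output) ----
DO_NS_BLOCK = (
    "Name Server: NS1.DIGITALOCEAN.COM\n"
    "Name Server: NS2.DIGITALOCEAN.COM\n"
    "Name Server: NS3.DIGITALOCEAN.COM\n"
)
SAMPLE_WHOIS = {
    "live.example": "Domain Name: LIVE.EXAMPLE\n" + DO_NS_BLOCK,
    "dangling.example": "Domain Name: DANGLING.EXAMPLE\n" + DO_NS_BLOCK,
    "elsewhere.example": "Domain Name: ELSEWHERE.EXAMPLE\n"
                         "Name Server: NS1.REGISTRAR-DNS.EXAMPLE\n",
}
# Zone exists at the provider for live.example only.
SAMPLE_RCODES = {
    (f"ns{i}.digitalocean.com", "live.example"): "NOERROR" for i in (1, 2, 3)
}


def sample_soa_rcode(nameserver: str, domain: str) -> str:
    """Constructed stand-in for a non-recursive SOA query against one nameserver."""
    return SAMPLE_RCODES.get((nameserver, domain), "REFUSED")


if __name__ == "__main__":
    for domain, status in audit(list(SAMPLE_WHOIS), SAMPLE_WHOIS.__getitem__,
                                sample_soa_rcode).items():
        print(f"{domain:20} {status}")
```

To run this against real domains, replace `SAMPLE_WHOIS.__getitem__` with a function that shells out to `whois` and `sample_soa_rcode` with one that issues the non-recursive SOA query (for example via dnspython) and returns the rcode. A "dangling" result is the condition the thread describes: fix it by creating the zone at the provider or by pointing the registrar elsewhere until you do.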

  • This seems like more a question for DO support versus the community but the main thing is that your domain at the registrar level shouldn’t be pointed at DigitalOcean Name Server until after you have everything set up through the DNS Control Panel for that domain. If the account is suspended for non-payment or something, the account still exists and thus the DNS records and domain zones still exist by proxy. I’m willing to bet DigitalOcean would prevent multiple accounts from registering the same domain on their name servers.

    TL;DR: Never point registrar to DO name servers until you’ve set up the domain on DO’s DNS management panel.

  • I’m willing to bet DigitalOcean would prevent multiple accounts from registering the same domain on their name servers.

    You’re right. There seems to be a validation on this.

    If I was really driven, then I would just search for domains that were pointed to DO name servers, but returned something like a GoDaddy or Namecheap “parked domain” page. I can bet that those are certainly not set up on DO yet.

    I wonder how many people this affects.

  • Well, if they’re pointed at DO name servers, parked pages don’t exist. Parked pages only exist if the DNS is hosted at the registrar, and you’d have to be almost robotically fast to detect the shift in name servers, but that would cause WHOIS record spam filters to trigger.

3 answers

Hi there!

It’s a great question and I wanted to post some of my answer here. Basically we do prevent other users from adding a domain that you have already added, and that includes subdomains. So for example if you add someone else cannot come along and add to their account.

Now if you’ve pointed your domain to our nameservers and haven’t added that domain to your account with us, someone can come along and add that domain to their account and point it to wherever they like. This is absolutely true. This is why I would echo what delrakkin254 said above, never point your domain to a DNS service unless you’ve registered that domain with the service. This is typically true of most (if not all) DNS services, at least all of the ones I’ve personally used. Certainly “Because everyone does it” isn’t a reason to stick with it though, if it becomes a problem we definitely want to address it. We also don’t want to make our DNS system a significant inconvenience for everyone, so there’s a balance to be had.

Of course, if someone is pointing their nameservers to us and they haven’t added the domain to their account, then they find that someone has hijacked the domain, I am very interested in this. Please open a ticket and let us know. Obviously taking advantage of our customers for malicious activity or for personal gain is going to interest us significantly and rest assured that we’ll always be here to review any situation and consider any appropriate resolution.

We always try to take the human approach. If something is bothering our customers we definitely want to know about it. I hope that answers your questions and we’re here if you need anything :)

Kind Regards,
Jarland Donnell

  • Thanks for posting, Jarland! Excellent way of putting it (probably a lot better than my TL;DR could ever be but that’s kinda the point of a TL;DR) and yeah… Forgot to change my community name over to match IRC… I failed. :(

  • Hi Jarland.

    Seems this is still an issue a few years on.
    I just raised a ticket about literally this issue - (ticket #03506506)

    Timeline -
    I was emailed by Netcraft last week about one of our domains hosting malware. Given that we weren’t hosting it at the time, I was like, whaaaaat.

    We default our DNS to DO servers, as we typically add here once we’re ready to go live.
    Guess I need to stop doing that!

    It’s an interesting exploit. Find a domain that’s not currently hosted, but is pointed at you, and create DNS for it. I wouldn’t have thought it would have been worth it, but obviously it is.

    To be honest, I was more impressed that this was a thing, than annoyed one of our domains had been abused.

    Would be nice if I could get some feedback about you finding / nuking the bad actor, as they would have a login at DO in order to set up DNS in the first place, but that’s up to you.

    Good hunting!

  • Hi, Jarland. I did find out someone hijacked my domain, and just opened up a ticket about this issue.

I just stumbled on the same issue. This is quite serious IMO. I can take any domain that is not set up on DigitalOcean’s DNS yet (whether it was mine or not) and publish DNS records for it.

This means that no one should use Digital Ocean’s DNS servers for resolvers. They are ok to use to serve as your own domain’s DNS, but as a resolver they can’t be trusted AT ALL.

It would be so easy to prevent this, too. Just require a proof of domain ownership for domains that already exist in the DNS system, by adding a TXT record with a code given by Digital Ocean.
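The TXT-record proof of ownership suggested in this answer, worked through as an added example (not DigitalOcean's actual mechanism, and not code from the original post). The provider binds a challenge token to both the domain and the requesting account with an HMAC, the owner publishes that token in a TXT record under a verification label, and zone creation is refused until the record is seen. The label `_dns-ownership-verify`, the account ids, and the TXT lookup function are all hypothetical; a real deployment would persist the server secret and query the domain's currently authoritative nameservers.

```python
"""
Provider-side "prove you own the domain before you can host its zone" gate,
using a TXT-record challenge. Added example; not DigitalOcean's code.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List

# Hypothetical verification label; a real provider would document its own.
VERIFY_LABEL = "_dns-ownership-verify"

# Generated at startup here; in production this is persisted and rotated.
SERVER_SECRET = secrets.token_bytes(32)


def _normalize(domain: str) -> str:
    return domain.lower().rstrip(".")


def issue_challenge(domain: str, account_id: str, secret: bytes = SERVER_SECRET) -> str:
    """
    Token the owner must publish. Binding it to the account means a token
    issued to one account cannot be replayed by another.
    """
    msg = f"{account_id}\x00{_normalize(domain)}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]


def txt_record_name(domain: str) -> str:
    """Owner-name of the TXT record the provider will look for."""
    return f"{VERIFY_LABEL}.{_normalize(domain)}"


def verify_ownership(domain: str, account_id: str,
                     txt_lookup: Callable[[str], List[str]],
                     secret: bytes = SERVER_SECRET) -> bool:
    """
    True if a TXT record at txt_record_name(domain) carries the expected
    token. txt_lookup(name) returns the TXT strings found (possibly quoted).
    """
    expected = issue_challenge(domain, account_id, secret)
    for value in txt_lookup(txt_record_name(domain)):
        candidate = value.strip().strip('"')
        if hmac.compare_digest(candidate, expected):   # constant-time compare
            return True
    return False


def add_zone(domain: str, account_id: str, zones: Dict[str, str],
             txt_lookup: Callable[[str], List[str]]) -> bool:
    """
    Gate for creating a zone. Two checks:
      1. the zone is not already claimed by another account (the check the
         thread says the provider already performs);
      2. the requesting account has proved control via the TXT challenge.
    Returns True if the zone was created.
    """
    d = _normalize(domain)
    if d in zones:
        return False
    if not verify_ownership(d, account_id, txt_lookup):
        return False
    zones[d] = account_id
    return True


# ---- constructed demo: an in-memory "DNS" holding the owner's TXT record ----
def make_fake_txt_lookup(records: Dict[str, List[str]]) -> Callable[[str], List[str]]:
    return lambda name: records.get(_normalize(name), [])


if __name__ == "__main__":
    zones: Dict[str, str] = {}
    owner_token = issue_challenge("example.com", "acct-owner")
    dns = make_fake_txt_lookup({txt_record_name("example.com"): [f'"{owner_token}"']})
    print("owner creates zone:", add_zone("example.com", "acct-owner", zones, dns))
    print("other account retries:", add_zone("example.com", "acct-other", zones, dns))
```

One caveat a practitioner should keep in mind: the check only works if the challenge record is served by whichever nameservers are authoritative for the domain at verification time. For a domain already delegated to the provider's shared nameservers with no zone present, there is nowhere to publish the record, so the owner would have to add it at the registrar's DNS before switching nameservers, or the provider would need a different proof (for example, per-account nameserver sets, as some other DNS hosts use).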

This just happened to me, and I’m awaiting DO’s response for assistance. Their other customer, who hijacked my domain is using it for “cryptocurrency fraud” according to some security company. This really sucks because our intent was to develop a family friendly game. Now, the site will possibly be blacklisted and cost us time and money to rebrand. Since our domain is very tightly tied to the product under development, it goes far beyond just website and name changing. I get it, how they did it, now. And, how we could have avoided it happening. I just wasn’t clever enough I suppose to have foreseen this or more, I hadn’t considered that a customer at a reputable company like DO would do such a nasty, dare I say criminal, thing.