by mfkp on 8/1/24, 2:00 AM with 91 comments
by Neil44 on 8/1/24, 12:53 PM
by metadat on 8/1/24, 6:05 AM
> There is a frequently updated list published on GitHub called “Can I take over DNS,” which has been documenting exploitability by DNS provider over the past several years.
https://github.com/indianajson/can-i-take-over-dns
Whoa, names like Digital Ocean, Google Cloud, Linode, Hurricane Electric - all classified as fully vulnerable.
by Brajeshwar on 8/1/24, 6:32 AM
by amiga386 on 8/1/24, 3:59 PM
1. I register a domain name -- example.com -- with a registrar like NameCheap. They tell Network Solutions (the .com registry) to add records on my behalf like below, which means the rest of the internet asks NameCheap's nameservers when they want to look up my domain.
example.com. 172800 IN NS ns1.namecheaphosting.com
example.com. 172800 IN NS ns2.namecheaphosting.com
2. For no reason, I ask NameCheap to change those NS records to another company's nameservers, such as Hurricane Electric, which I am NOT a customer of:
example.com. 172800 IN NS ns1.he.net
example.com. 172800 IN NS ns2.he.net
3. Hurricane Electric (HE) are "exploitable"; one of their customers claims to be transferring a domain to HE, example.com (my domain!), HE doesn't verify the actual ownership and they let it happen.
4. Now this HE customer has control over my domain... because I told my registrar to change the NS records to HE's nameservers. Why would I ever do that?
My understanding is this should never happen, I have no reason why I'd want to make such a change. ICANN have a policy on domain transfer between registrars: https://www.icann.org/resources/pages/transfer-policy-2016-0... -- and transferring a domain should only be done with the gaining registrar (HE in my example) putting an explicit request to the losing registrar (NameCheap in my example), and the losing registrar getting to decide yes or no to the transfer.
So... how are there a million or more domains at risk this way? Is it old practises that haven't been corrected? How would this work?
by everfrustrated on 8/1/24, 3:47 PM
The only provider I know who does this correctly is AWS Route 53. Your zone gets assigned 4 unique authoritative servers from a set of namespaced shards. eg ns-2048.awsdns-64.com
Someone else can create a zone for the same domain but it will map to a different shard, so no real-world effect.
Always surprising to me that hardly any providers do it.
by ChrisArchitect on 8/1/24, 2:02 PM
by quicksilver03 on 8/2/24, 7:58 AM
The Route 53 technique of assigning random server names looks a bit like the technique of creating virtual hosts in an nginx server, but it looks like this is a custom AWS implementation and not something that comes out of the box in any DNS server software I know.
by Joeboy on 8/1/24, 8:21 AM
by loopdoend on 8/1/24, 6:54 AM
by octopoc on 8/1/24, 3:09 PM
by 256_ on 8/1/24, 2:26 PM
> DNSMadeEasy founder and senior vice president Steve Job
That name surprised me. I thought it couldn't possibly be real. I looked it up and apparently that's actually his name; presumably no relation to the plural one who ran Apple. Most articles seem to write his first name with an N to make it more believable.
by StuntPope on 8/1/24, 4:50 PM
As I posted on Krebs' article:
This is neither news nor new. There have been prior panics around this “water is wet” type issue going back at least a decade.
(Search up “Floating Domains – Taking Over 20K DigitalOcean Domains via a Lax Domain Import System” – and others).
I also wrote about this on CircleID from the DNS operator’s perspective (“Nameserver Operators Need the Ability to “Disavow” Domains”) – after this same issue was used to DDoS attack another DNS provider by delegating a domain to their DNS servers without having setup an account there, and then doing a DNS reflection attack on that domain. That was over ten years ago.
The fact that people can delegate their own domains to somebody else’s nameservers without ever properly setting up a zone on those nameservers, or ever keeping track of where THEIR OWN DOMAINS point is 100% the responsibility of the domain owner – and to varying degrees a function of their REGISTRAR – who is the only entity that has any control over it.
It’s a weird flex for corporate registrars who purport to be “high touch” and exclusive, to simply shrug their shoulders and turn a blind eye to their own clients’ obviously broken and vulnerable nameserver delegations.
For our part this is specifically one of the things we actively monitor and alert our clients about.
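The kind of delegation check amiga386's walkthrough above motivates and StuntPope's last line describes (monitoring your own domains for NS records pointing at servers that never had the zone set up), written here as an added example, not code from any commenter or provider. It parses NS records in the zone-file form used in the thread, asks each delegated server directly for the zone's SOA with a hand-built UDP query, and flags servers that refuse or answer non-authoritatively; the `FAKE` responses are constructed to mirror the thread's step 2 (zone never created at HE), and treating REFUSED as "no zone loaded" is an assumption about typical authoritative-server behaviour, not a statement about any named provider.

```python
import re
import socket
import struct
NS_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+NS\s+(\S+)", re.I)

def parse_ns_records(zone_text):
    """Pull NS targets out of zone-file style lines like the ones in the thread."""
    hosts = []
    for line in zone_text.splitlines():
        m = NS_RE.match(line.strip())
        if m:
            hosts.append(m.group(2).rstrip(".").lower())
    return hosts

def build_soa_query(domain, txid=0x1234):
    # RD bit left clear: we want the delegated server's own answer, not recursion.
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = domain.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 6, 1)  # QTYPE=SOA, QCLASS=IN
def parse_flags(response):
    """Return (rcode, aa) from the 12-byte DNS header of a raw response."""
    flags = struct.unpack("!H", response[2:4])[0]
    return flags & 0x000F, bool(flags & 0x0400)
def live_probe(server, domain, timeout=3.0):
    """Ask one delegated nameserver directly for the zone's SOA (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_soa_query(domain), (server, 53))
        data, _ = s.recvfrom(512)
    return parse_flags(data)

def audit_delegation(domain, ns_hosts, probe=live_probe):
    """Classify each delegated nameserver; probe(server, domain) -> (rcode, aa)."""
    report = {}
    for ns in ns_hosts:
        rcode, aa = probe(ns, domain)
        if rcode == 0 and aa:
            report[ns] = "authoritative"
        elif rcode == 5:  # REFUSED: assumed to mean no zone loaded, so the delegation dangles
            report[ns] = "dangling (REFUSED)"
        else:
            report[ns] = f"lame (rcode={rcode}, aa={aa})"
    return report

# Constructed responses (not captured traffic) mirroring the thread's step 2: HE has no zone, NameCheap still does.
FAKE = {"ns1.he.net": (5, False), "ns2.he.net": (5, False), "ns1.namecheaphosting.com": (0, True)}
def fake_probe(server, domain): return FAKE[server]
DELEGATION = "example.com. 172800 IN NS ns1.he.net\nexample.com. 172800 IN NS ns2.he.net"
```

Run `audit_delegation("example.com", parse_ns_records(DELEGATION))` with the default `live_probe` to check a real delegation; any entry other than "authoritative" is a delegation to fix or an account to open at that provider before someone else does.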