The DNS Institute

Hijacking registered domains (2024-08)

In June 2024, we were provided the "Sitting Ducks" draft reports from Infoblox and Eclypsium to participate in this research. The premise of the DNS attack is that the registered domain has a different authoritative DNS hosting provider than the domain registrar, the current delegation is lame (the delegated nameserver indicates it doesn't know about the domain), and a third party (the attacker) can set up DNS records for the same domain at that DNS provider without valid ownership. This could result in a complete or partial domain takeover, and even unused domains can be repurposed to impersonate brands and for phishing or other malicious purposes.

Infoblox wrote that multiple threat actors are actively exploiting this attack vector. They initially believed this was due to credential thefts at the authoritative DNS providers. They also evaluated a few dozen DNS providers and found that some were trivially exploitable and that the attack is hard to detect. Eclypsium estimated that there were 200 thousand to 500 thousand exploitable domains and that this has been an issue since at least 2019. For their public reports that came out over a month later, see https://blogs.infoblox.com/threat-intelligence/who-knew-domain-hijacking-is-so-easy/ and https://eclypsium.com/blog/ducks-now-sitting-dns-internet-infrastructure-insecurity/.

These problems are generally due to a lack of tracking of DNS registrations or to misconfigurations. For years, we have researched this extensively and defined multiple new and unique techniques for detecting unmanaged DNS, including dangling DNS records. While our DNS Institute DNS Analyzer is very comprehensive and did find many lame delegations, it didn't specifically or adequately test for this new scenario.

Prior to evaluating one of Infoblox's test scripts, we reviewed previously collected data from millions of domains (in which we had also found many other dangling DNS examples). But we did not find any confirmed examples using the definition from the draft statements: the domain is no longer actively used and the DNS hosting account for the delegated nameservers was cancelled. This implies REFUSED responses from the delegated nameservers. We found multiple partial compromise possibilities and maybe only a couple of possible complete domain takeovers in that early research. The following examples showed misconfigurations and some unlikely compromise paths, but some could lead toward partial or complete takeovers:

A similar situation could be seen with the ns01.trs-dns.com (64.96.1.1) and ns01.trs-dns.net nameservers, which were used by the xn--mgbx4cd0ab TLD. They were not in its parent delegation but were in its own NS set.

There are many lame domains, but their delegations point to authoritative DNS servers that aren't believed to be exploitable (for example, servers configured only for other domains). For this "Sitting Ducks" scenario, you need to know that the provider is exploitable. Eclypsium and Infoblox recommended that the DNS hosting provider verify ownership, such as by requiring a change at the registrar (like a unique NS hostname for the delegation), or not allow the account holder to later change the nameserver hosts.

We extended our test suite to better identify the possibilities by using a list of DNS hosting providers, by name and by IPv4 and IPv6 address, that were known to allow accounts to set up DNS for previously hosted domains or for others' domains. One such list can be supplemented from research at https://github.com/indianajson/can-i-take-over-dns/ ("A list of DNS providers and whether their zones are vulnerable to DNS takeover!"), which began in May 2021. It lists many providers as vulnerable or not vulnerable, but this is only a small percentage of all the authoritative DNS hosting providers.

Our testing list of vulnerable providers contains 223 names and 181 addresses for nameservers that may be exploitable. As a small results example, the following were domains that were REFUSED from at least one nameserver, which may allow DNS takeover: 123domainrenewals.com, 1st-for-domain-names.com, 24x7domains.com, 365marketonline.com, austriadomains.com, austriandomains.com, bidfordomainnames.com, boca15-verio.com, chem.info, chinesedomain.cn, clozapinerems.org, cocosislandsdomains.cc, columbiadomains.net, decentdomains.net, department-of-domains.com, diggitydot.com, discountdomainservices.com, domainbulkregistration.com, domainbusinessnames.com, domaincamping.com, domainhostingweb.us, domaininternetname.com, domainnamebidder.com, domainnamelookup.us, edufire.com, newdentity.com, niuedomains.nu, royalbus.ir, samoandomains.com, tuvaludomains.tv, and unwiredview.com.
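The classification the test suite applies can be written down compactly. The following is an added example written for this article, not code from the DNS Institute DNS Analyzer or from Infoblox's scripts; it assumes a collector has already queried each delegated nameserver for the domain's SOA and recorded the rcode and AA bit, and it uses a constructed stand-in for the known-exploitable provider list and for the registrar's nameserver suffixes.

```python
from dataclasses import dataclass

# Constructed stand-in for a "known exploitable provider" list (the real testing
# list has 223 names and 181 addresses; these hypothetical entries are not from it).
VULNERABLE_NS_NAMES = {"ns1.hostfree.invalid", "ns2.hostfree.invalid"}
VULNERABLE_NS_ADDRS = {"192.0.2.10", "2001:db8::10"}

@dataclass
class NsObservation:
    """One delegated nameserver's answer to a SOA query for the domain under test."""
    name: str          # nameserver hostname as delegated
    addrs: list        # its resolved A/AAAA addresses
    rcode: str         # NOERROR, REFUSED, SERVFAIL, NXDOMAIN, TIMEOUT ...
    aa: bool = False   # authoritative-answer bit set on the response

def _norm(names):
    return {n.lower().rstrip(".") for n in names}

def assess_delegation(parent_ns, child_ns, observations, registrar_ns_suffixes=()):
    """Classify one domain's delegation against the Sitting Ducks criteria.

    parent_ns: NS names in the TLD delegation; child_ns: the zone's own apex NS set
    (empty when no server answered). registrar_ns_suffixes: suffixes of the
    registrar's own nameservers (assumed known to the caller), because the attack
    requires the DNS hosting provider to differ from the registrar.
    """
    parent, child = _norm(parent_ns), _norm(child_ns)
    result = {"mismatch": [], "lame": [], "takeover_candidates": []}
    # Inconsistent NS sets, as with the ns01.trs-dns.com case described above.
    result["mismatch"] += sorted(child - parent)
    if child:
        result["mismatch"] += sorted(parent - child)
    for obs in observations:
        name = obs.name.lower().rstrip(".")
        if obs.rcode == "NOERROR" and obs.aa:
            continue                      # healthy authoritative answer
        result["lame"].append(f"{name}:{obs.rcode}")
        known = name in VULNERABLE_NS_NAMES or bool(set(obs.addrs) & VULNERABLE_NS_ADDRS)
        off_registrar = not any(name.endswith(s.lower()) for s in registrar_ns_suffixes)
        # All three conditions must hold: REFUSED (hosting account gone),
        # a provider known to be exploitable, and hosting not at the registrar.
        if obs.rcode == "REFUSED" and known and off_registrar:
            result["takeover_candidates"].append(name)
    return result

if __name__ == "__main__":
    # Constructed observations for a hypothetical domain; not real measurement data.
    obs = [NsObservation("ns1.hostfree.invalid", ["192.0.2.10"], "REFUSED"),
           NsObservation("ns2.hostfree.invalid", ["192.0.2.11"], "NOERROR", aa=True)]
    print(assess_delegation(["ns1.hostfree.invalid", "ns2.hostfree.invalid"],
                            ["ns1.hostfree.invalid", "ns2.hostfree.invalid"], obs))
```

A lame nameserver that is not on the provider list still lands in the "lame" bucket, which matches the article's point that such domains need other, possibly manual, techniques before they can be called exploitable.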

By using extended techniques with a known potentially-bad nameserver list, it is easy to find many more domains. (Note that none of the initial list of domains above were found in the new test run with the enhanced detection, so their exploit paths, if any exist, would require other, possibly manual, techniques. The test suite did find 1269 anomalies for that short list of domains, though.) Infoblox, using their own tools and techniques, found over 800 thousand domains using just six known exploitable DNS hosting providers.

Contact us for access to our DNS Institute DNS Analyzer or read many of our past articles about types of misconfigurations, including DNS vulnerabilities, we find. DNS Institute performs comprehensive DNS and DNSSEC analysis, security testing, and commercial monitoring of nameservers and domains for S&P Global Top 100 Banks, Fortune 500 companies, national governments, and various TLDs based on IETF RFC specifications and best practices, government requirements, and registry guidelines.
