Don't Be a Sitting Duck to Domain Hijacking

This blog was updated on August 13th to correct the inaccurate use of the term “a new attack”.


Infoblox and Eclypsium recently posted about a domain hijacking attack they nicknamed "Sitting Ducks," which has affected over 35,000 domains since 2018. This attack is being performed by exploiting how some DNS service providers verify domain ownership (if they do at all), allowing the attackers to take control of DNS domains owned by others for nefarious purposes.

How Does Sitting Ducks Work?

Imagine you register your domain, dnsinsecurity.com, with registrar A and host your DNS records with provider B. If you forget to renew your services with provider B, your domain could become vulnerable. If provider B does not validate domain ownership, attackers can then register an account with provider B, claim your domain, and set up their own DNS records, pointing your domain to their malicious servers.

Nothing New Under the Sun

While the Sitting Ducks attack is new, domain hijacking itself isn't. The DNS security community has been aware of this threat for decades. For example, Matthew Bryant, in his 2016 blog article “The Orphaned Internet,” pointed out the same underlying problem with certain cloud infrastructure and hosting providers. What's concerning is that Sitting Ducks exploits shortcomings in some DNS providers’ security practices (or the lack thereof) that still exist today, particularly around domain ownership verification.

Lax Security is a Problem

Some DNS providers have weak or nonexistent verification processes when it comes to domain ownership. As long as someone pays, they can set up DNS records for any domain, regardless of whether they actually own it. This is a major process flaw that needs to be addressed.

One provider pointed out, "If you're going to buy [a domain name] and point it somewhere you have no control over, we can't prevent that." That is a true statement, but that doesn’t mean providers shouldn’t try to put some measures into place to prevent this from happening.

The Chicken and Egg Problem of Domain Verification

Verifying domain ownership is tricky, especially for new domains. The traditional method of adding a TXT record to your DNS data to prove ownership doesn't work if your domain isn't resolvable yet. This creates a "chicken and egg" problem, where you need to prove ownership to set up DNS records, but you can't prove ownership without those records.

A Possible (Long Term) Solution: EPP

One potential solution is to leverage the Extensible Provisioning Protocol (EPP). While primarily designed for communication between domain registries and registrars, EPP could be extended to allow DNS providers to query domain ownership directly from registrars. This would add an extra layer of security and help prevent unauthorized domain takeovers.

The True Solution

Ultimately, the true fix for this threat is for domain owners to stay on top of their domain configuration with the registrar. If the domain is properly managed at the registrar by the domain owner, this risk is eliminated. However, that isn’t the end of the story. Securing the Internet is a team sport, after all.

What You Can Do Now

While we wait for enhanced security features from providers and registrars, you, the domain owner, can take proactive steps to protect yourself from becoming a Sitting Duck to domain hijacking. The first step, and it might sound boring, is to simply know what you have. Create a comprehensive inventory of all the domains you're responsible for. This might seem tedious, especially for larger organizations, but it's a crucial first step in identifying vulnerabilities and ensuring your domains are secure. Sometimes, the most effective solution is also the most plain and boring.
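Once you have that inventory, the check that matters for Sitting Ducks is whether every nameserver your domain is delegated to still answers authoritatively for it. The script below is an added example, not code from the original post: `classify()` is a pure function over constructed probe results (the `provider-b.example` hostnames are made up), and `probe_live()` assumes the dnspython library is installed for real lookups.

```python
"""Lame-delegation check for a domain inventory (added example, not from the
post). A domain is a Sitting Ducks candidate when the nameservers it is
delegated to no longer answer authoritatively for it, e.g. because the
account at "provider B" lapsed. classify() is pure and runs offline;
probe_live() assumes dnspython (import dns) is available."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class NsProbe:
    ns: str        # nameserver hostname the domain is delegated to
    rcode: str     # response code when that NS is asked for the zone's SOA
    aa: bool       # Authoritative Answer flag set in that response


def classify(domain: str, probes: list[NsProbe]) -> tuple[str, list[str]]:
    """Return (status, lame_nameservers) for one domain.
    OK: every delegated NS answers authoritatively.
    LAME_PARTIAL: some do not; the zone is degraded and should be fixed.
    LAME_ALL: none do; this is the Sitting Ducks precondition."""
    if not probes:
        return "NO_DELEGATION", []
    # A server hosting the zone answers the apex SOA with NOERROR and AA set.
    # REFUSED is the classic signature of a provider that no longer serves it.
    lame = [p.ns for p in probes if not (p.rcode == "NOERROR" and p.aa)]
    if len(lame) == len(probes):
        return "LAME_ALL", lame
    return ("LAME_PARTIAL" if lame else "OK"), lame


def probe_live(domain: str, timeout: float = 3.0) -> list[NsProbe]:
    """Ask each delegated nameserver directly (recursion off) for the apex SOA.
    Assumption: the NS set is taken from your recursive resolver; if that
    lookup itself fails, treat it as no usable delegation and check the parent."""
    import dns.flags, dns.message, dns.query, dns.rcode, dns.resolver
    try:
        ns_names = [rr.target.to_text() for rr in dns.resolver.resolve(domain, "NS")]
    except dns.exception.DNSException:
        return []
    probes = []
    for ns in ns_names:
        q = dns.message.make_query(domain, "SOA")
        q.flags &= ~dns.flags.RD          # non-recursive: we want the NS's own view
        try:
            ip = dns.resolver.resolve(ns, "A")[0].to_text()
            r = dns.query.udp(q, ip, timeout=timeout)
            probes.append(NsProbe(ns, dns.rcode.to_text(r.rcode()), bool(r.flags & dns.flags.AA)))
        except dns.exception.DNSException:  # timeout, unresolvable NS, etc.
            probes.append(NsProbe(ns, "TIMEOUT", False))
    return probes


if __name__ == "__main__":
    # Constructed probe results, not real data; hostnames are placeholders.
    sample = {"dnsinsecurity.com": [NsProbe("ns1.provider-b.example", "REFUSED", False),
                                    NsProbe("ns2.provider-b.example", "REFUSED", False)],
              "healthy.example": [NsProbe("ns1.healthy.example", "NOERROR", True)]}
    for d, p in sample.items():
        print(d, *classify(d, p))
```

Run `classify(d, probe_live(d))` over every domain in your inventory and treat any LAME_ALL result as urgent: either restore the zone at the provider or change the delegation at the registrar.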

Check Your Knowledge!

Ready to test your DNS security knowledge? In my book, The Hidden Potential of DNS in Security, my co-author Ross and I detail five categories of domain hijacking. Can you identify which category "Sitting Ducks" falls under?

  1. Infrastructure Compromise - Registrar: Attacker can tell the world who my authoritative DNS server is

  2. Infrastructure Compromise - Hosted DNS Data: Attacker can change any of my DNS records

  3. Expired Domains: I forgot to review my domain and now an attacker can register it instead

  4. Record Abandonment - CNAME: Attacker enjoys residual reputation of my domain name

  5. Record Abandonment - IP Address: Attacker enjoys residual reputation of the IP address associated with my domain name

(The answer is 2, in case you’re wondering)
