Four key points about the “sudden” emergence of this vulnerability
– and how to mitigate it.
On July 31st, security journalist Brian Krebs published an article about a DNS vulnerability dubbed “Sitting Duck”, which claimed:
“More than a million domain names — including many registered by Fortune 100 firms and brand protection companies — are vulnerable to takeover by cybercriminals thanks to authentication weaknesses at a number of large web hosting providers and domain registrars, new research finds.”
The research was an Infoblox report titled “Who Knew Domain Hijacking Was So Easy?”
Because this was a DNS story, I was tagged several times on LinkedIn – where a lengthy thread had ensued – as well as via email by readers who thought it was decent material for our #AxisOfEasy tech digest over on the easyDNS side of the shop.
Before long it was posted to Hacker News, replete with a long comment thread that was rife with the Gell-Mann Amnesia Effect.
What exactly is the “Sitting Duck” vulnerability?
It’s basically this:
Somebody registers a domain name, heads over to some third party service that ends up hosting the DNS and sets up their zone on their nameservers.
That could be a web host, a third-party DNS hosting provider, a CDN – anybody who is not the registrar for the domain.
Time passes.
Things change.
Eventually, events don’t work out as planned – the project fizzles, the team is dissolved, the product gets discontinued or the marketing effort ends. The account on that third-party provider gets shut down – either by the client, or by the vendor on service expiry – it doesn’t matter.
The domain, however, remains delegated to that provider’s nameservers – and that’s the “Sitting Duck”.
It means the domain is otherwise live (“live” in the sense that its registration is still current, and may even be prepaid for years into the future), still pointing at those nameservers, with no zone on them to answer whatever residual queries come in. Anybody who figures that out has found a sitting duck.
You can even see via services like Ahrefs or Semrush which domains have pre-existing backlinks, and can get a sense for which ones would still have residual traffic.
So if that provider allows somebody, anybody, to walk in the front door, create an account, and add that very same domain to their new account, they can now create a zone for it using the provider’s DNS management panel and make it do whatever they want:
- Monetize it via PPC
- 301 redirect it to one of their own websites
- Use the link juice to build an affiliate page or funnel
Those are comparatively benign albeit opportunistic uses.
But they could also set up phishing sites that mimic the original brand, distribute malware or otherwise leverage the trust of the actual registrant for nefarious purposes – this is the crux of the Krebs article as well as the Infoblox report.
This is a real issue, but it is something of a misnomer to think of it as a DNS vulnerability per se.
The DNS infrastructure is working exactly as advertised: a nameserver asked about a zone it does not host answers with a refusal or an error, and that is all an attacker is observing. There is no DNS flaw being exploited that enables this.
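To make that concrete, here is what the “working as advertised” behaviour looks like from a registrar- or provider-side monitor. This is an added example, not code from the original post or from easyDNS/Domainsure. It asks each nameserver the domain is delegated to, non-recursively, for the zone’s SOA; a server that has no zone for the name answers REFUSED (or SERVFAIL, or a non-authoritative answer), which is the on-the-wire shape of a sitting duck. The list of delegated nameservers is an input (a registrar already holds it); the domain and server names in the sample data are constructed, and `dig` is assumed to be on PATH for the live probe.

```python
"""Lame-delegation probe: is every nameserver a domain is delegated to lame?"""
import re
import subprocess
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Probe:
    status: str          # rcode as dig prints it: NOERROR, NXDOMAIN, REFUSED, SERVFAIL, or TIMEOUT
    authoritative: bool  # AA flag present in the reply


_STATUS = re.compile(r"status: (\w+)")
_FLAGS = re.compile(r";; flags: ([^;]*);")


def parse_dig(out: str) -> Probe:
    """Pull rcode and AA bit out of dig's header lines."""
    m = _STATUS.search(out)
    if m is None:  # dig prints ";; connection timed out; no servers could be reached"
        return Probe("TIMEOUT", False)
    flags = _FLAGS.search(out)
    return Probe(m.group(1), flags is not None and "aa" in flags.group(1).split())


def dig_probe(domain: str, ns: str, timeout: int = 3) -> Probe:
    """Live probe: one non-recursive SOA query to one nameserver (dig assumed installed)."""
    cmd = ["dig", "+norecurse", "+tries=1", f"+time={timeout}", f"@{ns}", domain, "SOA"]
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout + 2).stdout
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return Probe("TIMEOUT", False)
    return parse_dig(out)


def classify(domain: str, nameservers: List[str], probe: Callable[[str, str], Probe]) -> Dict[str, str]:
    """Verdict per delegated nameserver.

    ok          - authoritative answer: the zone is loaded there
    lame        - reachable, but no zone for the name: REFUSED, SERVFAIL, NXDOMAIN,
                  or NOERROR without the AA bit (an upward referral)
    unreachable - no reply at all
    """
    verdict = {}
    for ns in nameservers:
        p = probe(domain, ns)
        if p.status == "TIMEOUT":
            verdict[ns] = "unreachable"
        elif p.status == "NOERROR" and p.authoritative:
            verdict[ns] = "ok"
        else:
            verdict[ns] = "lame"
    return verdict


def is_sitting_duck(verdict: Dict[str, str]) -> bool:
    """Live registration, live nameservers, no zone anywhere: every server is lame."""
    return bool(verdict) and all(v == "lame" for v in verdict.values())


# Constructed sample replies standing in for the network (not real domains or servers).
_FAKE = {
    ("oldproject.example", "ns1.hosting.example"): Probe("REFUSED", False),
    ("oldproject.example", "ns2.hosting.example"): Probe("REFUSED", False),
    ("live.example", "ns1.hosting.example"): Probe("NOERROR", True),
    ("live.example", "ns2.hosting.example"): Probe("NOERROR", True),
}


def fake_probe(domain: str, ns: str) -> Probe:
    """Offline stand-in for dig_probe, driven by the constructed table above."""
    return _FAKE.get((domain, ns), Probe("TIMEOUT", False))


if __name__ == "__main__":
    ns_set = ["ns1.hosting.example", "ns2.hosting.example"]
    for d in ("oldproject.example", "live.example"):
        v = classify(d, ns_set, fake_probe)
        print(d, v, "SITTING DUCK" if is_sitting_duck(v) else "fine")
```

Swap `fake_probe` for `dig_probe` to run it against real delegations. A mixed result (one server authoritative, another lame) is an out-of-sync delegation worth reporting on its own, but only the all-lame case is the sitting duck; an all-unreachable result means the nameserver hosts themselves are gone, which is a different failure. The probe only says the delegation is lame: whether that is exploitable depends on whether the provider lets an arbitrary account claim the name, which is the onboarding question the post turns to in the mitigation section.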
Here are four key takeaways on the seemingly sudden emergence of “Sitting Duck”:
(…and what you can do about it)
Takeaway #1: This is not new. It has been around a long time
While Krebs mentioned previous instances of this from 2019, this has been reported on even earlier – in 2016 Matthew Bryant reported on this and even earlier, in 2014 I wrote on the same subject from the DNS provider side of the fence over on CircleID – where I outlined how DNS hosts need the ability to “disavow” domain delegations after somebody used one to DDoS various DNS providers in a spate of DNS reflection attacks.
Lame delegations have been around as long as DNS itself has – and this aspect of it does not point to some kind of flaw as much as it does poor management practices.
Takeaway #2: This is not a DNS security vulnerability on the part of DNS operators
We here at easyDNS/Domainsure are both an anycast DNS provider and an enterprise domain registrar, and wearing both hats gives us a unique perspective.
The editorial slant in the Krebs article is decidedly pointed against DNS providers as both facilitating and somehow responsible for the proliferation of “Sitting Ducks” – with multiple references to “exploitable DNS providers”.
Krebs is missing the point: what is exploitable are the domain names not the providers – and what makes domain names exploitable are domain registrants who have lost the plot when it comes to their own portfolio and the registrars who are the only entities that have any control over where those domains point.
A comparable analogy would be blaming GPS navigation systems for drivers who leave their vehicles unlocked with the keys in the ignition – enabling thieves to drive off with other people’s cars and commit all kinds of mayhem with them.
Takeaway #3: Registrars are the entities best placed to preempt this
As alluded above, the only entities who can actually do anything about what nameservers any given domain is delegated to are the registrars.
It was somewhat ironic in some of the online discussions around this issue to see certain self-described “high end”, “exclusive”, “corporate” “brand protection agencies” (read: registrars) lament that they were powerless to do anything about it when their Fortune 500 clients were being exploited in this manner.
They’re the only ones who can truly act – by monitoring their own clients’ nameserver delegations for lame delegations and then either notifying or actively parking those domains somewhere safe. This is something Domainsure does – I’m not sure why other enterprise registrars think this is out-of-scope.
Again, “Sitting Duck” is 100% the responsibility of the domain owner who can either be empowered, or ignored, by their registrars.
Domainsure proactively monitors over 27 specific touchpoints across hundreds of data sources on a given domain, from out-of-sync serial numbers across nameservers, to changes in the nameserver delegation or changes in the open ports on their public facing hostnames – that’s on top of looking for external threats like newly created typosquats, homoglyph attacks and active phishing domains, or issues like being listed in any realtime blacklists (RBL monitoring).
Said differently, had any of the Fortune 100 brands cited in the Krebs article been using Domainsure to manage their portfolio, they would have known about their exposure years ago, either from their analytics or from their account manager, rather than reading about it on LinkedIn or Hacker News.
Takeaway #4: No, there isn’t some kind of obvious in-band validation that fixes this
There were a lot of comments – and at one point Krebs himself suggested this – that this is an easy problem to solve by simply requiring a TXT or CNAME record verification before accepting a DNS zone, “just like the standard practice with SSL certs and numerous other web apps”.
How exactly would that work when it comes to provisioning DNS with the DNS provider?
You would need to publish a DNS record before your DNS provider will publish the DNS record?
How does one effectively mitigate “Sitting Duck”?
It is possible, and relatively easy, for DNS providers to mitigate this and preempt a problem that somebody else created for them.
#1) Providers can monitor their own nameservers for lame delegations and create placeholder entries in their systems to block them from being added arbitrarily, something we’ve been doing for years at easyDNS.
#2) If a domain is already delegated to their nameservers when it’s being onboarded, and it’s not already in a local user account (or a known lame delegation), then force the user adding the domain to update their nameserver delegation with a verification hostname in order to prove their rights over the domain (this was mentioned in the Infoblox report as well).
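The two provider-side measures above, together with the point in Takeaway #4, come down to one decision at the “add domain” step. Here is that gate as an added example; it is not code from the original post or from easyDNS/Domainsure. The names are assumptions: `PROVIDER_NS` is the provider’s own nameserver set, `VERIFY_SUFFIX` a zone the provider controls, `SECRET` a server-side key, and the sample domains and account ids are constructed. The proof of control is carried in the delegation the registrant sets at their registrar, the one thing the claimant can change without the provider publishing anything, which is why a TXT or CNAME check would not have worked here.

```python
"""Onboarding gate: may this account add this domain, or must it first prove control?"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Set

PROVIDER_NS = {"ns1.hosting.example", "ns2.hosting.example"}  # assumed provider nameservers
VERIFY_SUFFIX = "verify.hosting.example"                       # assumed provider-controlled zone
SECRET = b"hypothetical-server-side-secret"                   # assumed; keep out of source in practice


def verification_host(domain: str, account_id: str, secret: bytes = SECRET) -> str:
    """Hostname the claimant must add to the domain's NS delegation at their registrar.

    Keyed per (account, domain) with an HMAC so another account cannot
    pre-compute it and ride on a delegation the real owner set up.
    """
    tag = hmac.new(secret, f"{account_id}|{domain}".encode(), hashlib.sha256).hexdigest()[:16]
    return f"{tag}.{VERIFY_SUFFIX}"


@dataclass
class Decision:
    action: str            # "add", "deny" or "verify"
    reason: str
    verify_host: str = ""  # set when action == "verify"


def _norm(name: str) -> str:
    return name.lower().rstrip(".")


def onboard(domain: str, account_id: str, delegation: Set[str],
            owners: Dict[str, str], placeholders: Set[str]) -> Decision:
    """Decide whether `account_id` may add `domain`.

    delegation   - NS names for the domain as seen at the parent (registry) side
    owners       - provider's own table: domain -> account that currently holds it
    placeholders - domains the provider's lame-delegation sweep has reserved (mitigation #1)
    """
    d = _norm(domain)
    deleg = {_norm(n) for n in delegation}
    owner = owners.get(d)
    if owner == account_id:
        return Decision("add", "already in this account")
    if owner is not None:
        return Decision("deny", "held by another account")
    vh = verification_host(d, account_id)
    if vh in deleg:
        # Proof delivered through the registrar; a placeholder for d can be released here.
        return Decision("add", "verification hostname present in delegation")
    if d in placeholders or deleg & PROVIDER_NS:
        # The sitting-duck case: pointed at us, owned by nobody here. Make them prove it.
        return Decision("verify", "delegated to our nameservers but unclaimed", vh)
    # Not pointed at us: a zone here serves nothing until the registrant delegates to it.
    return Decision("add", "not delegated here")


if __name__ == "__main__":
    ns_set = {"ns1.hosting.example", "ns2.hosting.example"}
    first = onboard("oldproject.example", "acct-2", ns_set, {}, set())
    print(first.action, first.verify_host)
    second = onboard("oldproject.example", "acct-2", ns_set | {first.verify_host}, {}, set())
    print(second.action, second.reason)
```

Read the delegation from the parent zone or the registry, not from whatever the child nameservers currently say about themselves, since the parent is what the registrant controls through their registrar and what an attacker cannot touch. The placeholder set is fed by the same lame-delegation sweep as mitigation #1; routing placeholders through the verify branch, rather than refusing them outright, lets the legitimate registrant reclaim a name the provider had parked.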
But the problem itself is 100% the responsibility of the domain owners, and to varying degrees a function of their registrar, who is the only entity that has any control over it.
Managing all the moving parts of even a single production domain can be unwieldy; add up a portfolio of hundreds or even thousands and the complexity compounds and can easily become overwhelming.
The exigencies of managing these IP assets go beyond simplistic “brand protection” (which is basically registering all the domains in all the TLDs) and enter into the realm of data analytics, cybersecurity, dark-web scanning and dependency monitoring.
August 7, 2024
Mark Jeftovic, founder & CEO, Domainsure Risk Intelligence.
markjr@domainsure.com