Sitting Ducks Vulnerability for Domain Names

Hi everyone, this article came across my news feed and it was the first time I heard about this kind of vulnerability.

I hope someone who is an expert in this topic could share some insights. Does what's in the article suggest that it is safer to leave the DNS with the registrar (e.g. Name.com) instead of using a third party like CloudFlare? Thank you.

Comments

  • +1

    I think this article probably helps a bit more.

    My understanding is that it could even happen to a domain registrar if they have a hosting offering as well or a pure DNS offering.

    I don't think it can really happen on CloudFlare, but I could be wrong. Personally, I use CloudFlare for all of my DNS. I think even if someone adds your domain to CF, it gives them different NS records to what might be in your account, so there isn't the possibility of that DNS takeover. Whereas other providers, like hosting providers that just have 1 set of NS records for all their service offerings, could be vulnerable.

    That is my understanding, I could be wrong.

  • +3

    Thanks for posting. Learnt something new today. This is crazy that it’s not widely fixed.

    This can only happen if the DNS provider you’re using is vulnerable. There’s a community list and the hows: https://github.com/indianajson/can-i-take-over-dns

    Does what's in the article suggest that it is safer to leave the DNS with the registrar (e.g. Name.com) instead of using a third party like CloudFlare?

    Yes, but what are you hosting? Luckily CloudFlare is not vulnerable.

    The issue normally starts when you delegate the hosting/DNS to another provider and the attacker shares the same nameserver(s) as you.

  • Sittingducks.com domain name is already taken

  • Thanks, I didn't know the vulnerability existed. ChatGPT recommends rotating your domain DNSSEC keys periodically (and updating the DS record with the domain registrar). I've never done that. Will do so.

    • while rotating DNSSEC keys == 1 thing … it is really a band-aid solution … and certainly NOT an all-in-1 approach.
      If you read up on it … the MAIN idea behind that - is due to "possible/potential" breaches through other means/areas.

      Would be looking at other potential holes - access points - as to how ppl can cause havoc.
      ChatGPT == nah.

  • I personally also think that CF can't be more vulnerable than just using the registrar's DNS. I use CF because it gives more features even with the free tier. I think when the A record doesn't resolve to an existing IP (probably old and wasn't updated) it might be vulnerable as well.
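
A lame-delegation check for the condition the comments describe (a domain delegated to nameservers that do not actually serve it), added here as an example and not code from the article or the linked repository; the domain and nameserver names, the constructed response table, and the live query helper (which assumes the dnspython package) are all assumptions.

```python
from typing import Callable, Dict, List, Tuple

# Constructed sample data (not real infrastructure): the nameservers the
# parent zone delegates each domain to, and how each nameserver answers a
# SOA query for that domain as (rcode, authoritative-answer flag).
PARENT_NS: Dict[str, List[str]] = {
    "example.com.": ["ns1.provider.example.", "ns2.provider.example."],
    "shop.example.": ["ns1.provider.example.", "ns2.provider.example."],
    "blog.example.": ["ns1.provider.example.", "ns2.provider.example."],
}
RESPONSES: Dict[Tuple[str, str], Tuple[str, bool]] = {
    ("ns1.provider.example.", "example.com."): ("NOERROR", True),
    ("ns2.provider.example.", "example.com."): ("NOERROR", True),
    ("ns1.provider.example.", "shop.example."): ("REFUSED", False),  # zone not loaded
    ("ns2.provider.example.", "shop.example."): ("REFUSED", False),
    ("ns1.provider.example.", "blog.example."): ("NOERROR", True),
    ("ns2.provider.example.", "blog.example."): ("SERVFAIL", False),
}

def fake_soa_query(ns: str, zone: str) -> Tuple[str, bool]:
    """Stand-in for a live query, answering from the constructed table."""
    return RESPONSES.get((ns, zone), ("SERVFAIL", False))

def live_soa_query(ns: str, zone: str) -> Tuple[str, bool]:
    """Real query (assumes dnspython is installed): resolve the nameserver's
    address, then ask it directly for the zone's SOA."""
    import dns.flags, dns.message, dns.query, dns.rcode, dns.resolver
    ip = dns.resolver.resolve(ns, "A")[0].address
    resp = dns.query.udp(dns.message.make_query(zone, "SOA"), ip, timeout=3)
    return dns.rcode.to_text(resp.rcode()), bool(resp.flags & dns.flags.AA)

def classify_delegation(zone: str, delegated_ns: List[str],
                        soa_query: Callable[[str, str], Tuple[str, bool]]):
    """Return (status, lame_servers). A server is lame for the zone when it does
    not answer NOERROR with AA set: the parent delegates to it, but it does not
    serve the zone. 'lame' = every server, 'partial' = some, 'ok' = none."""
    lame = [ns for ns in delegated_ns if soa_query(ns, zone) != ("NOERROR", True)]
    if not lame:
        return "ok", lame
    return ("lame" if len(lame) == len(delegated_ns) else "partial"), lame

def audit(zones: Dict[str, List[str]], soa_query=fake_soa_query) -> Dict[str, str]:
    """Status per zone. A 'lame' zone at a provider that lets any customer claim
    unclaimed names (see the community list linked above) is the Sitting Ducks
    precondition; 'ok' zones do not have that precondition."""
    return {z: classify_delegation(z, ns, soa_query)[0] for z, ns in zones.items()}

if __name__ == "__main__":
    for zone, status in audit(PARENT_NS).items():
        print(f"{zone:16} {status}")
```

To check your own domains, pass `live_soa_query` as `soa_query` and the NS names your registrar shows for the delegation.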
