Just $90 Can Take Over .io TLD

July 25, 2017  |  By Yacin Nadji

The .io top-level domain was hijacked by a security researcher because one of its points of delegation -- the domain ns-a1.io -- had recently expired. This allowed anyone with $90 to authoritatively resolve domains under the .io zone. Due to the hierarchical nature of DNS, specific domains are designated at the root servers to manage their sub-tree for reasons of scale. Ownership of this domain allows for partial control of the zone, depending on how the name server is chosen from the possible candidates. The author demonstrates, however, that four of the seven authorities were registrable, which means the majority of requests would be hijacked. Furthermore, tricks can cause the malicious authorities to remain cached for much longer, exacerbating the damage. As of the article's posting, the problem had been remediated.

IISP Analyst Yacin Nadji: "An expired domain retains its residual trust, which in this case included the trust of administering the entire .io zone! Because the DNS is so fundamental to how the internet functions, an expiration can have dire consequences. Ironically, the DNS's resilience would cover up these expirations by instead relying on non-expired name servers to handle the resolutions. This vulnerability was hidden unless you knew precisely where to look.

For companies and individuals that wish to protect themselves, there are some options. First, simply knowing that a domain expiration can cause extreme problems can help. Know what domain names you own and when they expire. If you do not know all of the domains you own, online repositories of WHOIS information or passive DNS information may allow you to search for additional domains that you or your organization own; however, these services often are not free.

Second, techniques exist to identify expired domains or domains that have recently undergone an ownership change. A past paper by Georgia Tech describes a technique for identifying such domain names, and relies on actively collected (read: free for research) data sources. Our internal list of ownership changes has been interesting for research purposes, and we would be interested in exploring uses outside of academia. Feel free to contact me if you or your organization could benefit from such data."
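As an added illustration of the first recommendation above (not code from the article, the analyst, or the Georgia Tech paper), this Python sketch audits the name servers of a delegation you administer against your own inventory of domain expiry dates. The host names, dates, 60-day warning window and the two-label rule for finding a name server's parent domain are all assumptions made for the example.

```python
from datetime import date, timedelta

def registrable(host):
    # Simplification (assumption): treat the last two labels as the registrable
    # domain. A production audit should consult the Public Suffix List instead.
    labels = host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def audit_delegation(ns_hosts, expiry_by_domain, today, warn_days=60):
    """Classify each name server by the state of the domain it lives under."""
    findings = []
    for host in ns_hosts:
        dom = registrable(host)
        expires = expiry_by_domain.get(dom)
        if expires is None:
            status = "unknown"    # not in inventory: ownership must be confirmed
        elif expires < today:
            status = "expired"    # residual trust with no owner behind it
        elif expires - today <= timedelta(days=warn_days):
            status = "expiring"
        else:
            status = "ok"
        findings.append((host, dom, status))
    return findings

def at_risk_share(findings):
    """Fraction of the NS set whose parent domain is expired or unaccounted for."""
    risky = [f for f in findings if f[2] in ("expired", "unknown")]
    return len(risky) / len(findings) if findings else 0.0

# Constructed sample data: NS set of a hypothetical zone and a hypothetical inventory.
SAMPLE_NS = ["ns1.dns-a.example", "ns2.dns-a.example.", "NS1.dns-b.example",
             "ns1.dns-c.example", "ns1.dns-d.example"]
SAMPLE_INVENTORY = {
    "dns-a.example": date(2030, 1, 1),
    "dns-b.example": date(2017, 6, 30),
    "dns-d.example": date(2017, 8, 20),
}
SAMPLE_TODAY = date(2017, 7, 25)

if __name__ == "__main__":
    results = audit_delegation(SAMPLE_NS, SAMPLE_INVENTORY, SAMPLE_TODAY)
    for host, dom, status in results:
        print(f"{status:9} {host} (parent domain: {dom})")
    print(f"share of NS set at risk: {at_risk_share(results):.0%}")
```

Because resolvers fall back to the healthy name servers, an "expired" or "unknown" entry here produces no visible outage, which is why the check has to be run against the inventory rather than inferred from resolution failures.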

