Researcher Takes Over .IO Domains by Registering Name Servers

A security researcher could have taken over thousands of .IO domains after being able to register four domain names of the top level domain (TLD)’s authoritative name servers.

The incident happened last month, when researcher Matthew Bryant was “graphing out the DNS delegation paths of various TLDs.” During his project, he discovered a name server domain that was available for registration and was able to purchase it.

“.IO” is the country code top level domain (ccTLD) assigned to the British Indian Ocean Territory.

A TLD's authoritative name servers can live at arbitrary domain names, and when one of those names has been misconfigured, allowed to expire, or otherwise left unregistered, it becomes possible to "register a name server domain name and use it to serve new DNS records for the entire TLD zone," the security researcher explains.

For that, one would have to enumerate all name server hostnames for a given TLD and then check for base domains that have expired and are available for registration. In some instances, however, expired domains were not available for purchase even though they were not marked as reserved.

Using this method, the researcher stumbled upon the name server domain ns-a1.io, which appeared as available for the registration price of 90.00 USD. After successfully purchasing it, Bryant attempted to contact the .io TLD to get the issue fixed, but failed.

As a result, he decided to look for other similar name server domains and found ns-a2.io, ns-a3.io, and ns-a4.io domains available for purchase as well. All four domains are listed as authoritative name servers for the .io TLD, and anyone controlling them could potentially “poison/redirect the DNS for all .io domain names registered,” the researcher explains.

Bryant was eventually able to send an email to the appropriate security contact and was informed the next day that the issue was resolved. The researcher verified that he was not able to re-register these domains, showing that the error was remediated.


“Given the fact that we were able to take over four of the seven authoritative name servers for the .io TLD we would be able to poison/redirect the DNS for all .io domain names registered. Not only that, but since we have control over a majority of the name servers it’s actually more likely that clients will randomly select our hijacked name servers over any of the legitimate name servers even before employing tricks like long TTL responses, etc to further tilt the odds in our favor,” the researcher explains.
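The delegation check described above (enumerate a zone's NS hostnames, then confirm each base domain is registered and not about to lapse) and the "majority of name servers" point from the quote, worked through as an added example that is not from the article or from the researcher's tooling. The zone, hostnames and registry data are constructed; the registry lookup is a stand-in for a real RDAP/WHOIS query.

```python
# Added example (not from the article or the researcher's tooling): audit a
# zone's NS delegation for name-server base domains that are unregistered or
# about to expire. Registration data is a constructed stand-in for RDAP/WHOIS.
from datetime import date, timedelta

# Constructed delegation for a fictional zone: seven NS hostnames, mirroring
# the four-of-seven situation in the article (all names are assumptions).
NS_HOSTNAMES = [
    "ns-a1.example", "ns-a2.example", "ns-a3.example", "ns-a4.example",
    "a0.nic.example", "b0.nic.example", "c0.nic.example",
]

# Constructed registry view: base domain -> expiry date; absent = unregistered.
REGISTRY = {"nic.example": date(2030, 1, 1)}

def base_domain(hostname: str) -> str:
    """Registrable base domain, taken as the last two labels. Real zones need
    the Public Suffix List; this simplification is an assumption."""
    return ".".join(hostname.rstrip(".").split(".")[-2:])

def lookup(domain: str):
    """Stand-in for an RDAP/WHOIS query: expiry date, or None if unregistered."""
    return REGISTRY.get(domain)

def audit(ns_hostnames, today: date, warn_days: int = 30) -> dict:
    """Classify each NS base domain as UNREGISTERED, EXPIRING or ok, and flag
    whether at-risk servers form a majority of the delegation (the case the
    researcher describes, where resolvers would mostly pick hijacked servers)."""
    findings = {}
    for host in ns_hostnames:
        expiry = lookup(base_domain(host))
        if expiry is None:
            findings[host] = "UNREGISTERED"   # takeover risk: anyone can register it
        elif expiry - today <= timedelta(days=warn_days):
            findings[host] = "EXPIRING"       # renew before it lapses
        else:
            findings[host] = "ok"
    at_risk = sum(1 for s in findings.values() if s != "ok")
    return {"findings": findings, "at_risk": at_risk, "total": len(findings),
            "majority_at_risk": 2 * at_risk > len(findings)}

if __name__ == "__main__":
    report = audit(NS_HOSTNAMES, date(2017, 7, 1))
    for host, status in report["findings"].items():
        print(f"{host:16} {status}")
    print(f"{report['at_risk']}/{report['total']} at risk, "
          f"majority at risk: {report['majority_at_risk']}")
```

Run against the constructed zone it reports four of seven servers at risk and flags the majority condition; a TLD or zone operator would run the same check against live RDAP data on a schedule.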

He also notes that, because the .io TLD has Domain Name System Security Extensions (DNSSEC) enabled, which adds security by enabling DNS responses to be validated, users should be defended from attackers able to send bad/forged DNS data. However, “DNSSEC support is pretty abysmal and I rarely encounter any support for it unless I specifically set a resolver up that supports it myself,” the researcher also points out.

According to Matt Pounsett, however, while the Backend Registry Operator for the .io TLD clearly made a big mistake by allowing a third party to register the name servers, the issue “definitely does not constitute the catastrophe implied.” He explains that “the name servers for the .io TLD don’t respond with their own NS set in their response,” meaning the attack would not work as suggested.

The issue with the authoritative name servers was that the .io TLD apparently transitioned last month from the operators of the registry to a third party already in charge of the backend for other top-level domains. The third party, Afilias, registered three of the name server domains but left the other four available.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
