Is this a DNS security hole?

Joern Heissler joern at heissler.de
Fri Apr 30 20:47:45 UTC 2004


On Fri, Apr 30, 2004 at 05:59:23PM +0000, Ivan Yonge wrote:
> First of all, I am not an expert in DNS... that's why I am here to ask for
> help. Don't laugh at me if I am wrong.
> 
> I have tested this with my domain; this seems like a security hole to me. My
> domain is registered with Register.com.
> 
> 1. Go to Register.com, log in to my account (say "mycompany.com", doesn't
> matter)
> 2. Add a new DNS entry
> 3. They will ask for HOST NAME and IP ADDRESS (they used to ask for HOST name
> only, not IP).
> 4. Type host="testing.victim.com" (the host of the victim)
> 5. Type ip="24.102.80.12" (the IP address I want to point to, I just made
> it up)
> 6. Submit
> 7. After 24 hours, all the world's DNS servers will resolve
> testing.victim.com as 24.102.80.12. If you PING testing.victim.com from any
> server in the world, say network-tools.com, it gives you 24.102.80.12.
> 
> This is not good; now "testing.victim.com" is tied to the IP address, it
> doesn't even try to resolve it from "victim.com"'s DNS server..... Why is
> this happening?? I have used http://network-tools.com/nslook/Default.asp
> to verify my result.
> 
> If this is true, anyone can hijack other people's domain name using DNS and
> point it to his IP address? This is scary..
> 
> Help..

Hi Ivan,
I'm unable to check this, for I don't have a register.com account.
If you're right (which I hope you aren't!) I can think of these
possibilities:

- register.com has access to the NS of victim.com (e.g. victim.com's NS
  is ns.register.com)
- register.com makes the entries in the gtld servers (root servers for
  the .com tld)
  Technically this is possible and is not unusual (e.g. adding an A record for
  ns.victim.com).
  Is victim.com registered through register.com too? If not, it's a
  *very* serious problem, since any .com registrar could add arbitrary
  DNS records to arbitrary domains.
  When it is registered through register.com, it's only their security
  bug.

hth :)

br
Joern Heissler
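As an added illustration (not part of this thread, and not register.com's or BIND's code): a simplified model of the "bailiwick" filtering a caching resolver applies to a referral handed back by a parent (gTLD) server. Glue A records are accepted only for the delegation's own NS names that lie inside the delegated zone; the names and the 24.102.80.12 address come from the thread, the referral structure and sample values are constructed for the example.

```python
# Added example (not from the original thread): model of how a caching resolver
# filters the additional section of a parent-zone referral. Only glue for the
# delegation's own NS names, and only names under the delegated zone, enter the
# cache; any other A record the parent server hands out is discarded.

def _is_subdomain(name: str, zone: str) -> bool:
    """True if name is zone itself or lies below it (case-insensitive)."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)

def accept_glue(referral: dict) -> tuple[list, list]:
    """Split a referral's additional-section A records into (accepted, rejected).

    referral = {
        "zone": "victim.com.",                          # zone being delegated
        "ns": ["ns.victim.com.", "ns.register.com."],   # NS names in authority
        "additional": [("ns.victim.com.", "192.0.2.53"), ...],
    }
    A record counts as glue only if its owner is one of the NS names AND is
    inside the delegated zone; out-of-bailiwick NS names get resolved separately.
    """
    zone = referral["zone"]
    ns_names = {n.lower().rstrip(".") for n in referral["ns"]}
    accepted, rejected = [], []
    for owner, ip in referral["additional"]:
        is_ns = owner.lower().rstrip(".") in ns_names
        if is_ns and _is_subdomain(owner, zone):
            accepted.append((owner, ip))
        else:
            rejected.append((owner, ip))
    return accepted, rejected

# Constructed referral modelled on the thread: the gTLD server answers a query
# for testing.victim.com with the delegation for victim.com plus extra A records.
SAMPLE_REFERRAL = {
    "zone": "victim.com.",
    "ns": ["ns.victim.com.", "ns.register.com."],
    "additional": [
        ("ns.victim.com.", "192.0.2.53"),         # legitimate in-zone glue
        ("ns.register.com.", "192.0.2.100"),      # NS name, but out of bailiwick
        ("testing.victim.com.", "24.102.80.12"),  # not an NS name: never glue
    ],
}

if __name__ == "__main__":
    ok, bad = accept_glue(SAMPLE_REFERRAL)
    print("accepted glue:", ok)
    print("rejected:", bad)
```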
