DNS hijacking using a non-responding nameserver
Impact: High
Common error ID: detectify-dns-hijack-domain-uses-non-responding-nameserver-s-in-<service>
What this means
One or more name servers are not responding to DNS queries for the domain.
This is most likely because:
- the domain is new and the name servers have not yet been configured for it
- there is an error or typo in the configuration
- the domain may have been incorrectly decommissioned or transferred, so the zone has been removed from the name server but the NS delegation has not been removed from the parent zone
Why this is a problem
When a name server is not responding for the domain, a malicious actor could create an account with the DNS hosting provider and add the domain as a zone themselves.
Many hosting providers assign zones to a fixed, shared set of name servers, so the same name servers the domain already delegates to could be allocated to the malicious actor's account, giving them complete control over the domain's records.
This can mean that users are redirected to fraudulent websites and the domain becomes vulnerable to phishing attacks, malware distribution, and other security risks.
How to check if the problem is still there
Use dig to find the name servers delegated for the domain, then query each of those name servers directly for the domain.
Example
First list the name servers the parent zone delegates the domain to:
dig NS example.gov.uk
Then check each listed name server to see if it answers for the domain (the @ sign sends the query to that specific server):
dig NS example.gov.uk @ns1.example.com
dig NS example.gov.uk @ns2.example.com
If the name server does not respond (the query times out), returns an error status such as SERVFAIL or REFUSED, or answers without any NS records for the domain, it is non-responding for the domain and the domain may be vulnerable to hijacking.
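The check above, written as a small shell script that classifies each name server's answer. This is an added example, not part of the original guidance; it assumes dig is installed, and the sample dig outputs at the end are constructed for a dry run rather than captured from real servers.

```shell
#!/bin/sh
# classify_dig_output: given the text of "dig NS <domain> @<server>", print
# RESPONDING, LAME, TIMEOUT or ERROR:<status>. Returns 0 only for RESPONDING.
classify_dig_output() {
  out="$1"
  case "$out" in
    *"no servers could be reached"*) echo TIMEOUT; return 1 ;;
  esac
  # Pull the rcode out of the ";; ->>HEADER<<- ... status: XXX" line
  status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n1)
  case "$status" in
    NOERROR)
      # NOERROR but no answer section: the server is up but does not host
      # the zone (lame delegation), which is the hijackable state
      if printf '%s\n' "$out" | grep -q 'ANSWER SECTION'; then
        echo RESPONDING; return 0
      fi
      echo LAME; return 1 ;;
    "") echo TIMEOUT; return 1 ;;
    *) echo "ERROR:$status"; return 1 ;;
  esac
}

# check_ns: query one name server ($2) for the domain ($1) with a short timeout
check_ns() {
  classify_dig_output "$(dig +time=3 +tries=1 NS "$1" "@$2" 2>&1)"
}

# check_all_ns: take the parent-delegated NS set and check every server in it
check_all_ns() {
  domain="$1"
  for ns in $(dig +short NS "$domain"); do
    printf '%s\t%s\n' "$ns" "$(check_ns "$domain" "$ns")"
  done
}

# Constructed (abbreviated) dig outputs for an offline dry run of the classifier
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; ANSWER SECTION:
example.gov.uk.   3600  IN  NS  ns1.example.com.'
SAMPLE_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4321'
SAMPLE_LAME=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5678
;; AUTHORITY SECTION:
. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 1 2 3 4 5'
SAMPLE_TIMEOUT=';; connection timed out; no servers could be reached'
```

Run it as "check_all_ns example.gov.uk" (or "sh script.sh" with that call appended) to get one line per delegated name server; anything other than RESPONDING needs fixing.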
How to fix it
Make sure all configured name servers for your domain are online and responding to queries correctly.
Remove any non-responding or misconfigured name servers from your domain's NS records in the parent zone, or configure them so that they host the zone for the domain.
By keeping your name servers properly configured and responding, you can mitigate the risk of DNS hijacking and help make sure your domain’s users are directed to the intended destinations.