DNS hijacking using a non-responding name server
What this means
One or more name servers are not responding to DNS queries for the domain.
This is most likely because:
- the domain is new and the name servers do not yet have a zone configured for it
- there is an error or typo in the delegation or in the name servers' configuration
- the domain has been incorrectly decommissioned or transferred and has been removed from the name server but not from the parent zone
Why this is a problem
When a name server is not responding for a domain, a malicious actor could create an account with that DNS hosting provider and create the zone for the domain themselves.
Many hosting providers assign zones to a fixed pool of name servers, so the very servers listed in the domain's delegation could be allocated to the malicious actor's account, giving them complete control over the domain.
This can mean that users are redirected to fraudulent websites and the domain becomes vulnerable to phishing attacks, malware distribution, and other security risks.
How to check if the problem is still there
Use dig to query the name servers for the domain.
Example
First, list the delegated name servers for the domain:
dig ns example.gov.uk +short
ns1.example-dns-provider.com
ns2.example-dns-provider.com
Then query each name server directly to see if it responds for the domain:
dig ns example.gov.uk @ns1.example-dns-provider.com +short
ns1.example-dns-provider.com
ns2.example-dns-provider.com
If a name server does not respond, or returns an error instead of the domain's records, it is non-responding and the domain may be vulnerable to hijacking.
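To run the same check across every delegated name server at once, here is an added example (not part of this guidance) that sends an NS query directly to each server with a short timeout and reports a timeout, an error code such as REFUSED, or an authoritative answer. The domain and name-server names are the page's placeholders and are assumed; replace them with your own. It uses only the Python standard library.

```python
import random
import socket
import struct

DOMAIN = "example.gov.uk"  # assumption: placeholder domain and servers from the guidance
NAME_SERVERS = ["ns1.example-dns-provider.com", "ns2.example-dns-provider.com"]
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def build_query(name, txid, qtype=2):
    """Wire-format DNS query for NS (qtype 2). Flags are 0, so RD is off and the
    server must answer from its own zone data rather than recurse on our behalf."""
    header = struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", qtype, 1)


def classify(resp, txid):
    """Turn a raw response (or None for a timeout) into a short verdict."""
    if resp is None:
        return "no response"
    if len(resp) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    if rid != txid:
        return "mismatched id"
    rcode = flags & 0x000F
    if rcode != 0:  # REFUSED usually means no zone for the domain on this server
        return RCODES.get(rcode, "rcode %d" % rcode)
    if not flags & 0x0400:  # AA bit: the server claims authority for the zone
        return "non-authoritative"
    return "authoritative (%d NS records)" % ancount


def check_name_server(domain, server, timeout=3.0):
    """Send one NS query straight to a delegated server over UDP port 53."""
    txid = random.randrange(0, 0x10000)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(domain, txid), (socket.gethostbyname(server), 53))
        resp, _ = sock.recvfrom(512)
    except OSError:  # covers timeouts and unresolvable server names
        resp = None
    finally:
        sock.close()
    return classify(resp, txid)


if __name__ == "__main__":
    for ns in NAME_SERVERS:
        print(ns, "->", check_name_server(DOMAIN, ns))
```

Any server reporting "no response", "REFUSED" or "non-authoritative" is the case this page describes and should be fixed or removed from the delegation.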
How to fix it
Make sure all delegated name servers for your domain are online and responding to queries correctly.
Remove any non-responding or misconfigured name servers from your domain's name server delegation, or configure them correctly for the domain.
By keeping your name servers properly configured and responding, you can mitigate the risk of DNS hijacking.