Tell HN: How to Respond to a Domain Takeover
9:58am I can no longer deploy to production
10:15am Finished troubleshooting all services, no problems identified
10:16am nslookup resolves to some random IP address instead of my prod server (WTF!!!!!!)
10:20am Log into registrar and find out they replaced my custom DNS servers with their own and added records to serve a "Parked free courtesy of GoDaddy" page with ads and a button that says "Get This Domain"
10:30am Changed my domain on the registrar website back to my custom DNS servers
10:32am Changed my password on the registrar website
10:38am Got told by GoDaddy support they didn't have anything to do with this and it was my fault it happened (f-me, right?)
11:55am DNS records across the internet are still jacked
12:00pm Manually blow out the cache on cloudflare for my domain
Postmortem Suggestions:
* If your website goes down; don't blow 15+ minutes troubleshooting your app services before checking DNS
* Enable 2fa with your registrar (even though there was no alert for us)
* Set up an alert for when your domain resolves to a different IP address (make a script and host it elsewhere or pay for a service)
* Don't trust your registrar!!!!
* Take a screenshot of your registrar settings and DNS settings right now so you have a record when they disappear
* Get access to your registrar account ASAP after the attack and change your DNS records back using the screenshots you just took
* Manually purge the cache of major DNS providers (for your domain) to allow your DNS records to propagate: https://cloudflare-dns.com/purge-cache/
22 comments
[ 4.2 ms ] story [ 62.6 ms ] threadRule #2: See Rule #1
Rule #3: https://www.gov.uk/guidance/protect-domains-that-dont-send-e...
Side note so this comment isn’t completely devoid of info: in the 10+ years I’ve had domains at Namecheap I’ve never had so much as a hiccup. Highly recommend them as a registrar.
The domain registrar POINTS to whatever DNS servers, so in this attack the registrar just POINTED to their own DNS servers. Rule #1 and Rule #2 were followed but the domain was still taken over. The attacked domain also needs to send email so the gov.uk link is great guidance but can't be followed here.
But why? A compromise of either service leads to a domain takeover (although recovering from a DNS compromise is easier than recovering from a registrar compromise) so you're doubling your risk exposure if you follow this rule.
You missed a couple steps, I'd say:
- make sure you've enabled domain transfer / termination locking - setup uptime monitoring - get off of GoDaddy
There were no 2fa alerts or any record of anomalous logins, so it's unlikely the password was compromised.
Even locking my domain from transfer wouldn't have stopped this from happening, the domain wasn't transferred: only the pointers to new DNS servers were changed.
This really smells like GoDaddy has bad programmers that introduced bugs in their infrastructure, or hackers poking around their back-end triggering stored procedures.
I'm not sure if it's 100% clear from the write up, but my domain was "seized" by GoDaddy's systems that host an insecure "Hosted by GoDaddy" welcome page. I didn't click on the "Buy This Domain" button, but it could have been spoofed to look like GoDaddy and actually taken me to some command and control server if this wasn't GoDaddy that performed the domain takeover.
Recourse? I called GoDaddy support and they were 700% confident their systems are perfect. I was told by the first support rep "I'm writing this down as caused by customer", so I told him "Well I'm marking this in my system as caused by GoDaddy" as we both laughed.
I called GoDaddy support a second time after I was partially convinced this was my fault and told them "Absolutely not, you guys messed up this needs to be escalated" as I gave the support representative a primer on the basics of how DNS works and why it broke for my domain (because he was clueless). Then emailed him a screenshot of my domain with "Parked by GoDaddy" written all over it because he didn't believe me.
So my recourse here is getting called an idiot by barely conscious GoDaddy support staff, posting this on HN to share the experience and getting called out again as an idiot for using GoDaddy (this is my first issue with them in 20 years). This has been happening to random GoDaddy customers for 4+ years and GoDaddy is so full of themselves they won't even open a support ticket to consider it might be their fault. I have no recourse except to transfer my domains to a responsible registrar.
… and I’ve seen the same issue happen with many many domains registered with GoDaddy and NetWork Solutions. Avoid them. Either NAmeServers get reset or DNS entries vanish even though they are all there when you login to fix it.