Home / Industry

How Threat Intelligence Prevents Nameserver Takeovers and Their Far-Reaching Damage

In an ideal world, administrators should never run across threats to their web properties. However, human errors and vulnerabilities inevitably get in the way of cybersafety. Managed Domain Name System (DNS) providers, registrars, and services can sometimes put users at immense risk as well. Add to this the fact that practically anyone can easily acquire a top-level domain (TLD) name.

Hackers sometimes deploy malicious schemes by gaining access to and altering the configuration of nameservers. All they need to do is take hold of floating domains and available nameservers (NSs) or exploit domain misconfigurations.

Why Nameservers Are Prone to Hacking

NSs are inherently vulnerable because like most protocols, they were not designed with security in mind. And because the DNS is a critical part of any organization’s operation, the servers that make sure its business stays connected are often subjected to cache poisoning, botnet, DNS amplification, and other attacks.

The first line of defense against NS abuse is to gather a comprehensive set of threat intelligence and use analyses findings for protection. Let’s take a look at some scenarios where threat intelligence can help prevent NS attacks.

Nameserver Attack Scenarios

Identifying Misissued Access to an Authoritative Domain Nameserver

In 2017, a security researcher took control of more than 270,000 .io domains by purchasing four .io authoritative NSs. Using a proof-of-concept (PoC) exploit, he registered .io NS domains that were up for sale. Within 24 hours, the NS domains pointed instantly to their corresponding authoritative NSs.

The researcher tested his theory of using an expired or wrongly configured domain and registered it to obtain privileged access to an authoritative NS. The vulnerability came to the fore during a TLD handover from .io to a third-party, which failed to block four of .io’s seven NSs during the transfer.

In such a case, domain analysis could have mitigated the exposure. Using a threat intelligence platform, for instance, could have revealed NS misconfigurations. This tool can compare the NS details in a registrant’s NS and the related domain’s WHOIS records. If inconsistencies are found, potential violations are revealed.

Landing on a Hijacked Domain

At times, users attempting to access a legitimate website are redirected to a malicious one instead. In such a case, the site may have been subjected to a DNS hijacking attack, specifically a rogue DNS server attack. In such an attack, the hijacker hacks a vulnerable DNS server and changes how it’s configured so anyone who visits the domain it’s tied to lands on a malicious site. Victims of rogue DNS server attacks can end up as either pharming or phishing victims.

Using a reverse NS API can help spot hijacked domains in that it identifies all domains that use the same NS. If the domain users land on isn’t tied to the known NSs of the organization that owns the website they’re accessing, that may be an indication of domain hijacking.

Uncovering Cyber Espionage and Other Complex DNS Attacks

Late last year, Talos discovered what it had dubbed a “DNSpionage” campaign. The term referred to a series of sophisticated DNS hijacking attacks that targeted several entities in parts of the Middle East, Africa, and Europe. Government agencies, private businesses, Internet service providers (ISPs), and software supply chains were affected by the breach.

This case reiterated the importance of monitoring DNS traffic to make sure that it isn’t being redirected to malicious sites. Keeping one’s DNS records updated and making sure it remains unchanged by unauthorized users is also paramount. Using a threat intelligence solution that automatically checks how users’ DNS infrastructure and hosts are configured can help prevent the damage brought on by DNSpionage attacks.

* * *

Content protection via encryption with the HyperText Transfer Protocol Secure (HTTPS) or Transport Layer Security (TLS) protocols is not enough in itself to protect users’ privacy. Organizations should remember that attackers also monitor all the relevant protocols of Internet communication, notably DNS transactions. To truly ensure user privacy protection, they need to pay attention to their domains and protect their DNS infrastructure using all available means.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

Visit Page

Filed Under


Commenting is not available in this channel entry.
CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet




Sponsored byDNIB.com

Brand Protection

Sponsored byCSC

Threat Intelligence

Sponsored byWhoisXML API

New TLDs

Sponsored byRadix

Domain Names

Sponsored byVerisign


Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global