blog.metters.dev

Getting DNS hijacked


I recently discovered that my father-in-law’s service provider had hijacked the DNS record of his .com domain and had been actively exploiting it. He owns a company, so he also has a website and a domain.

When he first set up his website and domain, I didn’t have time to help him, and I forgot about it afterwards. Since he doesn’t know much about websites or DNS records, he hired an external company to handle everything for him. Unfortunately, this company wasn’t reputable.

He asked my wife (who also knows nothing about DNS records) to update the DNS record according to the bad guy’s requests, and so she did. The result can be seen at the end of this blog post, under “The DNS record”.

Low quality website

One evening, I tried to open his website for some unknown reason and was shocked by the terrible user experience:

  • The loading time was so slow that I thought my internet connection was having issues.
  • Simple information appeared to be copy-and-pasted without any effort to ensure that it was displayed correctly.
  • The product catalogue had about 37 pages but lacked a search function, and the [>>] button would take me to the next page instead of the last one.

The list of issues could go on, but it was clear that zero effort had been put into the website’s implementation. It seemed like they had used a (WordPress) theme, but even that was not done properly.

I decided that I could do a better job and started searching for templates for static sites. Once I found one that I liked, I set out to re-implement the site in a more visually appealing way (and to improve that loading time). To do this, I sometimes visited the original site to see how certain things worked and what data needed to be displayed.

Discovering the foul play

When I checked the website again later, I was met with a strange result. Instead of being taken to the landing page of my father-in-law’s company, I was directed to another company’s page. I tried again, but the same thing happened. I experimented with different requests, editing the protocol (https/http) and subdomain (www). Sometimes, I would see the expected site, but other times I would see this other site. I asked my wife, who confirmed that there must be a mistake.

Naturally, I checked the DNS record and discovered what was going on—at least, most of it. The guys who were managing the site were using the domain to forward to another site. I didn’t know whether the owner of the other site was aware of this and part of the scheme, but it didn’t matter. What was worse was what I found out next: according to MxToolbox, our domain had been blacklisted several times, or the IP of the web server behind the domain had been.

This was the reason I immediately removed all DNS entries and set up my own site as the new homepage. It’s still a work in progress, but in the case of my father-in-law’s site, it doesn’t matter as he’s not in e-commerce. The product catalogue and his contact information for potential customers to get in touch with his company are sufficient.

Lessons learnt

  • Keep control of your DNS record!
    • The domain is registered under your name. Any illegal activity like sending spam and phishing emails might point to you and your company.
    • If those people have direct and unrestricted access to your DNS record, the potential harm could be much greater. Moreover, if they have to request every change from you, each request is a chance for the change to be noticed.
  • There’s no need to blame yourself if you find yourself in this situation. If you lack the necessary knowledge and choose to hire someone to manage it for you, it can be difficult to avoid such issues. The service provider has a good chance of success, as they are generally regarded as a trusted partner.
  • It is the IP of the web server that hosts your site that gets blacklisted—not the domain. However, the domain, and with it the company’s brand, might still suffer reputation damage.

The DNS record

Nr.  Record                   Host  Value
1    A                        @     IP of web server hosting our website
2    CNAME                    www   {our domain}.{some other domain}.
3    CNAME                    www   {some other domain}.
4    URL Redirect (Unmasked)  @     http://www.{our domain}.com/?from=@

  1. The first entry was in fact pointing to the IP address of the web server hosting the site of my father-in-law’s company.
  2. This was the initial configuration. It was later replaced…
  3. …by this entry, at the time when I found out about this scheme.
  4. This is a feature of our domain provider. Search “Unmasked Forwarding” on this site.
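One way to catch a record set like the one above before it does damage, as an added example that is not the author’s code: a small audit that flags CNAMEs and unmasked redirects whose effective destination lies outside the owner’s own zone. The records are a constructed copy of the table, with example.com standing in for {our domain}, third-party.example for {some other domain}, and a documentation IP in place of the real server.

```python
"""Audit a DNS record set for hosts that hand traffic to a third party."""
from urllib.parse import urlparse

OWNER = "example.com"  # stand-in for {our domain}

# (record type, host, value) as shown in the provider's control panel;
# a constructed mirror of the table above, not the real records.
RECORDS = [
    ("A", "@", "203.0.113.10"),                                    # entry 1
    ("CNAME", "www", "example.com.third-party.example."),          # entry 2
    ("CNAME", "www", "third-party.example."),                      # entry 3
    ("URL Redirect (Unmasked)", "@", "http://www.example.com/?from=@"),
]


def fqdn(host: str, owner: str = OWNER) -> str:
    """Expand a control-panel host label ('@', 'www') to a full name."""
    host = host.rstrip(".").lower()
    return owner if host in ("@", "") else f"{host}.{owner}"


def in_owner_zone(name: str, owner: str = OWNER) -> bool:
    """True if name is the owner's apex or a label below it.

    example.com.third-party.example merely starts with the owner's
    domain; it is not inside it, so compare whole label suffixes.
    """
    name = name.rstrip(".").lower()
    return name == owner or name.endswith("." + owner)


def audit(records, owner: str = OWNER):
    """Return (host, reason) findings for records that leave the zone."""
    cnames = {fqdn(h, owner): v for t, h, v in records if t == "CNAME"}
    findings = []
    for rtype, host, value in records:
        name = fqdn(host, owner)
        if rtype == "CNAME" and not in_owner_zone(value, owner):
            findings.append((name, f"CNAME hands {name} to {value}"))
        elif rtype.startswith("URL Redirect"):
            target = urlparse(value).hostname or ""
            # Follow one hop: a redirect that looks in-zone can land on a
            # CNAME that leaves it, which is exactly the chain in the table.
            hop = cnames.get(target, target)
            if not in_owner_zone(hop, owner):
                findings.append((name, f"redirect to {target} ends at {hop}"))
    return findings


if __name__ == "__main__":
    for host, reason in audit(RECORDS):
        print(f"{host}: {reason}")
```

Run against the live records of a domain, the same check is a cheap thing to repeat after every change a provider asks for.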