Horrors of DNS: A Tale of 1800 potential domain takeovers due to mistyped NS


Domain Name System (DNS) configuration errors, though often overlooked, can have significant security implications. A seemingly minor typo in a DNS record can expose organizations to risks such as DNS hijacking, traffic interception, and fraudulent SSL certificate issuance. This research explores the prevalence of a specific type of DNS misconfiguration: the accidental substitution of .net with .ne in nameserver (NS) records. The study was inspired by a real-world incident involving MasterCard, where a typo in their DNS configuration could have been exploited by malicious actors. By analyzing zone files from over 1,000 top-level domains (TLDs), this research identifies the frequency of such typos and assesses the potential for abuse.


The MasterCard Incident: A Case Study

Recently, I stumbled upon an interesting article that caught my attention. It was about a seemingly small but significant "typo" in MasterCard's DNS configuration. Here's the gist: MasterCard uses Akamai's DNS servers, which are supposed to end with "akam.net." However, one of the servers was mistakenly configured as "akam.ne." This tiny typo meant that DNS queries for MasterCard's domains could potentially be directed to an unauthorized or non-existent domain. A security researcher named Philippe Caturegli noticed this, registered the "akam.ne" domain (which belongs to Niger's TLD), and observed a significant amount of DNS traffic hitting his server. If exploited, this misconfiguration could have led to DNS hijacking, traffic interception, email redirection, and even the issuance of fraudulent SSL certificates.


A Quick Refresher on Nameservers (NS Records)

For those unfamiliar with how DNS works, let’s break it down. NS records are like the phonebook of the internet: they name the servers that are responsible for a domain. When you type a website name (e.g., example.com), your resolver follows the NS records to find out which servers can provide the IP address of that website. These servers are called authoritative nameservers.


What Happens When There’s a Typo in an NS Record?

If one of the NS records has a typo—like "akam.ne" instead of "akam.net"—it means that part of the domain’s DNS resolution points to a server that doesn’t exist or isn’t controlled by the legitimate owner. If an attacker registers the typoed domain (e.g., "akam.ne"), they can set up their own DNS server there. When someone tries to access a domain that relies on the typoed NS record, their request could be sent to the attacker’s server instead of the legitimate one.


What Could an Attacker Do?

  1. Traffic Redirection: The attacker could respond with fake DNS records, pointing example.com to a phishing site’s IP address. Users would think they’re on the real site but actually be on a malicious one.

  2. Email Interception: By controlling the DNS, the attacker could redirect emails intended for @example.com to their own mail server, intercepting sensitive communications.

  3. SSL/TLS Certificate Issuance: The attacker could prove control of the domain by adding a specific TXT record to the DNS. Certificate Authorities (CAs) might then issue a valid SSL certificate for the domain, making the phishing site appear secure with a padlock icon in the browser.


But Wait, Aren’t There Other NS Records?

You might wonder, "If there are multiple NS records, wouldn’t the resolver just use the correct ones?" You’re right—resolvers do try other NS records if one fails. However, if the typoed NS server is responsive (because the attacker registered it), the resolver might use the malicious response. Additionally, DNS resolvers often cache the first valid response they receive, which could spread the attack to more users.


Why This Matters

This incident made me think: if this happened to MasterCard, it’s likely not an isolated case. Humans make mistakes—it’s what makes us human. As a result, I decided to dig deeper into how common such typos might be.


My Research Plan

I decided to focus on the prevalence of the .net to .ne typo. Here’s how I approached it:

  1. Data Collection: I already had access to zone files for 1000+ TLDs, which contain the DNS records (including NS delegations) for the domains under each TLD. My goal was to analyze these files to find active nameservers.

  2. Filtering .ne Nameservers: Instead of creating a list of .net nameservers and generating their .ne variations, I searched the zone files directly for nameservers ending with .ne. This gave me every delegated domain that uses a .ne nameserver.

  3. Checking for Typos: Once I had the list of nameservers ending in .ne, I analyzed them to determine which were genuine typos of .net nameservers. This was done by comparing the .ne nameservers with common .net nameservers to identify likely mistakes.

  4. Domain Availability Check: For the nameservers identified as typos, I checked whether their corresponding .ne domains were available for registration. This step was key in determining the potential for domain squatting or abuse.

    1. I started by converting the NS subdomains to their root domain format using the following Python script:

       import tldextract  # splits a hostname into subdomain, domain and public suffix

       def convert_file_to_root_domains(input_file, output_file):
           with open(input_file, 'r') as infile, open(output_file, 'w') as outfile:
               for line in infile:
                   url = line.strip()  # Remove leading/trailing whitespace
                   if url:  # Ensure the line isn't empty
                       extracted = tldextract.extract(url)
                       # e.g. "a1-2.akam.ne" -> domain "akam", suffix "ne"
                       root_domain = f"{extracted.domain}.{extracted.suffix}"
                       outfile.write(root_domain + '\n')
           print(f"Root domains have been saved to {output_file}")

       # File paths: one nameserver hostname per line in, one root domain per line out
       input_file = "all-ne-ns.txt"
       output_file = "root-domains.txt"

       # Convert subdomains to root domains
       convert_file_to_root_domains(input_file, output_file)


    2. After I had enumerated the root domains, I performed an availability check to see which of the .ne nameserver domains were available for purchase through the .ne registry. Following is my analysis for 75 such nameservers:
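The following script is an added example of the filtering and typo-classification steps above (steps 2 and 3), written for this page and not part of the original research tooling. It parses zone-file NS records, keeps only nameservers whose TLD looks like a truncation of a common TLD, checks whether the intended .net name is a known genuine nameserver, and counts how many delegated domains each typo affects, which is the same kind of tally as the "top 35" table. The zone lines, the known-good nameserver list and the extra "co" → "com" pair are constructed assumptions; the root-domain extraction assumes a registry with registrations directly under the TLD (as with .ne), so it takes the last two labels instead of consulting the public suffix list and runs offline. The availability check (step 4) needs a live registry query and is left out.

```python
# Added example (not the article's own code): audit zone-file NS records for
# nameserver hostnames whose TLD is a truncation of a common TLD (".ne" for
# ".net"), confirm the intended name is a known nameserver, and count the
# delegated domains affected by each typo.
from collections import Counter, defaultdict

# Truncated TLD -> TLD it was probably meant to be. The article studies only
# ne -> net; co -> com is an assumed generalization for illustration.
TYPO_TLDS = {"ne": "net", "co": "com"}

# Constructed sample of zone-file lines (not real data). Format is the usual
# "owner  TTL  class  type  rdata" layout of a TLD zone file.
SAMPLE_ZONE = """\
example.com.        172800  IN  NS  ns1.akam.net.
example.com.        172800  IN  NS  a1-2.akam.ne.
example.com.        172800  IN  NS  a3-4.akam.net.
shop-example.com.   172800  IN  NS  ns1.akam.ne.
another.com.        172800  IN  NS  ns1.example-dns.co.
legit-site.com.     172800  IN  NS  ns.provider.ne.
legit-site.com.     172800  IN  NS  ns2.provider.ne.
; comment line
bad-line
"""

# Constructed list of genuine nameserver root domains. Assumption: in a real
# run this is built from the .net/.com NS hostnames seen in the same zone files.
KNOWN_GOOD_ROOTS = {"akam.net", "example-dns.com"}


def parse_ns_records(zone_text):
    """Yield (owner, ns_hostname) pairs for the NS records in zone-file text."""
    for raw in zone_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank or comment line
        fields = line.split()
        # Require the five-field form with type NS; skip anything else.
        if len(fields) < 5 or fields[3].upper() != "NS":
            continue
        owner = fields[0].rstrip(".").lower()
        ns = fields[4].rstrip(".").lower()
        yield owner, ns


def root_domain(hostname):
    """Registrable domain, assuming registrations sit directly under the TLD.

    The article's script uses tldextract for the general public-suffix case;
    for a two-label registry like .ne the last two labels are sufficient.
    """
    labels = hostname.split(".")
    return ".".join(labels[-2:])


def classify(ns_hostname):
    """Return (typo_root, intended_root) when the nameserver looks like a typo
    of a known genuine nameserver, otherwise None."""
    root = root_domain(ns_hostname)
    if "." not in root:
        return None  # single-label hostname, nothing to classify
    sld, tld = root.split(".")
    intended_tld = TYPO_TLDS.get(tld)
    if intended_tld is None:
        return None  # TLD is not one of the truncations we audit for
    intended_root = f"{sld}.{intended_tld}"
    if intended_root in KNOWN_GOOD_ROOTS:
        return root, intended_root
    return None  # a genuine .ne/.co nameserver, not a typo of a known one


def find_typo_delegations(zone_text):
    """Map each typoed nameserver root domain to the set of delegated domains
    that reference it, plus the nameserver it was probably meant to be."""
    affected = defaultdict(set)
    intended = {}
    for owner, ns in parse_ns_records(zone_text):
        result = classify(ns)
        if result is None:
            continue
        typo_root, intended_root = result
        affected[typo_root].add(owner)
        intended[typo_root] = intended_root
    return affected, intended


def top_typos(zone_text, n=35):
    """Most frequent typoed nameserver root domains as (root, count) pairs."""
    affected, _ = find_typo_delegations(zone_text)
    counts = Counter({root: len(owners) for root, owners in affected.items()})
    return counts.most_common(n)


if __name__ == "__main__":
    affected, intended = find_typo_delegations(SAMPLE_ZONE)
    for root, count in top_typos(SAMPLE_ZONE):
        print(f"{root:20} probably {intended[root]:20} {count} domain(s)")
```

On the sample zone this flags akam.ne (two delegated domains) and example-dns.co (one), while provider.ne is left alone because no known provider.net nameserver exists; that negative case is what keeps a genuine .ne hosting provider from being reported as a typo.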


Results

The analysis revealed approximately 1,800 domain names with NS records mistakenly configured as .ne instead of .net. Among these nameservers, the majority were identified as likely typos, and many of their corresponding .ne domains were available for registration. The table below highlights the top 35 most frequently observed typos:


Conclusion

This research highlights the prevalence of DNS configuration errors, specifically the substitution of .net with .ne in NS records. The findings demonstrate that such typos are not isolated incidents but rather a widespread issue affecting numerous domains. The availability of many typoed .ne domains for registration underscores the potential for abuse, including DNS hijacking, traffic interception, and fraudulent SSL certificate issuance.

The implications of these findings are significant for both organizations and cybersecurity professionals. DNS configuration errors, though seemingly minor, can have far-reaching consequences, compromising the integrity and security of online services. To mitigate these risks, organizations should implement rigorous DNS auditing processes, employ automated tools to detect misconfigurations, and ensure that DNS records are regularly reviewed and updated.

This study also serves as a reminder of the importance of human oversight in cybersecurity. While technology plays a critical role in safeguarding digital assets, human error remains a persistent vulnerability. That’s all from my side for now. Thank you for coming to my TED talk!