Search Go hack yourself with Detectify

An EASM blog from Detectify

DNS Hijacking – Taking Over Top-Level Domains and Subdomains

January 19, 2021

TL;DR: On January 7, the Detectify security research team found that the .cd top-level domain (TLD) was about to be released for anyone to purchase and claimed it to keep it secure before any bad actors snatched it up. A technical report with full details is available on Detectify Labs. This blog post will discuss the basics of domain takeover.

Summary of the hack

Fredrik Nordberg Almroth, Detectify Co-founder and Security Researcher, spent his holidays like any other hacker would – by executing a great hack. Often a hack with such high stakes seems like it would require an intricate execution, and in reality, it is usually the simplest thing that does the trick. In this case, the .cd TLD was about to expire and had gone unnoticed by the owners. Cutting to the chase, Almroth was able to claim the expiring name server for the Democratic Republic of Congo’s top-level domain (TLD) – .cd – before it was going to enter into Deletion status and maintain the status quo. 

If it went to this status, then a malicious actor could exploit DNS hijacking and listen in on encrypted traffic and redirect traffic requested for websites registered to the .cd domain to other websites. Fredrik did not have any of these intentions, though, and Zack Whittaker at TechCrunch has published a full news report on what happened.

DNS hijacking and subdomain takeover cover image

What are DNS hijacking and subdomain takeover? 

Control DNS, and you can control the traffic

When browsing the Internet, the requests to visit websites or make searches are sent to a Domain Name Server (DNS), which will direct the user traffic to the website requested. DNS hijacking is the term given when an attacker intercepts the traffic being requested from a DNS and redirects it to another website, often with malicious intent. 

Hijacking a TLD means that an attacker has been able to gain control of the name server for websites registered to .com,, or .io and subsequently having control over the requests sent to sites with .com. Since the attacker has ownership, they could create websites that look legitimate and issue SSL certificates (to show HTTPS) and encrypt the traffic from others, making it nearly impossible to detect to end-users. Usually, a slow loading website could be indicative of such an attack. 

There are several ways in which DNS hijacking can occur, and one way of taking over an entire top-level domain is to be the quickest, or as we say in Swedish först till kvarn. In this recent case, the top-level domain was expiring, and payment was due for the existing domain owner to maintain it. There is a grace period where owners can still claim it before it goes into a queue for “Deletion”. If a domain enters this phase, it is basically up for sale to the public for anyone to take control over. These occurrences are rare and can be mitigated with controls set-up to detect domain licenses close to their expiration date.

DNS hijacking diagram from Impreva

Image source: Imperva that shows how DNS hijacking works

Hijacking of traffic can also happen on the subdomain level. 

Maybe you’ve heard of something called Hostile Subdomain Takeover before? This was a term coined by the Detectify Security Researchers back in 2014. It means that an attacker registers and claims ownership of a subdomain that has been forgotten or abandoned by its original website owner. The subdomain ownership can be claimed by someone else yet remain registered to the original owner and apex domain. The attacker then leverages it for malicious activities by serving their own content to harm the original owner’s reputation, make an exact copy of the original website, and steal sensitive data and listen in on what website visitors are doing. 

Here’s a likely scenario: 

A subdomain owned by Company A is forgotten about, and ownership of the web asset is not renewed and forgotten. It can then be claimed by someone else and taken over. The new owner can then control the content seen by visitors to the site. Malicious actors could duplicate the original site’s content and use it for phishing attacks or serve their unique content on the site. 

Subdomain takeover scenario

Since the discovery of this technique in 2014, we’ve seen this method growing on the hacking scene, and it’s become a go-to technique for some bug hunters. 

All know it in the community, and still, subdomain hijacking is a common problem for web security. We’re here to say, take it seriously. Given the current landscape of communication online and social media, it is difficult to detect subdomain takeovers from a user’s perspective, which puts more onus on the vendors to harden their DNS records’ security. Companies like Detectify share techniques and offer technology that makes it easy for security practitioners to keep track of subdomain inventory, DNS misconfiguration and vulnerabilities to takeovers.

What can one do with TLD control?

Having ownership of a name server puts one in an unusually privileged position. You could:

  • carry out distributed denial-of-service attacks (DDoS) to completely overload websites to stop users from accessing them and data exfiltration. 
  • As a “man-in-the-middle” (MITM), the attacker can listen in on the encrypted traffic and see user input, including sensitive details like credit cards, search queries, log in details.
  • Redirect the traffic to sites they aren’t intended for, like disguised phishing sites or irreverent content, yet still appearing under a seemingly trustworthy URL with HTTPS. 
  • Learn more about how MITM is possible regardless of HTTPS on Labs.

How to prevent DNS hijacking when using the Internet:

  • Avoid using open Wi-Fi connections. While these look convenient for you, they’re also convenient for attackers to intercept traffic
  • If you must use a shared connection, do so with vigilance via a VPN. This added layer of security will encrypt the traffic you send from your device from hackers listening in
  • Always inspect links before clicking and avoid them if they look suspicious

How to prevent DNS and subdomain hijacking for vendors:

  • Keep track of the latest known vulnerabilities that exploit DNS and patch as soon as it is released
  • Limit user access to the DNS and add multi-factor authentication to reduce the risk of outsider and insider threats
  • Create an inventory of all your subdomains and the hosts, and keep it up-to-date as things change. If you prefer to do it with automation, Detectify Asset Monitoring will monitor your discoverable subdomain inventory and dispatch alerts as soon as an asset is vulnerable to a takeover

How can Detectify help?

DNS misconfigurations are common and cumbersome to keep track of, especially if you monitor hundreds and thousands of domains. Built with research from the expert ethical hackers of the Detectify Crowdsource community, Detectify Asset Monitoring uses proven technology to automate the enumeration and monitoring of discoverable subdomains. Security defenders rely on Asset Monitoring to stay on top of DNS changes and mitigate risks in time.

Ready to give Detectify Asset Monitoring a try? Try it out for 2-weeks with one of our security experts to find subdomains risks faster today.

Test your website's security with Detectify Sign up for a free trial