[dns-operations] Typo in fox.com and an Akamai squatter
Paul Hoffman
phoffman at proper.com
Mon Feb 1 17:45:46 UTC 2016
On 1 Feb 2016, at 8:08, Edward Lewis wrote:
> If the problem lay in the registration data, i.e., the owner of fox.com,
> made a typo at their registrar and it resulted in the incorrect name being
> published in the DNS, there is little the DNS hoster can do. If the name
> owner leaves a hanging name for someone else to squat on, there's simply
> no automated way to prevent badness.
Sure there is. A hoster can scan the NS records for all their clients
and note when one of those records isn't pointing to the hoster's name
servers. This would be a service that I bet some customers (such as
Fox?) would very much like.
> A DNS hoster could detect changes and ask if they made sense (that would
> be asking a lot) but in the case I was privy to, the changes weren't made
> in the hoster, they were made in a location far removed - the registrar.
That should not prevent the hoster from not only alerting their
customer, but suggesting that the customer use a better registrar (for
some probably-slated definition of "better", like "registrars with whom
we have a business relationship").
> I don't know if Akamai is a registrar, if they are, if they are a
> registrar for fox.com. (WhoIs says fox.com is registered via
> MarkMonitor.) I am assuming they are not. Again, in the instance I saw,
> we were not a registrar even though we were a registry for a few TLDs.
In the current case, Akamai could make an arrangement with some
registrars (certainly with one the size and reputation of MarkMonitor)
to have a high-urgency communication channel when there is something
wrong happening with their mutual customers.
> Only the domain name owner is in position to check this.
This entire list was able to check this. :-)
> DNSSEC or not,
> the problem exists, with DNSSEC though DANE and other ways to check
> security credentials can help. (Because the owner would have to make two
> mistakes to be vulnerable, the typo plus messing up the other method,
> whatever it is.)
Note that the registrar is also able to check this. Pseudocode:
for each customer:
    Collect all NS records
    for each NS record in set:
        Check for name that is not run by the same admin as the rest
    if state == fishy:
        Check if we have talked to the customer about this before
        if first_time or not dont_bug_us_about_fishiness:
            Escalate
--Paul Hoffman
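
A runnable sketch of the check in the pseudocode above, added here as an example and not part of the original message. The customer names, name-server names, the `HISTORY` structure and the "last two labels" test for "same admin" are all assumptions made for illustration, and the NS sets are taken as already collected.

```python
from collections import Counter

# Constructed sample data: NS sets as already collected per customer zone.
CUSTOMERS = {
    "customer-a.example": ["ns1.dnshost.example", "ns2.dnshost.example"],
    "customer-b.example": ["ns1.dnshost.example", "ns2.dnshost.example",
                           "ns3.dnshots.example"],     # constructed typo
    "customer-c.example": ["ns1.dnshost.example", "ns2.dnshost.example",
                           "ns1.backup-dns.example"],  # known second provider
}
# Hypothetical record of earlier conversations with each customer.
HISTORY = {"customer-c.example": {"seen": {"ns1.backup-dns.example"},
                                  "dont_bug": True}}

def operator_of(ns_name):
    """Approximate "same admin" by the last two labels of the NS name.
    Assumption for this sample; real data needs the Public Suffix List."""
    labels = ns_name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def odd_ns(ns_names):
    """NS names whose operator differs from the clear majority of the set."""
    if not ns_names:
        return []
    ops = [operator_of(n) for n in ns_names]
    majority, top = Counter(ops).most_common(1)[0]
    if top * 2 <= len(ops):      # no clear majority: nothing to compare against
        return []
    return sorted(n for n, op in zip(ns_names, ops) if op != majority)

def review(customers, history):
    """Return {zone: fishy NS names} for the zones that should be escalated."""
    escalate = {}
    for zone, ns_names in customers.items():
        fishy = odd_ns(ns_names)
        if not fishy:
            continue
        past = history.get(zone, {"seen": set(), "dont_bug": False})
        # first_time: at least one flagged name was never raised before.
        first_time = any(n not in past["seen"] for n in fishy)
        if first_time or not past["dont_bug"]:
            escalate[zone] = fishy
    return escalate

if __name__ == "__main__":
    for zone, names in review(CUSTOMERS, HISTORY).items():
        print(f"escalate {zone}: {', '.join(names)}")
```

A set split evenly between operators is left unflagged here because there is no majority to compare against; such sets need a separate policy.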