The Domain Name System, DNS for short,
is quite the complicated setup. As we learned the last
time I talked about DNS, all the information for a zone is stored on the
primary and secondary nameservers. The root servers (in most cases) point
people on the internet to where the DNS servers for your zone are.
Change those pointers, and you've lost your zone!
Normally, these
pointers are changed infrequently, such as when you move servers or change
ISPs. However, it is possible to forge a request for a change, in which case
the domain is said to be hijacked. Once someone can redirect all queries to
your zone to a nameserver of their choosing (such as a hacked one), they
can point www.yourzone.com to wherever they want, intercept all your email,
and generally impersonate your domain. Starting to see how serious this
is?
Network Solutions, the original registrar, based all their
registration system on email. You sent an email to the automated system, and if
the addresses matched up, the request was granted. Unfortunately, email
is trivial to forge. In the past, this was OK since the Internet wasn't as
big as it is now and people didn't rely on their domain as much. Now,
however, domains are much more important.
To combat this, Network
Solutions introduced the Guardian system. Guardian allows you to specify authentication methods for each
contact.
Method one is MAIL-FROM, which is the same as before: the email
addresses are compared to validate the sender. Not secure.
CRYPT-PW is
the second method. Send Network Solutions a password, and they'll keep a
hash of it on file. Any request has to have the password on it, which they
can hash and compare to their database. (A hash is simply a one-way
function. It's that way so that if the database is stolen, the passwords
can't be recovered.) This method is quite secure, assuming no one is
reading your email. That's a big if in some places, so this may not be
the right one for you. This method is extremely easy to set up, though;
following the instructions on the Guardian page took all of three minutes.
PGP is the third and last method. Send
Network Solutions your PGP key, and all changes must be digitally signed by
you. PGP can be obtained from pgp.com;
there are also links to a freeware version from MIT. There is a small
procedure to go through to send your key, but after that it is fairly easy
to complete. This is very secure, but may be difficult due to the nature of
using PGP. Network Solutions cannot accept MIME-encoded messages, which is
the default for the Windows version of PGP when integrated into an email
package. Any version from 2.6 to 6.x can be used.
Using one of the latter
two authentication methods will help prevent your domain from being hijacked
when using Network Solutions. Remember that the authentication is tied to a
user, not a domain. This means that:
- You should make sure that the
Administrative, Billing, and Technical contacts have either CRYPT-PW or PGP
set up.
- If you register multiple domains, you don't have to go
through this procedure again, subject to the above line.
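
The difference between MAIL-FROM and CRYPT-PW, as an added sketch that is not Network Solutions' code and not part of the original article: a per-contact check that accepts a change request on the From header alone versus one that also requires a password matching a stored one-way hash. The request layout, the `Password:` line, the addresses and the use of PBKDF2 as the one-way hash are all assumptions made for the example.

```python
import hashlib
import hmac
import os
from email import message_from_string
from email.utils import parseaddr

def hash_password(password, salt):
    """One-way salted hash (PBKDF2 is a stand-in); only this is kept on file."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_contact(email_addr, method, password=None):
    """Build a contact record as a registrar might keep it (hypothetical layout)."""
    contact = {"email": email_addr.lower(), "method": method}
    if method == "CRYPT-PW":
        contact["salt"] = os.urandom(16)
        contact["hash"] = hash_password(password, contact["salt"])
    return contact

def authenticate(raw_request, contact):
    """Return True if the change request passes the contact's auth method."""
    msg = message_from_string(raw_request)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender != contact["email"]:
        return False
    if contact["method"] == "MAIL-FROM":
        return True  # the From header is the only evidence, and the sender sets it
    if contact["method"] != "CRYPT-PW":
        raise ValueError("only MAIL-FROM and CRYPT-PW are modelled here")
    # CRYPT-PW: the request must also carry the password (hypothetical field name).
    supplied = ""
    for line in msg.get_payload().splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "password":
            supplied = value.strip()
    candidate = hash_password(supplied, contact["salt"])
    return hmac.compare_digest(candidate, contact["hash"])

# Constructed sample requests; addresses, fields and password are made up.
FORGED = "From: admin@yourzone.example\n\nNameserver: ns1.elsewhere.example\n"
GENUINE = ("From: admin@yourzone.example\n\n"
           "Password: correct horse battery\nNameserver: ns2.yourzone.example\n")

if __name__ == "__main__":
    weak = make_contact("admin@yourzone.example", "MAIL-FROM")
    strong = make_contact("admin@yourzone.example", "CRYPT-PW", "correct horse battery")
    print("forged  vs MAIL-FROM:", authenticate(FORGED, weak))
    print("forged  vs CRYPT-PW :", authenticate(FORGED, strong))
    print("genuine vs CRYPT-PW :", authenticate(GENUINE, strong))
```

The genuine request still carries the password in the clear, which is why the article qualifies CRYPT-PW with "assuming no one is reading your email".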
Other
registrars use web based methods of modifying account information, which
require a password. However, for some reason or another, you may not want to,
or be able to, use one of these.
If you want to compare other
registrars, go to the Domain Name
Buyer's Guide, which is supposed to be an unbiased comparison of the
various registrars based on cost and the terms and conditions of
registration. It is a must-read if you're in the market for a domain
name, or if your current term with Network Solutions is coming due.