1. Home
  2. Forums Index
  3. WebmasterWorld / Domain Names 11:00 am Apr 26, 2026

Forum Moderators: buckworks & webwork

Message Too Old, No Replies

DNS Vulnerabilities, hijacking, etc.

Comprehensive research paper exposes the risks

         

jtara

5:31 pm on Apr 26, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



There's been some discussion here recently about DNS vulnerabilities, particularly domain hijacking. There have been some scary figures cited in the technical press lately.

I imagine these come from this paper:

[cs.cornell.edu...]

I thought it would be useful to post a link to the original paper, as well as to this more-accessible article summarizing the paper:

[cs.cornell.edu...]

Here's a quote from the abstract:

a typical name depends on 46 servers on average, whose compromise can lead to domain hijacks, while names belonging to some countries depend on a few hundred servers. An attacker exploiting well-documented vulnerabilities in DNS nameservers can hijack more than 30% of the names appearing in the Yahoo and DMOZ.org directories. And certain nameservers, especially in educational institutions, control as much as 10% of the namespace.

And a choice quote from the article:

this study shows that DNS has complex dependencies, where a vulnerability in an obscure DNS server may have far reaching consequences. For example, the domain <example.gov> indirectly depends on a server belonging to <example.com>, which is vulnerable to four well-known exploits. A malicious agent can easily compromise that server, use it to hijack additional domains, and ultimately take control of <example agency's> namespace.

davezan

8:23 pm on Apr 26, 2006 (gmt 0)

10+ Year Member



And when you have majority of domain owners not giving a damn to understand these things, well...things get even more complex.

jtara

9:45 pm on Apr 26, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



And when you have majority of domain owners not giving a damn to understand these things

It's the "good enough" syndrome.

In order to overcome sales resistance, web hosting companies, and then registrars, include DNS services as a "free" service, hiding as much of the messy details as possible. Never mind that these free solutions are often less than robust and lack flexibility.

It's "good enough" to get your web site up, kinda-works for 90+% of web sites, and requires nothing more from the webmaster than to know the name of the domain that they want.

It seems an attractive alternative to learning a bunch of arcane details.

But it leaves a majority of webmasters with little or no understanding of how the domain name system works, and thus unable to fully take advantage of it, while at the same time reduces any demand to improve the system. (By, say, cleaning-up some of the arcane details, setting standards for web-based administration, etc.)

The latter is a particular problem - user interfaces for configuring DNS vary widely, and providers have taken liberties with terminology. At one time, you had to know BIND to configure DNS. It certainly was arcane (yes, I know I've used that word 3 times...) but it was the same everywhere.

 

Join The Conversation

Moderators and Top Contributors

Hot Threads This Week

  1. Home
  2. Forums Index
  3. WebmasterWorld / Domain Names 11:00 am Apr 26, 2026