The Dangers of DNS Hijacking
- by nlqip
Introduction
You know the saying, right? “It’s always DNS” (unless it’s BGP, but I digress). Back in 2017 we covered just how the Domain Name System (DNS) is the Achilles heel of the internet, and things haven’t improved much in the subsequent years.
When we think of DNS failures we often think of a widespread DNS outage or a misconfiguration that leads to site outage, slow performance, app failures, and email delivery problems. But there are other slightly less common, yet equally disruptive, ways that DNS-related nuances can cause severe issues. We explore one of the more devastating scenarios here, so buckle up!
The fact that (almost) everything on the internet begins with a DNS query means that some unexpected situations can arise with greater frequency than one might expect, extending beyond the “typical” DNS issues we’re used to. Recently, an article by WatchTowr illustrated just how easy it was for them to gain control over the .mobi Top Level Domain (TLD), highlighting a lesser-known weakness in the DNS infrastructure that could impact any organization.
The .mobi TLD Hijack
WatchTowr’s story is eye-opening and provides a perfect example of how expired domains can turn into attack vectors. The issue started when the .mobi TLD switched its WHOIS server to a new domain (whois.nic.mobi) in 2023 but failed to renew its old domain (whois.dotmobiregistry.net), allowing it to expire in December. WatchTowr found the expired domain, purchased it, and set up a WHOIS server behind the whois.dotmobiregistry.net hostname to see what might happen. Within five days, their new server had received over 2.5 million queries from 130,000 unique systems, including governmental, military, and cyber security organizations.
But this scenario isn’t unique. Failing to renew old domains or manage DNS records can expose any organization to similar consequences. There are some crucial reasons why it’s critical to stay on top of DNS and expired domains—and some examples of what could go wrong if you don’t.
Why Domain Expiry and DNS Monitoring Matter
While DNS hijacking is nothing new, it is rarely considered to be the most pressing cybersecurity concern that businesses face. Yet, due to the absolute reliance many applications, services, and protocols have on DNS, there are a wide range of attack scenarios that are presented to attackers when DNS is not tightly controlled.
The following scenarios are examples of how DNS can be used for illegitimate purposes. Many of these techniques are covered in the MITRE ATT&CK entry Acquire Infrastructure: Domains (T1583.001).
Man-in-the-Middle (MitM) Attacks and Impersonation
If an attacker gains control over an expired domain, they can intercept communications or impersonate services and users. Imagine that a company moves to a new domain but neglects to renew their old one, which previously hosted a customer support portal. If an attacker acquires the old domain, they can set up a replica support portal and intercept credentials, sensitive information, or communications from customers who aren’t aware of the change.
Example: In 2016, the United Kingdom’s National Health Service (NHS) faced this issue when attackers hijacked an old domain previously used by the NHS Direct helpline. Patients and doctors inadvertently sent sensitive information to the new owner of the domain, compromising medical data privacy.
Certification Process Manipulation
Similar to the .mobi scenario, Certificate Authorities (CAs) often rely on WHOIS data to verify domain ownership. If an attacker gains control of an expired domain linked to a TLD, they could trick CAs into issuing legitimate SSL/TLS certificates for subdomains. With these certificates, attackers could set up websites that appear secure and genuine, facilitating phishing attacks or injecting malicious software.
Example: In 2021, security researchers discovered a vulnerability where an attacker took control of an expired domain linked to the .cm TLD (for Cameroon) and was able to generate fraudulent TLS certificates for popular subdomains. This allowed them to create credible phishing sites that spoofed banks and social media platforms.
Dependency Hijacking for APIs and Integrations
Many applications rely on DNS records for API calls or third-party integrations. If a DNS record points to an expired domain, an attacker who takes over that domain could potentially hijack the data exchange or manipulate the API responses, impacting services that depend on these integrations.
Example: In 2017, the domain previously used for the “PyPI” repository for Python packages was expired and taken over by an attacker. Thousands of Python developers unknowingly connected to a malicious domain that could inject altered or malicious code into their projects. This dependency hijack highlighted the dangers of not maintaining domains associated with critical APIs and open-source dependencies.
Email Hijacking via MX Records
DNS records also manage mail exchange (MX) servers. If a domain with MX records expires, it could allow an attacker to intercept emails sent to that domain. Organizations that rely on old domains for their communications or customer support are especially vulnerable to this type of email hijacking, potentially allowing attackers to intercept sensitive communications or manipulate official correspondences.
Example: In 2014, the Canadian government faced a breach when an old domain, formerly used for governmental email accounts, was allowed to expire. Attackers acquired the domain, intercepting emails that contained sensitive government information, and the breach had to be addressed at a high level to mitigate further privacy risks.
Persistent Security Risks Through Legacy DNS Records
Sometimes, organizations overlook the fact that even if they stop using a domain, legacy DNS records remain in the configuration. Attackers who acquire an expired domain can leverage these DNS records to infiltrate internal networks, exploit CNAME and subdomain connections, or even escalate privileges within interconnected systems.
Example: In 2020, IBM’s “developerWorks” portal was decommissioned, but the associated domain wasn’t immediately renewed. Attackers quickly gained control over some subdomains through CNAME records, setting up malicious payloads that impacted IBM’s network until the issue was detected and resolved. This case demonstrated how legacy DNS records could be exploited long after a service is taken offline.
Ensuring Robust DNS and Domain Hygiene
Domain name hijacking is rarely accidental, and it is rarely done by security researchers. Services such as expireddomains.net or justdropped.com handily list all expired and soon-to-expire domains, making it simple for threat actors to snap up domains for future misuse.
It’s not all doom and gloom, though, as there are recognized practices that will help mitigate DNS-related vulnerabilities:
Renew Old Domain Names Regularly
Set up reminders and internal processes to track and renew owned domains, even if they aren’t in active use, to prevent attackers from acquiring them.
Audit DNS Records Frequently
Regularly review DNS records and CNAMEs, especially those that point to external resources, to ensure they’re still necessary and properly configured.
Use DNS Monitoring Tools
Deploy tools to monitor DNS records and flag unusual activity. Many DNS monitoring solutions will alert you to expired domains or point out records that may pose risks due to outdated links.
Implement WHOIS and Certificate Verification Monitoring
Regularly check WHOIS information associated with your domains and monitor for any certificate issuance under your domain names. This can help detect potential hijacks or improper verification processes involving your domains.
Educate Your Organization
Emphasize the importance of DNS and domain management across your IT and security teams. Highlight that DNS is more than just a connectivity tool—it’s a security layer, too.
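The audit steps above (renew owned domains, review CNAME and MX records that point at external resources, watch for lapsing registrations) can be turned into a repeatable check. The script below is an added example and is not part of the original post or any tool it mentions. It parses a small constructed BIND-style zone fragment, flags CNAME/MX targets that no longer resolve (the "dangling record" case behind subdomain takeovers) and flags external target domains whose registration has lapsed or is about to. The resolver and the expiry table are injected stand-ins for live DNS and WHOIS lookups so that it runs offline; the registrable-domain rule (last two labels) is a deliberate simplification and should be replaced by a Public Suffix List lookup in real use.

```python
"""DNS hygiene audit: dangling CNAME/MX targets and expiring external domains.

Added example; the zone, resolver answers and expiry dates are all constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, List

# Constructed zone fragment for a fictional organisation (not real data).
SAMPLE_ZONE = """
$ORIGIN example.com.
support    300 IN CNAME  portal.legacy-vendor.net.        ; old support portal
www        300 IN A      198.51.100.10
@          300 IN MX     10 mail.example.com.
@          300 IN MX     20 mx.old-mailhost.org.          ; backup MX at a third party
api        300 IN CNAME  api.example.com.
dev        300 IN CNAME  app-1234.hosted-paas.example.net. ; PaaS tenant, decommissioned
"""

# Constructed stand-in for WHOIS expiry data, keyed by registrable domain.
SAMPLE_EXPIRY: Dict[str, date] = {
    "legacy-vendor.net": date(2025, 1, 20),  # already lapsed relative to TODAY
    "old-mailhost.org": date(2025, 3, 15),   # lapses within the warning window
    "example.net": date(2027, 6, 1),
}
TODAY = date(2025, 3, 1)  # fixed "now" so the example is deterministic


@dataclass(frozen=True)
class Record:
    owner: str   # fully qualified owner name, no trailing dot
    rtype: str   # CNAME, MX or NS
    target: str  # fully qualified hostname the record points at


@dataclass(frozen=True)
class Finding:
    owner: str
    kind: str     # "dangling", "expired", "expiring" or "no-expiry-data"
    subject: str  # the hostname or registrable domain the finding concerns


# Only record types whose rdata names another host are audited here.
RR_LINE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?(CNAME|MX|NS)\s+(.+)$")


def qualify(name: str, origin: str) -> str:
    """Turn a zone-file name into a lower-case FQDN without the trailing dot."""
    name = name.lower()
    if name == "@":
        return origin
    if name.endswith("."):
        return name.rstrip(".")
    return f"{name}.{origin}" if origin else name


def parse_zone(text: str) -> List[Record]:
    origin = ""
    records: List[Record] = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".").lower()
            continue
        m = RR_LINE.match(line)
        if not m:
            continue  # A/AAAA/TXT rows carry no hostname to follow
        owner, rtype, rdata = m.groups()
        target = rdata.split()[-1]  # MX rdata is "<pref> <host>"; CNAME/NS is "<host>"
        records.append(Record(qualify(owner, origin), rtype, qualify(target, origin)))
    return records


def registrable_domain(host: str) -> str:
    # ASSUMPTION: last two labels. Real code must consult the Public Suffix List
    # (co.uk, com.au, ...) or it will mis-group such names.
    return ".".join(host.split(".")[-2:])


def audit(records: List[Record], origin: str, resolves: Callable[[str], bool],
          expiry: Dict[str, date], today: date, warn_days: int = 30) -> List[Finding]:
    findings: List[Finding] = []
    for r in records:
        if not resolves(r.target):
            findings.append(Finding(r.owner, "dangling", r.target))
        if r.target == origin or r.target.endswith("." + origin):
            continue  # our own zone; registration lapse is a concern for external targets
        dom = registrable_domain(r.target)
        exp = expiry.get(dom)
        if exp is None:
            findings.append(Finding(r.owner, "no-expiry-data", dom))
        elif exp < today:
            findings.append(Finding(r.owner, "expired", dom))
        elif exp - today <= timedelta(days=warn_days):
            findings.append(Finding(r.owner, "expiring", dom))
    return findings


def run_sample() -> List[Finding]:
    """Run the audit against the constructed zone with a fake resolver."""
    known_hosts = {"www.example.com", "mail.example.com", "api.example.com",
                   "mx.old-mailhost.org"}  # what our stand-in resolver can answer
    records = parse_zone(SAMPLE_ZONE)
    return audit(records, "example.com", lambda h: h in known_hosts, SAMPLE_EXPIRY, TODAY)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.kind:15} {f.owner:22} -> {f.subject}")
```

In production the `resolves` callable would wrap a real DNS lookup and `expiry` would be populated from registrar or WHOIS/RDAP data; the structure stays the same. The two "dangling" findings are the ones to act on first, because a target that no longer resolves under a third party's control is exactly the record an attacker can re-create by registering the lapsed name or claiming the abandoned tenant.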
Is It Really “Always DNS”?
In many cases, yes—DNS plays a foundational role in the direction, management, and indeed validation of internet traffic. Its vulnerabilities stem from the essential, yet often overlooked nuances of DNS and domain management. As these examples illustrated, DNS-related issues can range from simple misconfigurations that cause outages to severe security breaches that jeopardize sensitive information, facilitate phishing, or enable malicious actors to impersonate trusted services.
The reason DNS often seems to be at the heart of issues is its unique position as the starting point for nearly all internet activity. As we stated at the outset: DNS doesn’t just connect users to websites. When we neglect DNS records, leave them unmonitored, or improperly secured, they become weak links that attackers will exploit in creative and damaging ways.
Moreover, as organizations grow and evolve, they accumulate numerous DNS records and domains, which can be challenging to track and maintain. The risk of DNS-based attacks becomes even higher when these domains and records go unmanaged or forgotten, as attackers can seize on any lapse to execute sophisticated attacks. Cases like the WatchTowr .mobi TLD takeover demonstrate how an oversight as simple as a forgotten domain renewal can lead to significant, large-scale security risks with real-world consequences.
Ultimately, while it’s “always DNS” in the sense that DNS underpins so much of internet traffic, it’s not always DNS’s “fault” in the conventional sense. Most DNS-related vulnerabilities arise from a lack of proactive management rather than flaws in the DNS protocol itself. By staying vigilant with DNS and domain hygiene, organizations can significantly reduce these risks, making DNS a powerful ally rather than a hidden threat in the chain of internet communications.