dnsregistrar

is there any scenario where an attacker could transfer or do something to my domain WITHOUT having access to my registrar panel?


My domain registrar gives me the option of locking my domain as a security feature to prevent unauthorized transfers and stuff like that.

I thought the only way to do unauthorized transfers was if the attacker has access to my account on the registrar... but in that case he also can unlock the domain, so at the end of the day I don't understand what the utility of domain locking is... I mean... if the only way he could do something is having access to my registrar panel, then he also can unlock the domain before doing transfers and stuff. :-/

So my question is, is there any scenario where an attacker could transfer or do something to my domain WITHOUT having access to my registrar panel and the only way to prevent it is having the registrar-locking activated?

Thanks


Solution

  • There could be several attack vectors, including but not limited to privilege escalation, DNS exploit, SSH and so on. I'll cover two classical measures taken to protect (at least a little) a DNS zone. This answer is mainly for future reference since I neither know which registrar you are using nor how it protects its domains. My reference DNS server here is Bind, but the same logic applies to NSD, Unbound and the rest.

    The first thing is the transfer of a zone using an AXFR / IXFR request. This is done using a simple "dig @[dns_ip] [dns_zone_name] AXFR" (the IXFR query needs an additional serial parameter but is the same kind of query). To block these, ensure that your DNS server uses the following statement:

    allow-transfer { none; }; (1)

    Note that if you use slave DNS servers, you would have to put their IP addresses (or better, use keys to secure the transaction).

    The second possible kind of "attack" is updating the zone itself. This is easily blocked if you use the following statement:

    allow-update { none; }; (2)

    Use this kind of configuration only if you use your registrar's panel, because it will prevent DDNS updates. Like the allow-transfer statement, it is possible to use keys / IP addresses to have a fine-grained control over your update policy.

    These two statements are for the sake of the example, and there are many ways to configure a DNS server without having to use a web configuration panel.

    I hope this response was clear enough and helpful.

    1: http://www.zytrax.com/books/dns/ch7/xfer.html#allow-transfer

    2: http://www.zytrax.com/books/dns/ch7/xfer.html#allow-update
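The two statements above are easy to check for across a whole named.conf. The following is an added example, not code from the original answer: a small audit that walks every zone block in a constructed BIND configuration and reports zones where allow-transfer or allow-update is absent, opened to any, or (for updates) relies on a source address alone. The zone names, file names and the "xfer-key" TSIG key are constructed for the sample.

```python
import re

# Constructed named.conf fragment (not from the original post). One zone is
# hardened as the answer describes; the others show the weak patterns to catch.
SAMPLE_NAMED_CONF = '''
key "xfer-key" { algorithm hmac-sha256; secret "PLACEHOLDER_BASE64_SECRET"; };

zone "example.com" {
    type master; file "db.example.com";
    allow-transfer { any; };
};
zone "example.net" {
    type master; file "db.example.net";
    allow-transfer { key xfer-key; };
    allow-update { 192.0.2.10; };
};
zone "example.org" {
    type master; file "db.example.org";
    allow-transfer { none; };
    allow-update { none; };
};
'''

STMT_RE = re.compile(r'(allow-transfer|allow-update)\s*\{([^}]*)\}\s*;')

def zone_blocks(conf):
    """Yield (zone_name, body) for each zone statement, matching braces by depth."""
    for m in re.finditer(r'zone\s+"([^"]+)"[^{]*\{', conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {'{': 1, '}': -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]

def audit_zones(conf):
    """Return {zone: [findings]} for zones whose transfer/update ACLs are weak or absent."""
    findings = {}
    for name, body in zone_blocks(conf):
        acls = {k: v.replace(';', ' ').split() for k, v in STMT_RE.findall(body)}
        issues = []
        for stmt in ("allow-transfer", "allow-update"):
            acl = acls.get(stmt)
            if acl is None:
                issues.append(f"{stmt} not set in zone (inherits options/default)")
            elif "any" in acl:
                issues.append(f"{stmt} permits any host")
            elif stmt == "allow-update" and "none" not in acl and "key" not in acl:
                # Address-only update ACLs trust the source IP, which UDP does not authenticate.
                issues.append("allow-update is address-based only; prefer a TSIG key")
        if issues:
            findings[name] = issues
    return findings

if __name__ == "__main__":
    for zone, issues in audit_zones(SAMPLE_NAMED_CONF).items():
        print(zone, *issues, sep="\n  ")
```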