Several news items were released this week around a misconfiguration in domains using authoritative DNS providers called “Sitting Ducks.” In this misconfiguration, domains are delegated to a managed authoritative DNS provider, and either the zone is never set up, or the domain owner fails to renew their services with the provider. This results in a situation where the domain is not configured on the DNS provider, and the provider’s nameservers start to respond with NXDOMAIN or REFUSED responses for the domain. A subset of this attack involves subdomains that have also been delegated and not configured.
To exploit this misconfiguration, attackers identify a domain that has been delegated and not configured by the authoritative DNS provider. They then get an account on the authoritative DNS provider and configure the domain with resource records. This effectively hijacks the domain and puts it under the attacker’s control. This is compounded by the fact that since the domain was not operational previously, this hijack has a low chance of being detected by the domain owner or the authoritative DNS provider.
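The check a domain owner can run for the condition described above, as an added example that is not Vercara’s or any cited researcher’s tooling: query each nameserver the domain is delegated to directly for the zone apex SOA and inspect the response header. A nameserver that answers REFUSED, NXDOMAIN or SERVFAIL is not hosting the zone, so the delegation is dangling and the name is a Sitting Ducks candidate. The domain and nameserver address in the usage line are placeholders; the packet builder and parser use only the standard library.

```python
"""Dangling-delegation check (added example, not a Vercara tool)."""
import socket
import struct
import sys

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
TXID = 0x1234  # fixed for the example; use a random id in real use


def build_soa_query(name: str) -> bytes:
    """Minimal DNS query: one question, type SOA (6), class IN (1), RD clear."""
    header = struct.pack("!HHHHHH", TXID, 0x0000, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 6, 1)


def parse_header(resp: bytes) -> dict:
    """Pull out the fields a delegation check needs: AA bit, RCODE, ANCOUNT."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    rcode = flags & 0x000F
    return {"txid": txid, "aa": bool(flags & 0x0400),
            "rcode": RCODES.get(rcode, str(rcode)), "answers": an}


def classify(hdr: dict) -> str:
    """Classify one nameserver's answer for the zone apex SOA."""
    if hdr["aa"] and hdr["rcode"] == "NOERROR" and hdr["answers"] > 0:
        return "hosted"      # nameserver serves the zone authoritatively
    if hdr["rcode"] in ("REFUSED", "NXDOMAIN", "SERVFAIL"):
        return "dangling"    # delegated here, but the zone is not configured
    return "unexpected"      # e.g. NOERROR without AA: not an authoritative answer


def query_nameserver(domain: str, ns_ip: str, timeout: float = 3.0) -> dict:
    """Send the SOA query over UDP and parse the header (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_soa_query(domain), (ns_ip, 53))
        resp, _ = s.recvfrom(512)
    hdr = parse_header(resp)
    if hdr["txid"] != TXID:
        raise ValueError("transaction id mismatch")
    return hdr


if __name__ == "__main__":
    # usage: python check.py example.com 192.0.2.53   (placeholder values)
    print(classify(query_nameserver(sys.argv[1], sys.argv[2])))
```

Run it once per nameserver in the parent-side delegation; any "dangling" result for a third-party provider is the condition the articles describe and should be fixed at the registrar or by configuring the zone.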
There were three initial posts on Sitting Ducks:
- https://blogs.infoblox.com/threat-intelligence/who-knew-domain-hijacking-is-so-easy/
- https://eclypsium.com/blog/ducks-now-sitting-dns-internet-infrastructure-insecurity/
- https://krebsonsecurity.com/2024/07/dont-let-your-domain-name-become-a-sitting-duck/
The evolution of the Sitting Ducks vulnerability
This is not a new attack technique. In the posts, researchers cite prior vulnerability notifications from 2016. Additional research was done by an individual who tested the technique on a variety of authoritative nameservers to determine if they were vulnerable to this technique. UltraDNS was found to not be vulnerable for reasons we will discuss later.
The latest development is that the attack is being used by specific threat actor groups. In the research cited, attackers were able to hijack domains and configure them to be used in phishing attacks, as command and control for malware, or to run beacons for hacking tools such as Cobalt Strike.
UltraDNS and the Sitting Ducks vulnerability
As one of the largest managed authoritative DNS providers, we have been asked questions about this, such as:
- Is UltraDNS vulnerable to this attack?
- How is UltraDNS protected from this attack?
- Does Vercara have any tools that can help to prevent, detect, or correct domain hijacks using this technique?
- What other resources does Vercara provide around Sitting Ducks and dangling nameserver delegations?
UltraDNS is Vercara’s authoritative DNS platform. UltraDNS has two key features to minimize the likelihood of a domain being hijacked. The first one is that we assign customers to a pool of nameservers (e.g., pdns196.ultradns.com) that are dynamically assigned when a customer adds a domain. The customer then goes to the registrar to change the domain nameservers to the ones that were assigned. To hijack a domain, the attacker would have to add the domain and be provisioned with the same nameservers as the delegation for the domain.
The second one is that we initiate a validation process to identify that the domain is owned by the customer and that it has been delegated correctly. As part of this process, we check that all the domain’s assigned nameservers have been delegated correctly. Until a domain has been validated, we will respond to queries with a REFUSED response code, making the domain effectively suspended.
How Vercara can help
UltraDNS provides several tools to help domain owners. For domains set up on UltraDNS, we provide a DNS Health Check Tool, which tests for delegated subdomains that can be hijacked in this manner.
For other domains that do not use UltraDNS, we have a subset of the same checks as in DNS Health Check in a public-facing tool.
Vercara operates a Protective DNS service called UltraDNS Detection and Response that functions as a filtering DNS resolver. It analyzes DNS queries and all the supporting infrastructure the domain and FQDN depend on to identify and block malware, phishing, and other attacks. It blocks malicious domains after they have been hijacked using the Sitting Ducks technique.
Other resources
There are other resources that can help outside of what Vercara provides.
Our friends at the Shadowserver Foundation operate a notification system where organizations can register their domains, network blocks, and other infrastructure information. Once registered, organizations will be notified of Sitting Ducks and other vulnerabilities, misconfigurations, and attacks coming from their networks.
Our friends at Hyas and Silent Push aggregate and analyze domain information and have analysis platforms that can help you search for domains that you own that are Sitting Ducks. Additionally, these platforms can help Security Operations Center analysts find other related attacks, such as phishing and malware command and control.
Our team is here to help
As always, if customers or anyone else have questions or concerns, they can contact Vercara through their account team or the “Contact Us” form on our website.