
dvzk | 1 year ago

I might misunderstand something here, but essentially, the authoritative DNS provider should only need to: (1) check for existing NS records upon registration, (2) never reassign a name server matching #1, and (3) refuse to serve DNS responses from non-assigned name servers.

It seems like the vulnerable providers either respond from or assign prior NS hosts, sometimes with a randomized lottery thrown in, which only reduces the takeover probability.


meowface | 1 year ago

I believe you are correct. This is how Cloudflare fixed the issue and how every other provider could fix it. Just may be (considered) a lot of work by providers that currently throw ns01.provider.com and ns02.provider.com at everyone.

Krebs's article also mentions it:

> What did DNS providers that have struggled with this issue in the past do to address these authentication challenges? The security firms said that to claim a domain name, the best practice providers gave the account holder random name servers that required a change at the registrar before the domains could go live. They also found the best practice providers used various mechanisms to ensure that the newly assigned name server hosts did not match previous name server assignments.
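The three provider-side checks dvzk lists, and the "random name servers that do not match previous assignments" practice meowface and the Krebs quote describe, as an added example that is not code from the thread or from any provider: the provider pool, hostnames and the stale-delegation scenario are constructed, and `legacy_assign` stands in for the weak "ns01/ns02 for everyone" behaviour.

```python
# Added example: a provider-side name-server assignment policy; all names are constructed.
import secrets

# Constructed pool of a hypothetical provider's authoritative name servers.
PROVIDER_POOL = [f"ns{i:02d}.example-dns.net." for i in range(1, 9)]

def _norm(name):
    """Normalise a hostname to lower case with a trailing dot."""
    return name.lower().rstrip(".") + "."

def legacy_assign(domain, pool=PROVIDER_POOL):
    """The weak behaviour: every account gets ns01/ns02, so a stale registrar
    delegation to those hosts immediately serves whoever claims the domain."""
    return pool[:2]

def assign_name_servers(domain, current_delegation, pool=PROVIDER_POOL,
                        count=2, rng=None):
    """Checks 1 and 2: look at the NS hosts the registrar currently delegates the
    domain to and hand out random name servers that match none of them, so the
    registrant must update the delegation before the zone can go live."""
    rng = rng if rng is not None else secrets.SystemRandom()
    stale = {_norm(ns) for ns in current_delegation}
    candidates = [ns for ns in pool if _norm(ns) not in stale]
    if len(candidates) < count:
        raise RuntimeError("pool exhausted; cannot avoid the stale delegation")
    return sorted(rng.sample(candidates, count))

def should_answer(domain, receiving_ns, assignments):
    """Check 3: answer for the zone only on a name server assigned to the account
    that claimed it; a query landing on a stale, unassigned host is refused."""
    assigned = assignments.get(_norm(domain), ())
    return _norm(receiving_ns) in {_norm(ns) for ns in assigned}

def claim_is_live(current_delegation, assigned):
    """True once the registrar's delegation points only at the assigned hosts."""
    return {_norm(ns) for ns in current_delegation} <= {_norm(ns) for ns in assigned}

if __name__ == "__main__":
    # Constructed scenario: a lapsed domain whose registrar still delegates to
    # the provider's ns01/ns02 even though the original account is gone.
    domain = "lapsed.example."
    stale_ns = ["ns01.example-dns.net.", "ns02.example-dns.net."]
    weak = legacy_assign(domain)
    safe = assign_name_servers(domain, stale_ns)
    print("legacy assignment serves immediately:", claim_is_live(stale_ns, weak))
    print("safe assignment needs a registrar change:", claim_is_live(stale_ns, safe))
    print("stale host refuses to answer:",
          not should_answer(domain, "ns01.example-dns.net", {domain: safe}))
```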