Digital Ocean DNS is Susceptible to Domain Squatting
I’ve run about 10 websites on Digital Ocean over the last 10 years.
Last year I took down a website from Digital Ocean App Platform. I destroyed the instance, but left the DNS records for the domain using Digital Ocean’s nameservers.
I guess an attacker noticed that the DNS was still using Digital Ocean’s nameservers but wasn’t serving up a page.
I removed the domain from my Digital Ocean account.
The attacker added the domain to their account, and was able to redirect the domain that I own to their own website.
I didn’t notice for a while, but eventually I changed the DNS. Then I decided to re-register the domain on Digital Ocean.
That’s when I realized how they hijacked my domain.
I couldn’t add the domain to my account. Since domains are unique, Digital Ocean only allows one account to register a domain. Which makes sense.
But I own the domain!
So I contacted support. They responded pretty quickly, and they made me verify my ownership of the domain. After that they removed the domain from the other account and I could use it.
But during this process, I wish it would have been more obvious that my domain was being hijacked.
I can understand that they want no friction to adding new domains to have easy onboarding for less technically sophisticated users. But I would propose the following changes to better secure Digital Ocean from this kind of attack:
- Require any domain that has previously used Digital Ocean to verify before being added to a new account.
- If you try to add a domain to your account, make it clear that the domain is in another user’s account and provide a link to the process to claim the domain.
Ideally, services should not let you use a domain with them until you verify ownership via a TXT record.
When a service acts as a steward for DNS redirects, they should be responsible to prevent hijacking via verified domain ownership.
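The TXT-record check proposed above could look like the following sketch. It is an added example, not Digital Ocean's code or anything from the original post; the record prefix, the secret, the `ZoneRegistry` class and the `lookup_txt` resolver are hypothetical, and the DNS data is constructed. It assumes TXT answers come from DNS that only the registrant can edit.

```python
import hashlib
import hmac

SERVICE_SECRET = b"constructed-demo-secret"  # assumption: secret held by the hosting service
TXT_PREFIX = "dns-host-verify="              # hypothetical record format

def normalize(domain):
    return domain.lower().rstrip(".")

def challenge_for(account_id, domain):
    """Value the account must publish; bound to both the account and the domain."""
    msg = f"{account_id}|{normalize(domain)}".encode()
    return TXT_PREFIX + hmac.new(SERVICE_SECRET, msg, hashlib.sha256).hexdigest()

class ZoneRegistry:
    """Toy model of a DNS host that only attaches a domain after a TXT proof."""

    def __init__(self, lookup_txt):
        self.lookup_txt = lookup_txt  # hypothetical resolver: name -> list of TXT strings
        self.owner = {}               # domain -> account currently holding the zone

    def add_domain(self, account_id, domain):
        domain = normalize(domain)
        if self.owner.get(domain) == account_id:
            return "already-added"
        expected = challenge_for(account_id, domain).encode()
        records = self.lookup_txt(domain)
        proven = any(hmac.compare_digest(expected, r.strip().encode()) for r in records)
        if not proven:
            # Say why the request failed, as the second proposal in the list asks.
            if domain in self.owner:
                return "held-by-another-account: publish the TXT challenge to claim it"
            return "verification-required"
        self.owner[domain] = account_id  # a verified claim replaces any previous holder
        return "added"

def demo():
    txt = {}  # constructed stand-in for public DNS, editable only by the registrant
    reg = ZoneRegistry(lambda name: txt.get(name, []))
    results = [reg.add_domain("squatter", "example.com")]      # no TXT record published
    txt["example.com"] = [challenge_for("owner", "example.com")]
    results.append(reg.add_domain("squatter", "example.com"))  # owner's token does not fit
    results.append(reg.add_domain("owner", "Example.com."))    # proof matches this account
    results.append(reg.add_domain("squatter", "example.com"))  # now held by the owner
    return results, reg.owner
```

Because the challenge is derived from both the account and the domain, a token published for one account cannot be reused by another account to attach the same domain.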