Digital Ocean DNS is Susceptible to Domain Squatting


I’ve run about 10 websites on Digital Ocean over the last 10 years.

Last year I took down a website from Digital Ocean App Platform. I destroyed the instance, but left the DNS records for the domain using Digital Ocean’s nameservers.

I guess an attacker noticed that the DNS was still using Digital Ocean’s nameservers but wasn’t serving up a page.

I removed the domain from my Digital Ocean account.

The attacker added the domain to their account, and was able to redirect the domain that I own to their own website.

I didn’t notice for a while, but eventually I changed the DNS. Then I decided to re-register the domain on Digital Ocean.

That’s when I realized how they hijacked my domain.

I couldn’t add the domain to my account. Since domains are unique, Digital Ocean only allows one account to register a domain, which makes sense.

But I own the domain!

So I contacted support; they responded pretty quickly and made me verify my ownership of the domain. After that they removed the domain from the other account and I could use it.

But during this process, I wish it had been more obvious that my domain was being hijacked.

I can understand that they want no friction when adding new domains, to have easy onboarding for less technically sophisticated users. But I would propose the following changes to better secure Digital Ocean from this kind of attack:

  1. Require any domain that has previously used Digital Ocean to verify before being added to a new account.

  2. If you try to add a domain to your account, make it clear that the domain is in another user’s account and provide a link to the process to claim the domain.

Ideally, services should not let you use a domain with them until you verify ownership via a TXT record.

When a service acts as a steward for DNS redirects, it should be responsible for preventing hijacking via verified domain ownership.
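The two proposals above and the TXT-record check, modelled as an added example (this is not Digital Ocean’s code): a toy provider-side registry that attaches a never-seen domain without friction, but makes any domain that has ever been on the platform pass a TXT challenge before it moves to another account. The `_do-ownership` label and `do-verify=` prefix are constructed for the example, and the DNS lookup is injected so it runs offline.

```python
import hmac
import secrets

# Constructed label and value prefix; a real provider would pick its own.
VERIFY_LABEL = "_do-ownership"
TOKEN_PREFIX = "do-verify="

def canon(domain):
    """Lower-case, no trailing dot, so Example.COM. cannot dodge the 'seen' check."""
    return domain.lower().rstrip(".")

class DomainRegistry:
    """Provider-side rule: a domain that has ever been here only moves to an account after a TXT challenge."""

    def __init__(self, lookup_txt):
        self._lookup_txt = lookup_txt  # injected resolver: name -> list of TXT strings
        self.owner = {}     # domain -> account currently holding it
        self.seen = set()   # every domain that has ever been added
        self._pending = {}  # (domain, account) -> outstanding challenge value

    def add_domain(self, domain, account):
        """Returns 'added', 'claimed' (held by another account) or 'verify' (used here before)."""
        domain = canon(domain)
        if domain not in self.seen:
            self.seen.add(domain)
            self.owner[domain] = account
            return "added"
        holder = self.owner.get(domain)
        return "claimed" if holder and holder != account else "verify"
    def remove_domain(self, domain, account):
        domain = canon(domain)
        if self.owner.get(domain) == account:
            del self.owner[domain]  # deliberately stays in self.seen
    def issue_challenge(self, domain, account):
        domain = canon(domain)
        value = TOKEN_PREFIX + secrets.token_urlsafe(24)
        self._pending[(domain, account)] = value
        return value  # publish this as TXT at VERIFY_LABEL.<domain>
    def verify(self, domain, account):
        domain = canon(domain)
        expected = self._pending.get((domain, account))
        if expected is None:
            return False
        records = self._lookup_txt(f"{VERIFY_LABEL}.{domain}")
        if not any(hmac.compare_digest(rr.encode(), expected.encode()) for rr in records):
            return False
        self.owner[domain] = account  # proven control: move it, evicting any holder
        del self._pending[(domain, account)]
        return True
```

The "claimed" result is where proposal 2 would show the link to the claim process; the "verify" result is proposal 1, which blocks the takeover described in the post.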
