A Mistake Made By .io Registrar Highlights Problems With Vanity Domains
Researcher Matthew Bryant was able to successfully take over the entire .io TLD after a slip-up by its operating registry left authoritative nameservers – a vital part of the DNS system which controls where requests are routed – freely available.
The mistake was noticed by Bryant earlier this month while he was scanning DNS servers (he has a history of finding security vulnerabilities in other TLDs). Unexpectedly, he found that one of .io’s authoritative nameservers was available to register. Authoritative nameservers are the DNS servers that control resolution of every domain in a given zone, in this case .io. Control of those servers essentially means complete control of the zone, because whoever runs them decides which IP address any domain under it resolves to.
Not only is that a major security vulnerability – because requests for LegitimateSite.io could be routed to any server while still appearing to be the correct domain – but this could also be used in a denial of service attack to make .io sites inaccessible.
Upon further investigation, Bryant was able to register the domains used by four of the seven authoritative nameservers for the .io TLD. Those domains had been available for weeks to anyone willing to pay the $90 fee. Once again we are lucky that researchers are looking more closely at internet infrastructure than criminals are.
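The failure described above is a "dangling delegation": a zone's NS records point at hostnames whose parent domain nobody holds. The check below is an added example written for this article; it is not Bryant's tooling or anything from Afilias or Internet Computer Bureau. It parses constructed `dig`-style NS output, derives the registrable domain of each nameserver hostname, and flags any that is unregistered or that does not resolve. The nameserver names, the registration set and the resolution set are all invented stand-ins for what a registry operator would obtain from WHOIS/RDAP and live DNS lookups.

```python
"""Audit a zone's NS delegation for 'dangling' nameservers: hostnames whose
registrable parent domain is unregistered, so that anyone registering it
could serve authoritative answers for the whole zone."""
from dataclasses import dataclass

# Constructed sample of `dig io. NS`-style output. The hostnames are invented
# for this example and are not the real .io nameservers.
SAMPLE_NS_RECORDS = """\
io.\t172800\tIN\tNS\tns-x1.io.
io.\t172800\tIN\tNS\tns-x2.io.
io.\t172800\tIN\tNS\ta0.nic-x.io.
io.\t172800\tIN\tNS\tb0.nic-x.io.
io.\t172800\tIN\tNS\tns3.other-registry.example.
"""

# Constructed registration and resolution data, standing in for WHOIS/RDAP
# lookups and live A/AAAA queries respectively.
REGISTERED = {"ns-x1.io", "nic-x.io", "other-registry.example"}
RESOLVABLE = {"ns-x1.io", "a0.nic-x.io", "ns3.other-registry.example"}


@dataclass(frozen=True)
class Finding:
    nameserver: str
    base_domain: str
    reason: str


def parse_ns_records(text):
    """Extract nameserver hostnames from zone-file / dig style NS lines."""
    hosts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[2] == "IN" and fields[3] == "NS":
            hosts.append(fields[4].rstrip(".").lower())
    return hosts


def base_domain(hostname, zone):
    """Return the registrable domain that controls `hostname`.

    Inside `zone` (assumed to be a TLD) that is the single label directly
    below the zone plus the zone itself, e.g. 'a0.nic-x.io' -> 'nic-x.io'.
    For out-of-zone hosts this example assumes the last two labels; a real
    audit would consult the Public Suffix List instead.
    """
    host = hostname.rstrip(".").lower()
    zone = zone.strip(".").lower()
    if host.endswith("." + zone):
        labels = host[: -len(zone) - 1].split(".")
        return f"{labels[-1]}.{zone}"
    return ".".join(host.split(".")[-2:])


def audit_delegation(zone, nameservers, registered, resolvable):
    """Report nameservers whose parent domain is unregistered, or which are
    registered but do not resolve (a lame delegation worth fixing too)."""
    findings = []
    for ns in nameservers:
        base = base_domain(ns, zone)
        if base not in registered:
            findings.append(Finding(ns, base, "unregistered: anyone could register it"))
        elif ns not in resolvable:
            findings.append(Finding(ns, base, "registered but hostname does not resolve"))
    return findings


def run_sample():
    """Run the audit over the constructed sample data."""
    return audit_delegation("io", parse_ns_records(SAMPLE_NS_RECORDS),
                            REGISTERED, RESOLVABLE)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.nameserver:30} {f.base_domain:25} {f.reason}")
```

Run against the sample it reports `ns-x2.io` as unregistered (the situation the article describes) and `b0.nic-x.io` as registered but non-resolving. A registry or any organisation running its own nameservers can schedule the same comparison against real WHOIS/RDAP and DNS data so that a domain used by a nameserver is never allowed to lapse or, as happened here, be left open for registration after a transition.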
The error has highlighted just how much trust and vulnerability lies with registries, a fact often ignored when we choose to use “vanity” domains, which are often operated by smaller and – in this case – poorly managed registries.
Officially, .io is a ccTLD, or Country Code Top-Level Domain, intended to be used by the Chagos Archipelago in the Indian Ocean. However, it has become popular amongst tech-related services and companies due to its similarity to “I/O,” which means Input/Output.
Domains that incorporate the TLD to spell a word or appeal to a niche are known as “vanity” domains. Libya’s .ly TLD is probably the most popular vanity TLD, known for sites such as Bit.ly and Owl.ly.
.Ly has also had its own problems – the realities of being operated by an oppressive regime at war have tempered the popularity of its ‘fun’ TLD. .Sy, operated by Syria, was also a popular vanity domain until it became a violation of US law to pay for them.
As for .io, the nameservers became available after Internet Computer Bureau, the company given legal authority to operate the .io domain, outsourced most of the operation to another company, Afilias, which specializes in managing TLDs.
Afilias told The Register that “ordinarily, when a TLD transitions to the Afilias system, 100 per cent of the DNS is also moved to Afilias nameservers.” However, in this case, Internet Computer Bureau held onto operation of the nameservers, and Afilias did not properly mark all of those domains as unavailable.
In 2014, Paul Kane, Director of Internet Computer Bureau, said that they had been given the rights to operate .io “more or less indefinitely, unless we make a technical mistake.” This certainly counts as a technical mistake, but maybe they will be given another shot since no harm was done.