How I hijacked the top-level domain of Congo, .cd

Not the first issue with the Congolese ccTLD. Enjoy the read:

How I hijacked the top-level domain of a sovereign state

Note: This issue has been resolved and the .cd ccTLD no longer sends NS delegations to the compromised domain.

TL;DR: Imagine what could happen if the country-code top-level domain (ccTLD) of a sovereign state fell into the wrong hands. Here’s how I (@Almroot) bought the domain name used in the NS delegations for the ccTLD of the Democratic Republic of Congo (.cd) and temporarily took over 50% of all DNS traffic for the TLD that could have been exploited for MITM or other abuse.


https://labs.detectify.com/2021/01/15/how-i-hijacked-the-top-level-domain-of-a-sovereign-state/

 

A rookie mistake by TLD.
It's 2021, and people still let important domains drop...

 

Crazy. There are some smart dudes out there. Sentries of countries and their Internets. Never really thought about it before, but nameservers have to be valid domains as well.

I imagine this kind of negligence might be in part due to the name being overlooked for renewal because of its non-appeal. Someone in billing was like, "why would we own this? Eh, not important".

Interestingly, the nameservers they moved to was the same name but in the .net TLD, and reg'd in 2019.

A way around never forgetting to renew is having a custom nameserver using the same domain name I suppose. Having multiple nameservers in a couple of different TLDs adds a layer of redundancy too.

 

It's also never a good idea to list your nameserver domain for a BIN price on a sales platform.

If it sells, you could instantly lose hosting for domains and all your emails accounts.

 

But I mean... who would do this?

If you're using the domain for something that important, why would you even have it listed for sale?

 

In the real world mistakes happen all the time.

 

The same person who forgot to renew their nameserver domain?

You never know... it's worth stating the obvious sometimes

 

What people are ignoring is that he wasn't ethical enough to report the expiring name server and instead exploited it by registering it. I know possibly he wasn't aware but being a co-founder of a company which deals in cybersecurity, he should have been aware of the SOP of how vulnerabilities are discovered and reported. Very careless act.

If he was supposed to be acting in good faith, why not alert the authorities (IANA) first as it could be a major incident if someone was able to drop catch it before it was finally available for registration again?

Cheers

 

"In the end, the Congolese government didn’t bother asking for the domain back. It spun up an entirely new but similarly named domain — scpt-network.net — to replace the one now in Almroth’s possession.

We reached out to the Congolese authorities for comment but did not hear back."

https://techcrunch.com/2021/01/15/congo-comandeered/

 

Lol I glossed over that but now realized he could've sent what may have perceived to be an outbound sales email lol

 

like my comment,

if you read all but didn't understand anything because we dont know what are these & why!!!!

 

cloudflare.com = domain + using for their own ns + used for millions others ns = We Shall Not Let This Expire or Bad Things Might Happen

 

Yeah, it amazes me they create a single point of failure for every single user. Why they don't use at least one additional TLD, preferably not verisign operated, for their DNS is beyond me.

Always a good thing, like you mentioned earlier in this thread.

 

ty