Researcher gained control of four of seven io domain name servers


Security researcher Matthew Bryant was able to register four of the .io domain's seven name servers, which would have allowed him to redirect DNS requests for every domain name under the TLD.

Bryant describes his findings in a blog post. He states that the consequences are serious, because there was a high chance that people would connect to his hijacked name servers. For example, he could have redirected visitors from a legitimate .io site to a malicious one. He explains that the .io TLD does use DNSSEC, so serving forged DNS answers would not work. However, support for the technology among providers is low, so in practice this would not have mattered much, according to Bryant.

He found that he could register the four name servers in question while enumerating several TLDs one Friday night. Via an API from the registrar Gandi, he received a notification that a number of .io name servers were available for registration. Because he had seen this before and it was usually a false alarm, he tried to register one of the servers for $90. Then, on Wednesday, he received a notification that his order had been approved and that his domains were active.

It turned out that he was indeed in control of the name server and was receiving requests from all over the world. As a first measure, he shut down his BIND server so that requests would be handled by the remaining servers. His first attempt to reach the administrator of the .io domain via the published contact details was unsuccessful. As an additional measure, Bryant then decided to register the other name servers as well. After a phone call he was given the correct contact address, and his orders were reversed the next day.

Bryant argues that even a quick response would not prevent all damage, as it often takes time for cached records to expire from the various resolvers.
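The root cause described above is a delegation that points at name server hostnames nobody owns. The following is an added example, not code from Bryant's post, of how a zone operator can audit its own NS set for that condition and estimate how much of its query traffic a dangling server would attract; the name server names and lookup answers are constructed, and the resolver is injected so the check runs offline.

```python
"""Audit a zone's NS delegation for name servers whose hostnames no longer
exist, the condition that let the .io name servers be registered."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# A lookup callable returns the address list for a hostname, or None when the
# name does not exist (NXDOMAIN). Wrap a real resolver (e.g. dnspython) in
# production; it is injected here so the audit runs offline.
Lookup = Callable[[str], Optional[List[str]]]

@dataclass
class NsFinding:
    nameserver: str
    status: str  # "ok", "no-address" (exists but no A/AAAA) or "nxdomain"

def audit_delegation(nameservers: List[str], lookup: Lookup) -> List[NsFinding]:
    """Classify each delegated name server by whether its hostname resolves."""
    findings = []
    for ns in nameservers:
        addrs = lookup(ns.rstrip(".").lower())
        if addrs is None:
            status = "nxdomain"    # hostname absent: registrable by a third party
        elif not addrs:
            status = "no-address"  # exists but unusable; still worth a ticket
        else:
            status = "ok"
        findings.append(NsFinding(ns, status))
    return findings

def hijack_exposure(findings: List[NsFinding]) -> float:
    """Share of the NS set that is dangling. Resolvers spread queries across all
    delegated servers, so this approximates the chance that a given lookup lands
    on a server an attacker could have registered."""
    if not findings:
        return 0.0
    return sum(f.status == "nxdomain" for f in findings) / len(findings)

# Constructed sample: seven delegated servers, four of whose hostnames return
# NXDOMAIN (the ratio from the .io incident; the names themselves are made up).
SAMPLE_NS = [f"ns-{c}.example-tld-dns.test." for c in "abcdefg"]
SAMPLE_ANSWERS: Dict[str, Optional[List[str]]] = {
    f"ns-{c}.example-tld-dns.test": [f"192.0.2.{i}"] for i, c in enumerate("abc")
}  # d, e, f and g are deliberately absent

def sample_lookup(name: str) -> Optional[List[str]]:
    return SAMPLE_ANSWERS.get(name)

if __name__ == "__main__":
    for f in audit_delegation(SAMPLE_NS, sample_lookup):
        print(f"{f.nameserver:<32} {f.status}")
```

Any "nxdomain" result is an emergency for the zone operator; "no-address" entries are also worth fixing because they silently shrink the set of working servers.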

[Image: registration confirmation]
