5

I have just checked and found that I have a number of subdomains live that re-direct to sites which I don't recognise.

Is it possible for a 3rd party to own a sub-domain of my site?

From a security POV, should I be worried about these sites?

schroeder
  • 123,438
  • 55
  • 284
  • 319
John
  • 51
  • 2
  • 5
    If someone was able to affect your site without your permission, then yes, you have a security concern beyond the sub-domains. – schroeder Jan 20 '17 at 21:54

1 Answers1

4

Is it possible for a 3rd party to own a sub-domain of my xxx.com site?

No, other folks cannot own register subdomains for a domain which you have already registered.

Here's the ownership tree.

  1. The domain name (e.g. example.com) is registered by you with a Registrar. (e.g. Namecheap, Network Solutions, etc.)
  2. On the registration, you can designate Nameservers. (DNS Servers) The nameservers provide a listing of subdomains, and where they are hosted.
  3. For every subdomain, there is a designated Host. The Website and Email can be hosted separately, and you can also have separate Hosts for each subdomain if desirable.

I have just checked and found that I have a number of subdomains live, which re-direct to sites which I don't recognize.

In your case, it sounds like either a) someone has added subdomain entries to the DNS so that they are hosted elsewhere, or b) the subdomains could be hosted in the same place as your main site, but something about the website configuration is causing the redirects you describe.

From a Security POV, should I be worried about these sites?

Yes. Since this is your domain, and you control the Registration, (#1 above) you should be able to dictate what happens to all the subdomains. If you are unaware of these, you should get some IT person involved who can determine whether the faulty entry is at the Nameservers, or the Host, and help you to resolve the problem.

Feel free to ask additional questions if that would be helpful to you.

700 Software
  • 13,807
  • 3
  • 52
  • 82
  • I think Namecheap actually does let you register subdomains of arbitrary domains that aren't yours. – shadowtalker Jan 20 '17 at 20:44
  • To add to the question; does this mean that anyone can have an email associated with that subdomain e.g "Reports@subdomain.example.com"? – KingJohnno Jan 20 '17 at 20:46
  • 1
    @GeorgeBailey never mind, I just tried it and got the following message: "This sub-domain's parent domain is currently registered in namecheap under a different account. For security purposes, the domain owner is required to explicitly approve this sub-domain.Shortly, we will send a message to the administrative email listed in Whois with a link for approval. The link should be used within 2 days. Your sub-domain will become active once approval is complete." – shadowtalker Jan 20 '17 at 21:04
  • @ssdecontrol, Quite interesting to find that Namecheap offers functionality for 3rd parties to create subdomains. (requiring domain-holder approval) Note that, if domain-holder / registrant is using custom Nameservers then this feature would not work, because Namecheap can only add/remove subdomains on nameservers they control directly. – 700 Software Jan 20 '17 at 21:10
  • @KingJohnno, To create email addresses, one must handle Email Hosting (#3 above), which must be designated/authorized by the Nameservers/DNS servers (#2 above), which is ultimately designated/authorized by the domain registrant. (#1 above) – 700 Software Jan 20 '17 at 21:11