Yes, your registrar can hijack not only your MX records, but your entire DNS.

Not only that, but they can then proceed to intercept mail sent to your domain, get a valid CA-signed SSL certificate for your domain, and host a site for your domain using the trusted SSL certificate. And DNSSEC won't prevent any of this.
One of the primary functions of your registrar is to register the nameservers for your domain. For example, if you do a whois lookup for stackexchange.com, you'll see that the registrar for stackexchange.com is eNom, LLC., and that the nameservers for stackexchange.com are hosted by Google Cloud and Amazon AWS. So, the DNS for stackexchange.com is handled by Google Cloud and Amazon AWS.
In the example that you gave in your question, cheap-unsecure-domains is the registrar for yourdomain.example. With cheap-unsecure-domains, you specified Cloudflare's nameservers as nameservers for yourdomain.example. So, DNS for yourdomain.example is handled by Cloudflare's nameservers. Then, in Cloudflare's control panel, you set up your DNS records for yourdomain.example, including your A records, MX records, etc.
So if cheap-unsecure-domains wanted to intercept your mail, they wouldn't need to hack into your account at Cloudflare to change your DNS records. They would simply change the nameservers for yourdomain.example to their own, then create MX records for yourdomain.example in their nameservers to point to their own mail servers. Then, they would start receiving mail sent to your domain.
Interestingly, they could start receiving mail for yourdomain.example securely using SMTP STARTTLS, without even getting an SSL certificate for yourdomain.example. They could just use their own certificate. See https://blog.filippo.io/the-sad-state-of-smtp-encryption/.
Now, things get more insidious. They can start receiving mail for hostmaster@yourdomain.example (or admin@yourdomain.example, or any of the other designated approved email addresses used for SSL domain validation). Then, they can request an SSL certificate for yourdomain.example from a trusted CA, and when the CA sends the verification link to hostmaster@yourdomain.example, they'll receive it, and the CA will issue the certificate. Now, they can set up an A record for www.yourdomain.example, and run a site with a valid certificate for www.yourdomain.example.
At this point, you might be wondering: can't this type of attack be prevented using DNSSEC? The answer is no. DNSSEC records are stored in the DNS for the domain. When the registrar changes the nameservers for yourdomain.example to their own, the DNSSEC records that you created for yourdomain.example are gone, along with all of the other DNS records that you created. See https://moxie.org/blog/ssl-and-the-future-of-authenticity/ for more info.
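The delegation change described in this answer is something the domain owner can at least detect from the outside, since the NS delegation and the DS record both live in the parent zone, which the registrar publishes, and the MX records come from whichever nameservers that delegation points to. The following is an added example, not code from the answer above: it parses answer lines in the `name TTL class type rdata` form that `dig +noall +answer` prints, pins a baseline of those records, and reports the drift a registrar hijack produces (delegation moved to unknown nameservers, DS record gone, MX pointing at a new mail host). All record data, the nameserver names and the mail host names are constructed for the example and do not refer to real providers.

```python
"""Detect a registrar-level delegation hijack from DNS answer lines.

Added example, not part of the original answer. The record data, the
nameserver names and the mail host names are constructed placeholders.
"""
from dataclasses import dataclass


def parse_answer(text):
    """Parse zone-file style answer lines into {rtype: set(rdata)}.

    Lines beginning with ';' (dig comments) and blank lines are skipped.
    Rdata is lowercased and whitespace-normalised so that host names and
    DS digests compare reliably.
    """
    records = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)
        if len(parts) < 5:
            continue  # not a complete resource record
        _name, _ttl, _cls, rtype, rdata = parts
        records.setdefault(rtype.upper(), set()).add(" ".join(rdata.lower().split()))
    return records


@dataclass(frozen=True)
class Baseline:
    ns: frozenset  # delegation published in the parent zone via the registrar
    ds: frozenset  # DS record(s) published in the parent zone via the registrar
    mx: frozenset  # MX records served by the delegated nameservers


def check_delegation(observed, baseline):
    """Compare observed records with the baseline and return a list of findings."""
    findings = []
    ns = observed.get("NS", set())
    if ns != baseline.ns:
        findings.append(
            f"NS delegation changed: expected {sorted(baseline.ns)}, got {sorted(ns)}"
        )
    ds = observed.get("DS", set())
    if baseline.ds and not ds:
        findings.append("DS record removed at the parent: the DNSSEC chain of trust is gone")
    elif ds != baseline.ds:
        findings.append(f"DS record changed: expected {sorted(baseline.ds)}, got {sorted(ds)}")
    mx = observed.get("MX", set())
    if mx != baseline.mx:
        findings.append(
            f"MX changed: mail now routed to {sorted(mx - baseline.mx)} "
            f"instead of {sorted(baseline.mx)}"
        )
    return findings


# Constructed baseline: the owner delegated to their DNS provider, signed the
# zone, and had the registrar publish a DS record in the parent zone.
BASELINE = Baseline(
    ns=frozenset({"ns1.dns-provider.example.", "ns2.dns-provider.example."}),
    ds=frozenset({"12345 13 2 " + "ab" * 32}),
    mx=frozenset({"10 mail.yourdomain.example."}),
)

# Constructed answers for the hijack scenario: the registrar repointed the
# delegation to its own nameservers, dropped the DS record, and serves an
# MX record for its own mail server. No DS line appears at all.
HIJACKED_ANSWERS = """
; NS and DS as seen from the parent zone's nameservers
yourdomain.example.   3600  IN  NS  ns1.cheap-unsecure-domains.example.
yourdomain.example.   3600  IN  NS  ns2.cheap-unsecure-domains.example.
; MX as served by the new nameservers
yourdomain.example.   300   IN  MX  10 mx.cheap-unsecure-domains.example.
"""


def audit(text=HIJACKED_ANSWERS, baseline=BASELINE):
    """Run the check over a block of answer lines; empty list means no drift."""
    return check_delegation(parse_answer(text), baseline)


if __name__ == "__main__":
    for finding in audit():
        print("ALERT:", finding)
```

In practice the NS and DS answers should be fetched from the parent zone's nameservers (the `.example` servers here) rather than from your own provider, because the hijack replaces the delegation itself; querying a recursive resolver for the MX record is enough to see where mail now goes.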