
I have a client that has their name services done through some third party. The domain was registered through Godaddy (yet a different third party). The name service provider had their domain names hijacked (don't know how), so the name servers my client uses became unreachable or compromised.

Somehow the name service provider was able to get the DNS to resolve using different name servers. I am baffled. How is it that the service provider can alter the name servers for the client's domain?

Abbreviated explanation:

  • Godaddy Registrar for example.com lists ns1.ispnameserver.com and ns2.ispnameserver.com as name servers.
  • ISP provides name service for example.com, manages ns1.ispnameserver.com and ns2.ispnameserver.com.
  • ISP loses control of ispnameserver.com. Somehow ISP is able to provide new name servers ns1.newispname.com and ns2.newispname.com, and magically DNS uses ns1.newispname.com and ns2.newispname.com to resolve queries for example.com.

In essence the ISP was able to hijack control of the client's example.com domain. Whois still lists ns1.ispnameserver.com.

How was the ISP able to do that? What organization can provide that service?

Actual Results from dig and whois. Note it's been this way for at least a week.

terary
  • Your story is quite convoluted but in general it is fairly typical that resellers have (some) control over the services they sold to their clients. – HBruijn Feb 17 '18 at 13:18
  • 2
    Whois has nothing to do with DNS. While it does also show a set of nameservers, Whois is generally some informational text. It doesn't have any value in DNS queries or whatsoever. As @HBruijn said, it is likely that the reseller has access to adjust those records, probably they weren't yet propagated to Whois data. – Florin Asăvoaie Feb 17 '18 at 13:29
  • 1
    The Registrar (Godaddy, unless the domain was transferred to another Registrar) controls the designation of the name servers. You probably need to change the passwords at Godaddy, and then select the name servers you want. If it is not registered in a Godaddy (or other Registrar) account that you/your client controls, you have a problem. Particularly, the records probably don't show that you/your client "owns" the domain. It is the Registrar that _controls_ the domain, and only the Registrar (on behalf of the domain account holder) can change name servers. – Colt Feb 17 '18 at 16:53
  • 1
    Does your client have a GoDaddy account under that registered email address, or not? And do they have access to that email address? – Michael Hampton Feb 18 '18 at 00:24
  • @MichaelHampton I assume the client has access to the listed e.mail address, while the ISP does not – terary Feb 18 '18 at 00:28
  • If you actually intend to recover this situation, this is something you need to _know_. Go find out. – Michael Hampton Feb 18 '18 at 00:29
  • My question is more about how the ISP was able to change the name servers that dig is using, without the client's involvement, and why dig is resolving to the correct name servers while Godaddy (registrar) records reflect bad name servers. My understanding was/is that eventually dig will resolve to the name servers listed in the whois record. – terary Feb 18 '18 at 00:43
  • Question: Are you still having some kind of issue actively, or are you attempting to form an RCA? – Spooler Feb 18 '18 at 03:16

2 Answers

It goes like this:

  • Registrar controls/points to what DNS servers respond to a domain. That is called the SOA (Start Of Authority).

  • DNS provider to which name servers are pointed cannot change that info. They control everything, except that, when it comes to DNS.

Back to specific scenario at hand. One possible scenario is that the DNS provider has, or had, access to Godaddy and logged in to change the name servers.

One common scenario is that third-party companies either have all control (i.e. that DNS provider may have done the setup for the client) or at some point were given access to the registrar. Either way, you probably want to change the Godaddy password.

On the other hand, if your client does not have the Godaddy password, possibly he never did, and that DNS provider, or someone else, did all this setup and did what they needed to do to get things resolved. It is good they resolved the issue, but that still does not change the fact that someone other than your client must have access to Godaddy.

Francisco1844

The Actual Results in the question are not as complete as they could be, but this is what it looks like to me:

Nothing in what was posted suggests that the delegation information has actually changed, rather that the zone on the nameservers in the delegation has different (inconsistent) NS records for your zone.

A dig trace may be helpful, that will show both the delegation and the authoritative records (while your "Actual Results" presumably only showed authoritative):

dig +trace +add example.com NS

What you control through the registrar is the delegation information, i.e., the NS (and glue A/AAAA as necessary) records that the nameservers for the parent zone should send in their referral response.
This set of NS records is supposed to match the NS records in the actual authoritative zone, but from the looks of it, the scenario in your question is that the authoritative zone alone has changed in this regard.


Sidenote on WHOIS vs DNS:

WHOIS is a view into the registry's and/or registrar's (depending on how the registry operates) meta information for registered domain names. It serves no purpose in actual operations, but provides human consumable information on domain names.

To be sure about the current operational reality, always consult DNS rather than WHOIS. In the question your representation of the delegation is from WHOIS rather than DNS (as would have been available with the dig trace command from above). This creates some degree of uncertainty, but I would expect that you will find that WHOIS output indeed does match the delegation as found in DNS (which will then not have changed).

Håkan Lindqvist
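As an added illustration, not part of the answer above, here is a small Python script that parses the output of the `dig +trace +additional example.com NS` command the answer recommends and reports whether the NS set handed out by the parent zone (the delegation) matches the NS set served by the authoritative servers themselves. The trace text is a constructed sample built from the placeholder hostnames in the question (ns1/ns2.ispnameserver.com, ns1/ns2.newispname.com) with addresses from the documentation ranges; it is not real output from anyone's domain.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Constructed sample of `dig +trace +additional example.com NS` output.
# Hostnames are the placeholders from the question; IPs are documentation ranges.
SAMPLE_TRACE = """\
; <<>> DiG 9.16.1 <<>> +trace +additional example.com NS
;; global options: +cmd
.\t\t518400\tIN\tNS\ta.root-servers.net.
.\t\t518400\tIN\tNS\tb.root-servers.net.
;; Received 525 bytes from 192.0.2.53#53(192.0.2.53) in 8 ms

com.\t\t172800\tIN\tNS\ta.gtld-servers.net.
com.\t\t172800\tIN\tNS\tb.gtld-servers.net.
a.gtld-servers.net.\t172800\tIN\tA\t198.51.100.4
;; Received 1170 bytes from 203.0.113.4#53(a.root-servers.net) in 21 ms

example.com.\t\t172800\tIN\tNS\tns1.ispnameserver.com.
example.com.\t\t172800\tIN\tNS\tns2.ispnameserver.com.
ns1.ispnameserver.com.\t172800\tIN\tA\t192.0.2.10
ns2.ispnameserver.com.\t172800\tIN\tA\t192.0.2.11
;; Received 143 bytes from 198.51.100.4#53(a.gtld-servers.net) in 33 ms

example.com.\t\t3600\tIN\tNS\tns1.newispname.com.
example.com.\t\t3600\tIN\tNS\tns2.newispname.com.
;; Received 98 bytes from 192.0.2.10#53(ns1.ispnameserver.com) in 12 ms
"""

# One resource record line: owner TTL IN TYPE RDATA (dig prints tabs between fields)
RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(\S+)$")
# The trailer dig prints after each hop, naming the server that answered
RECV_RE = re.compile(r"^;; Received \d+ bytes from [^#\s]+#\d+\((\S+)\)")


@dataclass(frozen=True)
class NSSet:
    """NS records for the zone as returned by one server in the trace."""
    answered_by: str
    names: FrozenSet[str]


def parse_trace(text: str, zone: str) -> List[NSSet]:
    """Return, in hop order, every response that carried NS records for `zone`.

    The first such hop is the parent's referral (the delegation the registrar
    controls); the last is the answer from the zone's own authoritative server.
    """
    zone = zone.rstrip(".").lower() + "."
    hops: List[NSSet] = []
    current = set()
    for line in text.splitlines():
        rr = RR_RE.match(line)
        if rr:
            owner, rtype, rdata = rr.groups()
            if owner.lower() == zone and rtype == "NS":
                current.add(rdata.lower())
            continue
        recv = RECV_RE.match(line)
        if recv:
            if current:
                hops.append(NSSet(answered_by=recv.group(1), names=frozenset(current)))
            current = set()
    return hops


def check_delegation(text: str, zone: str) -> dict:
    """Compare the delegation NS set against the authoritative NS set."""
    hops = parse_trace(text, zone)
    if len(hops) < 2:  # a trace that never reached both parent and child
        return {"zone": zone, "delegation": None, "authoritative": None,
                "consistent": None, "only_in_delegation": [], "only_in_zone": []}
    parent, child = hops[0], hops[-1]
    return {
        "zone": zone,
        "delegation": parent,
        "authoritative": child,
        "consistent": parent.names == child.names,
        "only_in_delegation": sorted(parent.names - child.names),
        "only_in_zone": sorted(child.names - parent.names),
    }


if __name__ == "__main__":
    result = check_delegation(SAMPLE_TRACE, "example.com")
    print(f"delegation from {result['delegation'].answered_by}: "
          f"{sorted(result['delegation'].names)}")
    print(f"authoritative from {result['authoritative'].answered_by}: "
          f"{sorted(result['authoritative'].names)}")
    print("consistent:", result["consistent"])
```

Run against the sample, the script shows exactly the situation the answer describes: the parent (.com) still refers resolvers to ns1/ns2.ispnameserver.com, while those servers answer with NS records pointing at ns1/ns2.newispname.com. A mismatch here means the zone content changed, not the registrar-side delegation, which is why WHOIS still shows the old names. Feed it real `dig +trace +additional` output for the domain in question to see which side actually changed.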