
Stealing the US Government by Stealing .gov Domains

The .gov top-level domain is the United States Government’s domain, run by dotgov.gov, which is part of the General Services Administration. This top-level domain is home to entities such as cia.gov, fbi.gov and everyone’s favorite spy agency, nsa.gov.

Stealing the US Government .GOV Domain Names

I was taking my stroll down the internet yesterday when I noticed a peculiar thing; let us see if you notice it too:

ross@maui:~$ dig @a.root-servers.net gov. ns
; <<>> DiG 9.7.1-P2 <<>> @a.root-servers.net gov. ns
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6981
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 7, ADDITIONAL: 7
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;gov. IN NS
;; AUTHORITY SECTION:
gov. 172800 IN NS g.usadotgov.net.
gov. 172800 IN NS a.usadotgov.net.
gov. 172800 IN NS b.usadotgov.net.
gov. 172800 IN NS d.usadotgov.net.
gov. 172800 IN NS f.usadotgov.net.
gov. 172800 IN NS c.usadotgov.net.
gov. 172800 IN NS e.usadotgov.net.
;; ADDITIONAL SECTION:
a.usadotgov.net. 172800 IN A 76.73.18.236
b.usadotgov.net. 172800 IN A 206.204.217.151
c.usadotgov.net. 172800 IN A 69.72.142.35
d.usadotgov.net. 172800 IN A 204.168.112.71
e.usadotgov.net. 172800 IN A 213.165.80.240
f.usadotgov.net. 172800 IN A 66.207.175.172
g.usadotgov.net. 172800 IN A 64.62.200.134
;; Query time: 37 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Tue Jan 4 07:09:30 2011
;; MSG SIZE rcvd: 258

If you noticed that the authoritative name servers for .gov are [a-g].usadotgov.net, you are correct. Why would you use a .net domain, which anyone can own, as the authoritative name servers for .gov, which is severely restricted and can only be registered and maintained through dotgov.gov? Now, let’s look at usadotgov.net, which is a real domain:

ross@maui:~$ whois usadotgov.net
Whois Server Version 2.0
Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.
Domain Name: USADOTGOV.NET
Registrar: GODADDY.COM, INC.
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: DNSSEC10.DATAMTN.COM
Name Server: DNSSEC11.DATAMTN.COM
Name Server: DNSSEC12.DATAMTN.COM
Name Server: DNSSEC14.DATAMTN.COM
Name Server: DNSSEC7.DATAMTN.COM
Name Server: DNSSEC9.DATAMTN.COM
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 13-aug-2009
Creation Date: 27-jul-2009
Expiration Date: 27-jul-2014
>>> Last update of whois database: Tue, 04 Jan 2011 07:12:14 UTC <<<
NOTICE: The expiration date displayed in this record is the date the
registrar’s sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant’s agreement with the sponsoring
registrar. Users may consult the sponsoring registrar’s Whois database to
view the registrar’s reported date of expiration for this registration.
TERMS OF USE: You are not authorized to access or query our Whois
database through the use of electronic processes that are high-volume and
automated except as reasonably necessary to register domain names or
modify existing registrations; the Data in VeriSign Global Registry
Services’ (“VeriSign”) Whois database is provided by VeriSign for
information purposes only, and to assist persons in obtaining information
about or related to a domain name registration record. VeriSign does not
guarantee its accuracy. By submitting a Whois query, you agree to abide
by the following terms of use: You agree that you may use this Data only
for lawful purposes and that under no circumstances will you use this Data
to: (1) allow, enable, or otherwise support the transmission of mass
unsolicited, commercial advertising or solicitations via e-mail, telephone,
or facsimile; or (2) enable high volume, automated, electronic processes
that apply to VeriSign (or its computer systems). The compilation,
repackaging, dissemination or other use of this Data is expressly
prohibited without the prior written consent of VeriSign. You agree not to
use electronic processes that are automated and high-volume to access or
query the Whois database except as reasonably necessary to register
domain names or modify existing registrations. VeriSign reserves the right
to restrict your access to the Whois database in its sole discretion to ensure
operational stability. VeriSign may restrict or terminate your access to the
Whois database for failure to abide by these terms of use. VeriSign
reserves the right to modify these terms at any time.
The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.
The data contained in GoDaddy.com, Inc.’s WhoIs database,
while believed by the company to be reliable, is provided “as is”
with no guarantee or warranties regarding its accuracy. This
information is provided for the sole purpose of assisting you
in obtaining information about domain name registration records.
Any use of this data for any other purpose is expressly forbidden without the prior written
permission of GoDaddy.com, Inc. By submitting an inquiry,
you agree to these terms of usage and limitations of warranty. In particular,
you agree not to use this data to allow, enable, or otherwise make possible,
dissemination or collection of this data, in part or in its entirety, for any
purpose, such as the transmission of unsolicited advertising and
and solicitations of any kind, including spam. You further agree
not to use this data to enable high volume, automated or robotic electronic
processes designed to collect or compile this data for any purpose,
including mining this data for your own personal or commercial purposes.
Please note: the registrant of the domain name is specified
in the “registrant” field. In most cases, GoDaddy.com, Inc.
is not the registrant of domain names listed in this database.
Registrant:
General Services Administration
10304 Eaton Place
Attn QTDC, 2E08
Fairfax, Virginia 22030
United States
Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: USADOTGOV.NET
Created on: 27-Jul-09
Expires on: 27-Jul-14
Last Updated on: 13-Aug-09
Administrative Contact:
<removed>
Technical Contact:
<removed>
Domain servers in listed order:
DNSSEC7.DATAMTN.COM
DNSSEC9.DATAMTN.COM
DNSSEC10.DATAMTN.COM
DNSSEC11.DATAMTN.COM
DNSSEC12.DATAMTN.COM
DNSSEC14.DATAMTN.COM

This real domain holds the records listed as .gov’s name servers, is registered at GoDaddy of all places, and uses name servers based outside the USA (if you don’t believe me, traceroute to DNSSEC7.DATAMTN.COM) provided by a third party. For those of you who aren’t familiar, GoDaddy is the largest domain registrar in the world and is where a number of domain thefts take place (just due to their sheer size). If you were to do something like this you might at the very least go with a company that specializes in protecting high-value domains, like Mark Monitor or CSC Global.

So what is the issue here, why are you writing about this?

Well, if someone can get into the GoDaddy account where usadotgov.net is registered, they can modify, transfer or push that domain (it has happened to high-profile domains before; to note, baidu.com is now at MarkMonitor). From there they can do anything they want, such as changing usadotgov.net’s glue records for the a-g.usadotgov.net name servers, redirecting lookups for .gov (yes, all the .gov domains, like cia.gov, fbi.gov, nsa.gov, etc.) to other servers. From there they could modify records for .gov domains as they see fit. Alternatively, they could just remove the glue records and name servers for usadotgov.net and the .gov domain would go dark. There are many possibilities here, like changing just one glue record (or just adding a second IP to it) to siphon off traffic for only the records you want to modify, e.g. adding a second IP to doj.gov’s mail server record to sniff mail going to the Department of Justice (then forwarding it on, of course). Any of the endless possibilities scare me.
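The two conditions described above (a TLD delegated to name servers under someone else’s registration, and a glue record quietly gaining a second IP) are both things a defender can check for mechanically. The script below is an added example and is not code from the original post or from dotgov.gov; it parses the AUTHORITY and ADDITIONAL sections of a `dig ... ns` run, flags name servers that live outside the zone they serve (out of bailiwick), and diffs the glue addresses against a stored baseline. The sample dig text is constructed from the records quoted in the post plus one extra A record using the documentation address 192.0.2.10 as a placeholder for an injected second glue IP; the baseline dictionary is an assumed snapshot an operator would keep from a known-good day.

```python
import re

# Constructed sample: AUTHORITY/ADDITIONAL lines from the post, plus one
# extra A record (192.0.2.10, a documentation-range placeholder) standing in
# for a second glue IP that has appeared for a.usadotgov.net.
SAMPLE_DIG = """\
;; AUTHORITY SECTION:
gov. 172800 IN NS a.usadotgov.net.
gov. 172800 IN NS b.usadotgov.net.
gov. 172800 IN NS g.usadotgov.net.
;; ADDITIONAL SECTION:
a.usadotgov.net. 172800 IN A 76.73.18.236
a.usadotgov.net. 172800 IN A 192.0.2.10
b.usadotgov.net. 172800 IN A 206.204.217.151
g.usadotgov.net. 172800 IN A 64.62.200.134
"""

# Assumed operator baseline: glue addresses recorded on a known-good day.
BASELINE_GLUE = {
    "a.usadotgov.net.": {"76.73.18.236"},
    "b.usadotgov.net.": {"206.204.217.151"},
    "g.usadotgov.net.": {"64.62.200.134"},
}

# owner  ttl  IN  type  rdata   (dig's default presentation format)
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(NS|A|AAAA)\s+(\S+)$")


def parse_dig(text):
    """Extract delegation data from dig output.

    Returns (ns_by_zone, glue):
      ns_by_zone: {zone: {ns_hostname, ...}}
      glue:       {ns_hostname: {ip, ...}}
    Comment lines (starting with ';') and non NS/A/AAAA records are skipped.
    """
    ns_by_zone, glue = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_RE.match(line)
        if not m:
            continue
        owner, _ttl, rtype, rdata = m.groups()
        owner, rdata = owner.lower(), rdata.lower()
        if rtype == "NS":
            ns_by_zone.setdefault(owner, set()).add(rdata)
        else:
            glue.setdefault(owner, set()).add(rdata)
    return ns_by_zone, glue


def out_of_bailiwick(zone, ns_hosts):
    """Name servers whose host name is not inside `zone`.

    Both arguments use trailing-dot FQDNs. Everything is inside the root ".",
    and a zone may legitimately be served by its own apex name.
    """
    zone = zone.lower()
    if zone == ".":
        return []
    suffix = "." + zone
    return sorted(ns for ns in ns_hosts
                  if ns != zone and not ns.endswith(suffix))


def glue_drift(baseline, current):
    """Diff two {ns_host: {ip}} maps; report hosts whose address set changed."""
    changes = {}
    for host in sorted(set(baseline) | set(current)):
        old, new = baseline.get(host, set()), current.get(host, set())
        if old != new:
            changes[host] = {"added": sorted(new - old),
                             "removed": sorted(old - new)}
    return changes


def audit(dig_text, baseline):
    """Run both checks over one dig run and return a report dict."""
    ns_by_zone, glue = parse_dig(dig_text)
    return {
        "out_of_bailiwick": {z: out_of_bailiwick(z, hosts)
                             for z, hosts in ns_by_zone.items()},
        "glue_drift": glue_drift(baseline, glue),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_DIG, BASELINE_GLUE)
    for zone, hosts in report["out_of_bailiwick"].items():
        for host in hosts:
            print(f"WARN {zone} delegated to out-of-bailiwick server {host}")
    for host, delta in report["glue_drift"].items():
        print(f"ALERT glue for {host} changed: {delta}")
```

Run against a real `dig @a.root-servers.net gov. ns` capture, every name server comes back as out of bailiwick for `gov.`, which is exactly the observation the post makes; the drift check is the part worth scheduling, since a single added address on one glue record is the change least likely to be noticed by eye.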

Why did this happen?

You would have to ask the General Services Administration and the dotgov.gov administrators why they put one of the most valuable top-level domains at risk, but I do have a theory. If you look at usadotgov.net, it was registered in July 2009 and has name servers of *.datamtn.com. If you look at http://www.datamtn.com you’ll notice they offer DNSSEC services, and if you go to www.dotgov.gov you’ll notice they say they just deployed DNSSEC. So my guess is that the GSA contracted with Data Mountain Solutions to deploy DNSSEC and this is what we got.

What now?

Well, I hope someone in charge at dotgov.gov changes this back so .gov is served exclusively by a domain ending in .gov, for a bit better security, kind of like .mil is.

Let me know if you have any questions, comments or worries, and if you need to get in touch with me please use the contact form.

Notes

You’ll notice nic.gov and datagov.gov use the same *.datamtn.com domain servers to resolve their names. I’m not sure I would really want a private third party running the domain name servers for the registrar.gov, especially with name servers outside of the USA.

Update

Derek McUmber made a good point: IANA actually glues the records of a.usadotgov.net in the root zone, via http://www.iana.org/domains/root/tld-change-template.txt

Update 2

Derek and I had a good talk on the phone. Some things I brought up are that if the domain usadotgov.net does get hijacked and the person does fiddle with things, it could cause some issues if you are using a non-verifying DNSSEC resolver (not only this, but .net domains can’t be signed at the registry yet), but the question becomes: does the resolver go to the root or to .net for the information for a.usadotgov.net, and do all resolvers work the same? What he was trying to convey is that since the records are signed and the government uses verifying resolvers, there should be no issues.

I also brought up the fact that a country could send back spoofed records from the root servers, as has happened before. If I can spoof a.usadotgov.net and look like I’m answering from l.root-servers.net, then what happens? Hopefully this will all go away as DNSSEC is more widely deployed.

Update 3

I asked Paul Vixie the question below, as I didn’t want to keep going back and forth on the issue.

“I guess my question is what happens to .org if usadotgov.net is hijacked, what damage can truly be done.”

His reply:

Such a hijacker could make any .gov name say anything they wanted it to say, as long as the software looking up the bad data wasn’t dnssec-aware.


3 Responses to “Stealing the US Government by Stealing .gov Domains”

  1. J says:

    Cia.gov is a quality website. I use the website to prepare random reports on comparing and contrasting nations. The content is extremely accurate. Thanks for sharing the possible hack attack. Your article increases public awareness, keeping domain owners alert.

    I come across many people on Craig’s List, who usually ask me to take snapshots to prove ownership. I already place a link to the sales page on Sedo. However, they think I’m gullible. I respond back that Sedo is one of the top domain sales platforms in the world.

    I’ll receive a reply that they need the information to present to their attorney. You have to be careful with the information you share with potential buyers. There are many honest people, but then dishonest scam artists look to take advantage. Thanks for the article and information.

  2. Astrid William says:

    This is a scary thought for domain name owners. Why can’t people just spend more of their time working on productive hacks?

    Thanks for sharing this information!

  3. Aishwar Sharma says:

    Thanks for this article, Ross. It’s scary how prolific domain name theft has become. There are some really big cases of such in the news that just boggle my mind.

    It’s great that there are security experts checking on topics like this and raising awareness to us and government administrators of the perils of not properly attending to DNS registration.

Copyright © 2010-2014 DomainSherpa. All rights reserved. Reproduction without explicit permission is prohibited.