How did someone point a sub-domain of our domain to someone else's IP address?
We own a primary domain:
- businessdts.com
I didn't know if our admins had created a sub-domain I had requested, "BDASERVER.businessdts.com.", so I just tried to connect to it with a browser and got a "not found". Then I pinged that sub-domain and got an IP address that doesn't belong to us:
- Pinging BDASERVER.businessdts.com [198.105.244.117] with 32 bytes of data
- Our domain and all sub-domains should have an IP address of [173.203.24.209]
I had the admins check all of our DNS zones and we found no instance of the BDASERVER sub-domain (the admins had not created it yet), nor did we find any instance of the 198.105.244.117 IP address.
Doing an IP lookup, we found that 198.105.244.117 belongs to a company called Search Guide Inc. (searchguideinc.com). They appear to be a domain broker of some kind.
Am I missing something:
- How is this BDASERVER sub-domain resolving to an address that is not ours?
- How does someone hijack a SUB-domain?
Solution 1:
As the other guys here have suggested - this is an ISP norm, actually. ATT does it to me as well. This happens when the domain requested is not found and the DNS records do not point to a default destination (you can set that up on the server that manages your DNS - more than likely you are using a standard registrar and they will manage your DNS for you - just log in to where you registered your domain name and click "manage DNS"). You should add a "wildcard" redirect record. This way you will always point undefined traffic to a default web page - or the index page of your main website. This also helps a lot if there are typos - you do not lose your traffic that way, and customers or visitors are not punished by their ISP with abusive ads (I think there should be a class action against the ISPs for making ad revenue on us all - no?). Anyhow - here is a discussion on this topic you can read for more specifics: Default DNS settings
Bottom line - if you are managing your domain name and server, set up your default wildcards, and you might also want to add some custom error pages for your web server to serve when someone requests a page that does not exist - add your logo and a link back to your main site with a small site search script or something on it. It's so annoying to request a resource or HTML page from a website - even by clicking on one of their own links on another page of their site - and have that ugly "400 Error" page come up. There is so much a business can do to preserve the user experience by handling errors properly and keeping their customers. I also recommend that you include a "REPORT BROKEN LINKS" link on the modified error pages, and perhaps also on the default wildcard redirect landing page, which can include an automatic redirect to the index home page or another page of your choice if the visitor does not interact.
I'm off topic now - but clearly the OP needs to know a little more about what allows the ISP to intercept the error: the DNS handler does not provide a useful response to the undefined subdomain requested, because it is not there, so the ISP serves up a revenue-generating page instead. Easy fix though!
Solution 2:
There is no record for that subdomain:
$ dig BDASERVER.businessdts.com
; <<>> DiG 9.8.3-P1 <<>> BDASERVER.businessdts.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 11871
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;BDASERVER.businessdts.com. IN A
;; AUTHORITY SECTION:
businessdts.com. 300 IN SOA ns.rackspace.com. hostmaster.rackspace.com. 1487794151 10800 3600 604800 300
;; Query time: 86 msec
;; SERVER: 192.168.64.1#53(192.168.64.1)
;; WHEN: Wed Feb 22 21:29:53 2017
;; MSG SIZE rcvd: 103
It's likely that your ISP's DNS is doing what's referred to as NXDOMAIN hijacking, where they hijack NXDOMAIN DNS replies and instead of replying with a proper NXDOMAIN (as above), they give you the IP address of a "search" page, which typically gets advertisement revenue for them.
I'd talk with your ISP and ask that they stop interfering with your traffic. If they refuse, get a better ISP or use a different resolver for your traffic.
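The dig output above shows the honest answer (status NXDOMAIN, an SOA in the authority section, no A record), while the OP's stub resolver received an A record for the same name. The script below is an added example, not code from any of the answers: it parses raw DNS response packets and applies exactly that comparison, classifying the resolver's reply for a random label that should not exist as clean, an NXDOMAIN hijack, or a legitimate wildcard record of the kind Solution 1 recommends (which also returns an A record for undefined names, and so must be told apart from hijacking by checking the zone's own authoritative server). The two packets are constructed inline so the example runs offline; the function names and the "wildcard"/"rewritten" labels are my own, and in practice you would send the same random-label query to your configured resolver and to the zone's authoritative server (ns.rackspace.com in the dig output above) and feed both raw replies to classify().

```python
import random
import string
import struct

# DNS response codes we care about (RFC 1035 RCODE values).
RCODE_NOERROR = 0
RCODE_NXDOMAIN = 3


def encode_name(name):
    """Encode a dotted hostname as DNS labels (length-prefixed, zero-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(txid, qname, rcode, answer_ip=None):
    """Build a minimal DNS response packet. This is constructed test data, not a
    real capture; it lets the parser below be exercised without a network."""
    ancount = 1 if answer_ip else 0
    flags = 0x8180 | rcode                      # QR=1, RD=1, RA=1, plus the RCODE
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    answer = b""
    if answer_ip:
        # Compression pointer to offset 12 (the question name), type A, class IN,
        # TTL 300, RDLENGTH 4, then the four address octets.
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
        answer += bytes(int(octet) for octet in answer_ip.split("."))
    return header + question + answer


def read_name(data, offset):
    """Decode a possibly compressed DNS name; return (name, offset_after_field)."""
    labels = []
    jumped = False
    end = offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:               # compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2                # field ends after the 2-byte pointer
            jumped = True
            offset = pointer
            continue
        if length == 0:
            offset += 1
            break
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_response(data):
    """Return the RCODE and any A-record addresses from a raw DNS response."""
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", data[:12])
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qdcount):                    # skip the question section
        _, offset = read_name(data, offset)
        offset += 4                             # QTYPE + QCLASS
    addresses = []
    for _ in range(ancount):
        _, offset = read_name(data, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:           # A record
            addresses.append(".".join(str(b) for b in rdata))
    return {"rcode": rcode, "answers": addresses}


def random_probe_name(zone):
    """A label nobody has created, so the authoritative answer must be NXDOMAIN
    unless the zone carries a wildcard record."""
    label = "".join(random.choice(string.ascii_lowercase) for _ in range(12))
    return f"{label}.{zone}"


def classify(resolver_response, authoritative_response):
    """Compare the configured resolver's reply with the zone's own authoritative
    reply for a name that should not exist (labels are my own naming)."""
    seen = parse_response(resolver_response)
    truth = parse_response(authoritative_response)
    if seen["rcode"] == RCODE_NXDOMAIN:
        return "clean"                          # resolver passed NXDOMAIN through
    if seen["rcode"] == RCODE_NOERROR and seen["answers"]:
        if truth["rcode"] == RCODE_NXDOMAIN:
            return "nxdomain-hijack"            # resolver invented an answer
        if truth["rcode"] == RCODE_NOERROR and set(truth["answers"]) == set(seen["answers"]):
            return "wildcard"                   # the zone itself answers this way
        return "rewritten"                      # zone answers, but resolver changed it
    return "inconclusive"


if __name__ == "__main__":
    # Constructed replay of the question: the ISP resolver returns the Search Guide
    # address, the authoritative server (per the dig output) returns NXDOMAIN.
    qname = "BDASERVER.businessdts.com"
    isp_reply = build_response(11871, qname, RCODE_NOERROR, "198.105.244.117")
    auth_reply = build_response(11871, qname, RCODE_NXDOMAIN)
    print(parse_response(isp_reply), parse_response(auth_reply))
    print("verdict:", classify(isp_reply, auth_reply))
```

Three outcomes are distinguished on purpose: "clean" means the resolver relayed NXDOMAIN, "wildcard" means the answer matches what the zone's authoritative server itself returns (so the wildcard record Solution 1 suggests is in place and no one is tampering), and "nxdomain-hijack" or "rewritten" means the resolver's answer disagrees with the zone, which is the condition Solution 2 describes and a reason to switch resolvers.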
Solution 3:
Someone points a sub-domain, or any DNS entry for that matter, that doesn't exist at another address by doing NXDOMAIN hijacking, which means greedy DNS owners will rewrite entries to point to ad-based pages.
There is a very simple answer to this: enable DNSSEC on your domain, which will prevent anyone from giving an answer from another DNS server (like your ISP's).