Preventing lame delegation hijacking
A lame delegation occurs when a name server (NS) record for a domain or subdomain specifies an authoritative name server that is incorrect or improperly configured and cannot serve DNS data for the domain.
For example, if the NS record at the top-level domain (TLD) or parent zone points to IBM® NS1 Connect® name servers, but the corresponding DNS zone is not published to those NS1 Connect name servers, this is considered a lame delegation. In addition to prolonging the DNS resolution process, lame delegations present a security risk and must be corrected as soon as possible.
Lame delegation hijacking refers to a situation in which a person or entity takes advantage of expired or incorrect name server domains to manipulate DNS resolution. Hijacked domains are often used to redirect incoming DNS traffic to fraudulent or malicious content while still appearing as though the domains are owned and operated by the domain registrants.
Following are best practices to help prevent lame delegation hijacking:
- Do not update the name server delegation until you have created the DNS zone on the NS1 Connect platform and are ready to initiate traffic flow through NS1 Connect authoritative name servers. In addition to reducing the risk of lame delegation, creating the zone first helps avoid a zone collision if the zone is on hold by the NS1 Connect platform pending owner verification.
- Maintain a healthy DNS lifecycle management process by checking your name server delegations at the domain registrar, primary zone, or parent zone.
- Configure DNSSEC on your primary zones and subdelegations to apply cryptographic authentication, allowing recursive DNS resolvers to validate responses from the authoritative name servers.
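The delegation check described in the best practices above, as an added example that is not IBM or NS1 Connect code: it asks every name server listed in the parent's NS set for the zone's SOA and reports servers that cannot serve the zone. The decision logic is offline and runs against constructed answers; the host names are placeholders, and the optional live transport assumes the third-party dnspython library is installed.

```python
"""Lame-delegation check with an injectable DNS transport.

Added example, not IBM or NS1 Connect code. Host names below are
constructed placeholders. The live transport (dnspython) is optional;
the decision logic runs offline against constructed answers.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class NsAnswer:
    """What one delegated name server said when asked for the zone's SOA."""
    rcode: str              # NOERROR, REFUSED, SERVFAIL, NXDOMAIN, TIMEOUT or NS_UNRESOLVABLE
    aa: bool = False        # Authoritative Answer flag set in the response
    has_soa: bool = False   # the answer section carried the zone's SOA


@dataclass
class DelegationReport:
    zone: str
    lame: Dict[str, str] = field(default_factory=dict)   # name server -> reason
    healthy: List[str] = field(default_factory=list)

    @property
    def is_lame(self) -> bool:
        """True if any server in the parent's NS set cannot serve the zone."""
        return bool(self.lame)

    @property
    def unresolvable_ns(self) -> List[str]:
        """Servers whose own host name no longer resolves. Prioritise these:
        an expired name-server domain is what a hijacker can register."""
        return [ns for ns, why in self.lame.items() if why.startswith("name server host")]


def classify(answer: NsAnswer) -> Optional[str]:
    """Map one server's response to a lameness reason, or None if healthy."""
    if answer.rcode == "NS_UNRESOLVABLE":
        return "name server host does not resolve"
    if answer.rcode == "TIMEOUT":
        return "no response"
    if answer.rcode in ("REFUSED", "SERVFAIL"):
        return f"{answer.rcode}: zone not loaded on this server"
    if answer.rcode != "NOERROR" or not answer.has_soa:
        return "no SOA returned for the zone"
    if not answer.aa:
        return "answer is not authoritative (AA flag clear)"
    return None


QueryFn = Callable[[str, str], NsAnswer]   # (name server, zone) -> NsAnswer


def check_delegation(zone: str, delegated_ns: List[str], query: QueryFn) -> DelegationReport:
    """Ask every server listed in the parent's NS set for the zone's SOA."""
    report = DelegationReport(zone=zone)
    for ns in delegated_ns:
        reason = classify(query(ns, zone))
        if reason is None:
            report.healthy.append(ns)
        else:
            report.lame[ns] = reason
    return report


def live_query(ns: str, zone: str) -> NsAnswer:
    """Real transport using dnspython (assumed installed); needs network access."""
    import dns.flags, dns.message, dns.query, dns.rcode, dns.rdatatype, dns.resolver
    try:
        addr = dns.resolver.resolve(ns, "A")[0].to_text()
    except Exception:           # NXDOMAIN, NoAnswer or timeout: the NS host itself is gone
        return NsAnswer(rcode="NS_UNRESOLVABLE")
    try:
        resp = dns.query.udp(dns.message.make_query(zone, dns.rdatatype.SOA), addr, timeout=3)
    except Exception:
        return NsAnswer(rcode="TIMEOUT")
    has_soa = any(rr.rdtype == dns.rdatatype.SOA for rr in resp.answer)
    return NsAnswer(rcode=dns.rcode.to_text(resp.rcode()),
                    aa=bool(resp.flags & dns.flags.AA), has_soa=has_soa)


# Constructed scenario: the parent delegates example.test to three servers, but
# the zone was only ever published on the first, and the third server's
# domain has lapsed. This is exactly the state the best practices warn against.
CONSTRUCTED_ANSWERS = {
    "ns1.new-provider.example.": NsAnswer("NOERROR", aa=True, has_soa=True),
    "ns2.new-provider.example.": NsAnswer("REFUSED"),
    "ns.lapsed-provider.example.": NsAnswer("NS_UNRESOLVABLE"),
}


def sample_report() -> DelegationReport:
    """Run the check over the constructed scenario (no network)."""
    return check_delegation("example.test.", list(CONSTRUCTED_ANSWERS),
                            lambda ns, zone: CONSTRUCTED_ANSWERS[ns])


if __name__ == "__main__":
    report = sample_report()
    for ns, why in report.lame.items():
        print(f"LAME  {ns} ({why})")
    for ns in report.healthy:
        print(f"OK    {ns}")
```

To use it on a real zone, feed `check_delegation` the NS set as published by the registrar or parent zone (not the NS records inside your own zone, which can disagree) together with `live_query`. Run it on a schedule: a delegation that was healthy at cut-over becomes lame the day a name server's domain expires or a zone is removed from a provider, and `unresolvable_ns` is the list to act on first.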
Controls to prevent lame delegation hijacking
NS1 Connect has controls in place to help prevent lame delegation hijacking and to enhance zone ownership security.
- NS1 Connect puts a hold on (parks) zones that are delegated to NS1 Connect authoritative name servers but are not yet created in NS1 Connect.
- Subdomain zones cannot be created in an account other than the one where the parent zone exists.
- Parent zones cannot be created in an account if a subdomain zone already exists in a different account.
Parked zones
Each day, NS1 Connect scans the registries for domains that are delegated to NS1 Connect name servers but are not created in NS1 Connect. NS1 Connect automatically parks those zones in an internal account to prevent malicious actors from hijacking the zone.
If a zone is parked, and you try to create that zone in NS1 Connect, a zone collision occurs. You must contact IBM support so that they can verify that you are the owner of the domain.
After they verify that you are the owner, IBM support removes the zone that has a lame delegation from the parked state. You can then create the zone in NS1 Connect.