back to article Bloke takes over every .io domain by snapping up crucial name servers

A blunder during a handover of the .io registry allowed a security researcher to potentially take control of more than 270,000 .io domains. Late Friday, Matthew Bryant noticed an unusual response to some test code he was using to map top-level domains: several of the .io authoritative name servers were available to register. …

  1. Anonymous Coward

    It was predicted by Arthur C. Clarke...


    1. Destroy All Monsters Silver badge

      Re: It was predicted by Arthur C. Clarke...

      Because that is now a subdomain of .africa?

  2. Nolveys

    Such a missed opportunity for the mass promotion of midget hang glider porn.

    1. kain preacher

      I wanted janet reno hillary porn.

      1. Anonymous Coward
        Anonymous Coward

        some things cannot be unseen.

      2. kain preacher

        Man I thought el reg folks would never down vote a mans choice of porn. Goes back to drawing huge tits on trump to fap to.

    2. caffeine addict

      "midget hang glider porn"

      Paper airplanes made from grumble mags?

  3. Mark 85

    Matthew Bryant

    Could it be? Enquiring minds and all that....

    1. Destroy All Monsters Silver badge

      Re: Matthew Bryant

      Somebody must ask him whether he hates anything Sun and Solaris.

      1. asdf

        Re: Matthew Bryant

        >Somebody must ask him whether he hates anything Sun and Solaris.

        Was pretty obvious if he wasn't collecting a paycheck directly or indirectly from HP(E now) he was their biggest fanboi.

    2. paulf

      Re: Matthew Bryant

      "The .io registry lists seven such name servers – and Bryant managed to take control of four of them for $95.99 apiece."

      This enquiring mind would be interested to know if he got a refund on his $383.96, in addition to any bug bounty he may have qualified for.

  4. Steve Knox


    Also, it's doubly worth pointing out that DNS lookups are often cached, so the chances that a lookup will go all the way to the authoritative servers, and hit one of the hijacked ones, is low.

    On the other hand, for exactly the same reason, any lookup which did hit a hijacked server might remain cached by non-authoritative name servers and be served up to all of their clients until either the operator of the caching servers finds out and clears the suspicious records or the TTL (which a malicious actor might set quite high*) expires...

    * The TTL field in the DNS specification was originally a 32-bit signed integer, allowing values over 2 billion seconds (~68 years). Later clarification required that negative values be treated as 0, but still permits a 68-year positive TTL.

  5. Alister

    So he didn't register the name-servers as such, just the domains that point to them.

    Slightly strange though, it's unusual for a name-server record to be on the root of a domain, normally you'd have an A record, such as ns1.domain.tld pointing to each name-server, but in this case the .io namespace was including domain.tld as a DNS server. Seems a waste of a domain.

    The other ones, on the domain are more conventionally set up.

  6. myithingwontcharge

    Glue records?

    This sounds like an almighty cockup. Since his nameservers were on the same domain, the .io TLD would need active glue records for his server names under .io, which it seems were actually present.So maybe someone at .io removed or renamed their servers but forgot to remove the glue records?

    While they could have fixed this by removing those records and allowing him to keep the domains which would then be pointless, it sounds like they revoked his actual domain name purchases. Which doesn't in itself sound enough to properly fix the problem?

  7. Gene Cash Silver badge

    "its official administration email bounced"

    FML. I'd say "who put these 'tards in control" but we have Trump and Brexit, so that question's answered.

    "Bryant told us he received "gigabytes" in DNS queries from clients."

    Don't serve them. That'll get you a call back quick!

    1. Doctor Syntax Silver badge

      "Don't serve them. That'll get you a call back quick!"

      According to TFA he didn't. That would mean that the query would then fall back to another server until it found one that did.

  8. Anonymous Coward
    Anonymous Coward


    IO, IO its off to pwn we go.

    With a script and a wave its time to pwn


    Are there only 7 servers because of some linknto Snow White?

    They should named them accordingly.

    1. Brewster's Angle Grinder Silver badge

      Re: Iiiiiioooooo

      Well it appeared they had four dopeys. And now they have more than one grumpy.

  9. Halfmad

    "Bloke takes over every .io domain by snapping up crucial name servers"

    then a few paragraphs down

    "It's worth pointing out that owning four of the seven authoritative name servers doesn't grant full control over .io."

    So which is it el 'reg?

    1. Doctor Syntax Silver badge

      "So which is it el 'reg?"

      Oh, come on. You know the rules round here. A headline needs only have a passing resemblance to the article's content.

      In this case the resemblance is that nearly half of DNS queries for any of all the .io domains could have become dependent on one of the server domains he'd taken over. ISTM that that's a better than average justification for an el Reg headline and a rather alarming one at that.

      1. sabroni Silver badge

        90% of the time

        it works everytime!

        1. Tom 38

          Re: 90% of the time

          One in a million shots come good nine times out of ten, according to the books I read.

  10. Mr Dogshit

    Never fucking heard of it


    1. Bronek Kozicki

      Re: Never fucking heard of it

      For example, which appeared in El Reg comments section not too long ago.

    2. WibbleMe

      Re: Never fucking heard of it

      Indian Ocean

      1. petef

        Re: Never fucking heard of it

        Rather less than the ocean, IO is British Indian Ocean Territory, population ~2,500.

    3. breakfast Silver badge

      Re: Never fucking heard of it

      It has some very high profile users - for a long time Old MacDonald hosted his farm at

      1. Anonymous Coward
        Anonymous Coward

        Re: Never fucking heard of it

        Dont forget about the subdomains on that farm.

        On that farm he had:

    4. EJ

      Re: Never fucking heard of it is a pretty neat site.

  11. WibbleMe

    Check Check and check again.... clearly the people running this were privaltly educated

    1. sabroni Silver badge

      privaltly educated


  12. Bronek Kozicki

    put a NS of a domain

    ... inside the domain for which NS is serving. For example , NS for .io inside .io domain. ALL OF THEM. I think whoever designed it, missed a trick. If I were to do it myself, at least some of the servers would be under different domains, to provide some redundancy.

    1. Mike007 Bronze badge

      Re: put a NS of a domain

      You seem to misunderstand the concept of redundancy with regards to DNS. Adding additional failure points is not "redundancy".

      If you have all the servers for under then this should be a well considered decision because a failure of EITHER or will cause problems. However if you are talking about dedicated DNS servers then putting them all under is the most optimal configuration in terms of both performance and reliability. Queries will go directly instead of resolvers having to do an entire extra DNS traversal, and the only thing you rely on is the parent servers for .com - if they go down then isn't resolving, is it?

      A TLD should not be dependent on anything except the root zone, using another TLD will either involve delays in resolving your TLD or will require that you get authority to add glue records to the root under someone elses zone. If you do the latter it would be functionally equivalent to using your own TLD, with added paperwork and failure points.

      In short, "Using the same TLD" is only a silly idea if that TLD is a different one to the one the domain is under. Putting your name servers under your own domain, on the other hand, is the correct and best way to do it.

      Of course the question then becomes what the root referrals looked like - correct IPs, or his IPs?

  13. Adam 1

    Curious. Could he have generated a wildcard certificate for *.io?

    Imagine the fun he could have had if this was live....

  14. Pascal Monett Silver badge

    "unaware of any issues arising from this brief exposure."

    Oh well then it's all right, isn't it ? Everything peachy. It's not like procedures should exist so that the possibility of issues should not happen. Not at all. Procedures are only invoked when issues do arise - so that way we have someone to blame. The rest of the time, no need for procedures.

    1. Terry 6 Silver badge

      Re: "unaware of any issues arising from this brief exposure."

      Stuff procedures. Someone was presumably being paid good money to make sure they know what is going on and prevent cock ups.

  15. Anonymous Coward
    Anonymous Coward

    DNS administration

    dlint people. dlint, for the love of all that's holy. Run it whenever you make a significant change to DNS and run it periodically to make sure nothing went pear-shaped on you. If four of your seven name server entries fail to resolve, figure out how to fix that. Now go back to your corner and read the cricket book.

  16. Alistair

    unaware of any issues arising from this brief exposure.

    Perhaps a future public indecency charge?

  17. benderama

    He should have offered the domains to HoTMaiL.

  18. asdf

    DNS scares me

    Personally run dnssec at home but have a feeling DNS is going to be one of the first causalities of the great cyber war. I don't think policy makers understand how much its become critical infrastructure and what a charlie foxtrot security has been with it for a very long time (definitely baked in after the fact both in specs, software and human run aspect of it). It and BGP both scare me as that is how you make the internet disappear for an entire country or region or even worse subvert it. The prepper in me says I should start looking at Namecoin at home in case I need to switch rapidly.

    1. asdf

      Re: DNS scares me

      Forgot to mention yes in this case its only .io but there is sloppy shit like this all over the DNS world (the x509 circle jerk as well). Band aid upon band aid. DNSSEC at least help prevent subversion somewhat but not being able to resolve a good portion of the internet isn't ideal either.

    2. Anonymous Coward
      Anonymous Coward

      Re: DNS scares me

      That is interesting.

  19. OhDearHimAgain

    "Somewhat unusually, .IO TLD decided it wanted to continue to run the .IO name servers, but outsourced the rest of the registry operations to Afilias."


    Afilias bought outright the operator "Internet Computer Bureau Limited" (aka "ICB"), which is also has the alias "IO Top Level Domain Registry", which is the "ccTLD Manager" - i.e. they bought dot-IO and all its control - lock, stock & barrel.

    But they didn't pass it by ICANN - naughty, naughty - A change of ccTLD Manager needs ICANN approval.

    So those poor Chagossians got ripped off to the tune of $70M - as dot-TV will tell you, a good ccTLD can go a long way to fund a traditional island heritage.

    So who did get the $70M ... well checkout who resigned their directorship at about the same time the company changed hands

    And what did the UK Gov know about all this ... they're keeping quiet, but then they just lost at the UN

    What a mess - time to call time on colonialism, eh?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like