Preventing domain hijacks on Pantheon
Domain name service (DNS) records directed at Pantheon can be vulnerable to a phenomenon called "domain hijacking," in which a malicious actor searches for "orphaned" DNS records pointing to an existing service. The attacker then signs up for that service and uses the vulnerable domain to host a malicious site.
These situations most commonly manifest as a spam or advertising site with a valid utexas.edu domain name, often in a foreign language.
Common scenarios for domain hijacks
The most common scenarios that lead to domain hijacks on Pantheon are:
- An existing website is moved from a different hosting platform (such as UT Web) to Pantheon, but the www-prefixed version of the domain using a CNAME DNS record is not explicitly added to the Pantheon dashboard. This leaves the www-prefixed version of the domain vulnerable to hijack.
- A Pantheon-hosted website is permanently retired, and the DNS records associated with the website are not deleted. This leaves any DNS records that were previously associated with the retired site vulnerable to hijack.
- A secondary or "legacy" domain that was redirecting to the new primary domain for a Pantheon site is removed from the Pantheon site dashboard, but the DNS records associated with that domain are not deleted. This leaves any DNS records that were previously associated with this domain vulnerable to hijack.
Preventing domain hijacks
Domain hijacks can easily be prevented by practicing good DNS "hygiene":
- When retiring a site from Pantheon, review the DNS records for all domains associated with that site and ensure that they are either deleted or updated to point to a new destination.
- When migrating a site from another hosting platform to Pantheon, review all domains previously associated with the origin site and ensure that they are all added to the "domains" tab of the LIVE environment on the new Pantheon site dashboard.
- Pay special attention to secondary domains that may be using CNAME records, such as the www-prefixed version of the primary domain, or previous/legacy domains for the same site. Domains using CNAME records to point to the primary domain will automatically start resolving to Pantheon once the primary domain is moved and will be vulnerable to domain hijack unless they are also explicitly added to the site dashboard.
- When moving a site from one Pantheon site dashboard to another, ensure that all domains that were in place on the original dashboard are moved to the new dashboard before removing the paid site plan from the original dashboard.
- When discontinuing use of a domain due to site retirement or retirement of a legacy domain, delete all DNS records associated with that domain.
These best practices apply both to utexas.edu domains with DNS hosted in Infoblox and to non-utexas domains that may use a commercial domain registrar's DNS system.
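As an added example (not from this article or from Pantheon's own tooling), the following Python audit applies the checks above to a DNS export: it follows CNAME chains and flags any name that resolves to Pantheon, either directly or through a primary domain that is on the dashboard, but is missing from the site dashboard's Domains list. The platform hostname suffix, the sample records and the dashboard list are assumptions constructed for the example.

```python
from typing import Dict, List, Tuple

# Assumption (not from the article): Pantheon platform hostnames end in this suffix.
PLATFORM_SUFFIX = ".pantheonsite.io"

DnsTable = Dict[str, Tuple[str, str]]  # name -> (record type, target)


def resolve_chain(name: str, records: DnsTable, max_hops: int = 8) -> List[str]:
    """Follow CNAMEs from `name` and return every name visited, in order.
    Stops at an A record, an unknown name, a CNAME loop, or max_hops."""
    chain = [name.lower().rstrip(".")]
    while len(chain) <= max_hops:
        rec = records.get(chain[-1])
        if rec is None or rec[0] != "CNAME":
            break
        target = rec[1].lower().rstrip(".")
        if target in chain:  # CNAME loop: stop instead of spinning forever
            break
        chain.append(target)
    return chain


def points_at_pantheon(name: str, records: DnsTable, registered: set) -> bool:
    """True if the name ends up on Pantheon: its chain reaches a platform
    hostname, or passes through a domain that is on the dashboard."""
    chain = resolve_chain(name, records)
    return chain[-1].endswith(PLATFORM_SUFFIX) or any(h in registered for h in chain)


def find_orphans(records: DnsTable, dashboard_domains: List[str]) -> List[str]:
    """Names that resolve to Pantheon but are missing from the Domains tab."""
    registered = {d.lower().rstrip(".") for d in dashboard_domains}
    return sorted(n for n in records
                  if n not in registered and points_at_pantheon(n, records, registered))


# Constructed sample zone data; 203.0.113.0/24 is a documentation range, not a Pantheon IP.
SAMPLE_RECORDS: DnsTable = {
    "dept.utexas.edu": ("A", "203.0.113.10"),                         # primary, on the dashboard
    "www.dept.utexas.edu": ("CNAME", "dept.utexas.edu"),              # scenario 1: www never added
    "retired.utexas.edu": ("CNAME", "live-retired.pantheonsite.io"),  # scenario 2: site retired
    "old.utexas.edu": ("CNAME", "live-dept.pantheonsite.io"),         # scenario 3: legacy domain removed
    "mail.dept.utexas.edu": ("CNAME", "mail.example.org"),            # unrelated service, not flagged
    "loop-a.utexas.edu": ("CNAME", "loop-b.utexas.edu"),              # CNAME loop, must not hang
    "loop-b.utexas.edu": ("CNAME", "loop-a.utexas.edu"),
}
SAMPLE_DASHBOARD = ["dept.utexas.edu"]

if __name__ == "__main__":
    for orphan in find_orphans(SAMPLE_RECORDS, SAMPLE_DASHBOARD):
        print("dangling record pointing at Pantheon:", orphan)
```

Run it against a zone export from Infoblox or the registrar's DNS and the dashboard's Domains list before retiring or migrating a site; every name it prints needs to be added to the dashboard or deleted.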
What to do in case of a domain hijack
Please report any suspected domain hijacks immediately to email@example.com. ITS staff will work with Pantheon's security team to have the malicious site disabled and the hijacked domain either "parked" on a secure site or moved to the correct site.
Domain hijacks can also be reported to Pantheon directly through the "Support" tab on a site dashboard or by emailing firstname.lastname@example.org.