Another domain is using our web app's IP address. How to prevent it?

Our web application is being mimicked by another domain ...

The domain in question is configured to resolve to the same IP address as yours. That's why it looks like they mimic you when in fact it is simply the same physical server, only accessed by another name.

But when using the URL from your question one gets a security warning in the browser: the certificate is for which does not match the name in the URL Since this warning will scare away most visitors I doubt that this is an attack but believe that it is simply a misconfiguration for

How can we prevent it?

You have no control over what others configure for their domain. This includes misconfigurations where they accidentally configure the wrong IP address for their site in DNS. This also includes that they don't update their records if they no longer use a domain, which means it might point to IP addresses which are used by others in the meantime. Anybody could configure their domain to point to an arbitrary IP address (including yours), both deliberately and by accident.

But what you can do is refuse access to your site or show an error when the domain name in the TLS handshake (i.e. HTTPS URLs) or the HTTP Host header does not match your site. How this is done depends on the specific server implementation you have. See for example "How can I block requests with the wrong Host header set?". And even if you don't care about such misconfigurations, enforcing the correct Host header is still recommended since it prevents some attacks like DNS rebinding.

Is your site If so, you aren't being mimicked, they just entered the IP address of your server in the DNS entry for their domain name. As a result, is hitting your web server. Since it's your server, it responds with your content (or web app, or whatever).

But since it's your server, you can also control how it responds. The first option that occurs to me is to create a name-based virtual host on your server under the name, and have it:

  • Redirect to your regular site.
  • Display a warning that the administrators of have messed up their DNS records.
  • Whatever else you want to do.

Has not someone on your team registered your IP address in a FreeDNS name before using the current DNS name for development or getting in remotely? It does not seem to be foul play.

I would investigate that, and if someone knows the old FreeDNS account, log in there and delete the entry. You might also probably be able to gain access to the FreeDNS account in question using a file on your site. Talk with their support. Barring that, the entry will eventually expire.

As for your web server, well it is your web server: you can always define virtual host names in your webserver, and either redirect the domain in question to your name, and/or define a virtual host with the legitimate name and open only the site when the proper domain is being used.
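
The Host check that the answers above describe, written as a WSGI middleware. This is an added example, not code from any of the answers; `app.example.com`, `ALLOWED_HOSTS`, `CANONICAL_URL`, `HostGuard`, `demo_app` and `probe` are placeholder names assumed for illustration.

```python
from wsgiref.util import setup_testing_defaults

# Assumption: placeholder values, replace with the names your site really serves.
ALLOWED_HOSTS = frozenset({"app.example.com"})
CANONICAL_URL = "https://app.example.com/"

def normalize_host(raw):
    """Lower-case the Host value, drop a numeric port and a trailing dot.
    Returns None when the header is missing or malformed."""
    if not raw:
        return None
    name, colon, port = raw.strip().lower().partition(":")
    if colon and not port.isdigit():
        return None          # also rejects IPv6 literals, which never match a name
    return name.rstrip(".") or None

class HostGuard:
    """Pass the request on only when Host names this site; otherwise answer
    421, or redirect a well-formed foreign name if redirect_to is set."""
    def __init__(self, app, allowed=ALLOWED_HOSTS, redirect_to=None):
        self.app, self.allowed, self.redirect_to = app, allowed, redirect_to

    def __call__(self, environ, start_response):
        host = normalize_host(environ.get("HTTP_HOST"))
        if host in self.allowed:
            return self.app(environ, start_response)
        if host is not None and self.redirect_to:
            # Location is a fixed value, never built from the request.
            start_response("308 Permanent Redirect",
                           [("Location", self.redirect_to), ("Content-Length", "0")])
            return [b""]
        body = b"Misdirected request: this server does not serve that host\n"
        start_response("421 Misdirected Request",
                       [("Content-Type", "text/plain"), ("Content-Length", str(len(body)))])
        return [body]

def demo_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"real site\n"]

def probe(host_header, redirect_to=None):
    """Send one constructed request through the guard; return (status, headers)."""
    environ = {}
    setup_testing_defaults(environ)
    environ.pop("HTTP_HOST", None)
    if host_header is not None:
        environ["HTTP_HOST"] = host_header
    seen = []
    guard = HostGuard(demo_app, redirect_to=redirect_to)
    guard(environ, lambda status, headers: seen.append((status, dict(headers))))
    return seen[0]
```

This covers only the HTTP Host header; the name sent in the TLS handshake is checked by whatever terminates TLS, normally through a default or catch-all virtual host there.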