Is it possible for a name server provider to hijack MX records?
Yes, your registrar can hijack not only your MX records, but your entire DNS.
Not only that - but they can then proceed to intercept mail sent to your domain, get a valid CA-signed SSL certificate for your domain, and host a site for your domain using the trusted SSL certificate. And DNSSEC won't prevent any of this.
One of the primary functions of your registrar is to register the nameservers for your domain. For example, if you do a whois lookup for stackexchange.com, you'll see that the registrar for stackexchange.com is eNom, LLC., and that the nameservers for stackexchange.com are hosted by Google Cloud and Amazon AWS. So, the DNS for stackexchange.com is handled by Google Cloud and Amazon AWS.
In the example that you gave in your question, cheap-unsecure-domains is the registrar for yourdomain.example. With cheap-unsecure-domains, you specified Cloudflare's nameservers as nameservers for yourdomain.example. So, DNS for yourdomain.example is handled by Cloudflare's nameservers. Then, in Cloudflare's control panel, you set up your DNS records for yourdomain.example, including your MX records, etc.
So if cheap-unsecure-domains wanted to intercept your mail - they wouldn't need to hack into your account at Cloudflare to change your DNS records. They would simply change the nameservers for yourdomain.example to their own, then create MX records for yourdomain.example in their nameservers to point to their own mail servers. Then, they would start receiving mail sent to your domain.
Interestingly, they could start receiving mail for yourdomain.example securely using SMTP STARTTLS, without even getting an SSL certificate for yourdomain.example. They could just use their own certificate. See https://blog.filippo.io/the-sad-state-of-smtp-encryption/.
Now, things get more insidious. They can start receiving mail for [email protected] (or [email protected], or any of the other designated approved email addresses used for SSL domain validation). Then, they can request an SSL certificate for yourdomain.example from a trusted CA, and when the CA sends the verification link to [email protected], they'll receive it, and the CA will issue the certificate. Now, they can set up an A record for www.yourdomain.example, and run a site with a valid certificate for
At this point, you might be wondering - can't this type of attack be prevented using DNSSEC? The answer is no. DNSSEC records are stored in the DNS for the domain. When the registrar changes the nameservers for yourdomain.example to their own, the DNSSEC records that you created for yourdomain.example are gone, along with all of the other DNS records that you created. See https://moxie.org/blog/ssl-and-the-future-of-authenticity/ for more info.
In theory it should be possible for cheap-unsecure-domains to hijack our MX records answering them by itself instead of referring to Cloudflare. Is this correct?
Yes, it would be possible for them to do this, although not without you noticing. So you can monitor this.
If yes, is there any type of protection against this kind of attack? Except using something like GPG.
Use a reputable domain registrar, not necessarily a cheap one. Monitor your DNS.
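The monitoring recommended above can be automated. The following is an added example, not code from any answer on this page; it assumes you keep a baseline of the NS and MX records you configured and feed it `dig +short` captures taken against the parent (TLD) zone, and all hostnames in it are constructed.

```python
# Added example (not from any answer on this page): compare the NS delegation
# and MX records currently published for a domain against the baseline you
# configured, and alert on drift. Query the parent zone (the TLD servers) for
# NS, not your own provider: if the registrar re-points the delegation, your
# Cloudflare zone still looks fine from the inside. All names are constructed.

EXPECTED = {
    "NS": {"ns1.cloudflare.example.", "ns2.cloudflare.example."},
    "MX": {"mail.yourdomain.example."},
}

def normalize(names):
    """Lowercase and add a trailing dot so equal names compare equal."""
    return {n.strip().lower().rstrip(".") + "." for n in names if n.strip()}

def parse_dig_short(text):
    """Turn `dig +short` output into a set of target hostnames.
    NS lines are bare names; MX lines are '<priority> <host>', so the last
    field is the host either way. Priorities are ignored on purpose."""
    return normalize(line.split()[-1] for line in text.splitlines() if line.split())

def snapshot_from_dig(ns_text, mx_text):
    """Build an observed-record snapshot from two dig +short captures."""
    return {"NS": parse_dig_short(ns_text), "MX": parse_dig_short(mx_text)}

def check_delegation(observed, expected=EXPECTED):
    """Return alert strings describing drift; an empty list means all clear."""
    alerts = []
    for rtype in ("NS", "MX"):
        want, got = normalize(expected[rtype]), normalize(observed.get(rtype, ()))
        if want - got:
            alerts.append(f"{rtype}: expected record(s) missing: {sorted(want - got)}")
        if got - want:
            alerts.append(f"{rtype}: unexpected record(s) present: {sorted(got - want)}")
    return alerts

# Constructed captures: the healthy state, and the state the answers describe
# after the registrar swaps the delegation and publishes its own MX.
OK_NS = "NS1.cloudflare.example.\nns2.cloudflare.example\n"
OK_MX = "10 mail.yourdomain.example.\n"
HIJACKED_NS = "ns1.cheap-unsecure-domains.example.\nns2.cheap-unsecure-domains.example.\n"
HIJACKED_MX = "10 mx.cheap-unsecure-domains.example.\n"

if __name__ == "__main__":
    for label, ns, mx in (("baseline", OK_NS, OK_MX), ("hijacked", HIJACKED_NS, HIJACKED_MX)):
        print(label, check_delegation(snapshot_from_dig(ns, mx)) or "no drift")
```

Run it from a cron job or a monitoring host outside your own infrastructure, and treat any non-empty alert list as a page-worthy event, since it is exactly the change the first answer describes.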
"In theory it should be possible for cheap-unsecure-domains to hijack our MX records. Is this correct?"
This is correct for a domain registrar company that is not reputable and whose security is considered lackluster! Good companies offer security services and suites for their customers, but this often comes at a cost, hence there are users who frequent other alternatives like these '
The most common practices to thwart such attacks (hijacking/social engineering/identity theft) would be:
- The standard good ol' cyber hygiene (strong passwords, two-factor authentication (2FA) on your 'domain control panel' and your domain owner email account)
- Avoid disreputable domain hosting providers (a good percentage of hijacking comes from exploiting a vulnerability in the domain name registrar's system)
- Keep your domain details and contact information up-to-date, and set notifications if changes are made (more of a recovery practice).
You've mentioned using Cloudflare as your control panel. They do offer a suite of security services at your disposal. Their DNSSEC might be suited for you.