{"id":50382,"date":"2021-11-25T08:24:52","date_gmt":"2021-11-25T07:24:52","guid":{"rendered":"https:\/\/www.digitalbusiness.africa\/how-i-hijacked-the-top-level-domain-of-a-sovereign-state-expert-opinion\/"},"modified":"2026-03-01T15:04:31","modified_gmt":"2026-03-01T14:04:31","slug":"how-i-hijacked-the-top-level-domain-of-a-sovereign-state-expert-opinion","status":"publish","type":"post","link":"https:\/\/www.digitalbusiness.africa\/en\/how-i-hijacked-the-top-level-domain-of-a-sovereign-state-expert-opinion\/","title":{"rendered":"How I hijacked the top-level domain of a sovereign state [Expert Opinion*]"},"content":{"rendered":"

[Digital Business Africa] –<\/strong><\/p>\n

Digital Business Africa brings you the testimony of Fredrik N. Almroth, ethical hacker and promoter of Detectify, who in 2020 acquired the domain name used in NS delegations for the Democratic Republic of Congo ccTLD (.cd). He then temporarily took control of 50% of all DNS traffic for websites using .cd and could have exploited it for malicious purposes and other abuses. His testimony as published on his website:<\/p>\n

Note: This issue has been resolved and the .cd ccTLD no longer sends NS delegations to the compromised domain.<\/em><\/p>\n

TL;DR: Imagine what could happen if the country-code top-level domain (ccTLD) of a sovereign state fell into the wrong hands. Here\u2019s how I (@Almroot<\/a>) bought the domain name used in the NS delegations for the ccTLD of the Democratic Republic of Congo (.cd) and temporarily took over 50% of all DNS traffic for the TLD that could have been exploited for MITM or other abuse.<\/strong><\/p>\n

\"dns<\/p>\n

Background<\/h2>\n

\u2018Twas the week before Christmas 2020 and I decided to run an analysis of all NS records used by all the TLDs globally. However one thing caught my attention. The domain name \u201cscpt-network.com\u201d had the EPP status code \u201credemptionPeriod\u201d, which meant that someone had failed to renew their domain (pay their invoice?) in time.<\/p>\n

This is quite problematic as the name servers managing .cd<\/code> are the following:<\/p>\n

almroot@x:~$ dig NS +trace cd | grep \"cd.\"\r\ncd.\t\t\t172800\tIN\tNS\tns-root-5.scpt-network.com.\r\ncd.\t\t\t172800\tIN\tNS\tigubu.saix.net.\r\ncd.\t\t\t172800\tIN\tNS\tsangoma.saix.net.\r\ncd.\t\t\t172800\tIN\tNS\tns-root-2.scpt-network.com.\r\ncd.\t\t\t172800\tIN\tNS\tsabela.saix.net.\r\ncd.\t\t\t172800\tIN\tNS\tns-root-1.scpt-network.com.\r\n<\/pre>\n
So I figured I might as well make a bash script to ping me of any EPP status change of the domain.<\/p>\n
To my surprise, about a week or so later, I got a ping that the domain had reached status \u201cpendingDelete\u201d.<\/p>\n
I realized the severity of this.<\/strong> The domain name would soon be available for purchase by anyone on the Internet, meaning that the person who gets hold of that domain name would also get the NS capabilities of .cd<\/code>.<\/p>\n
I modified the script, and started probing the registrar on a minute basis for any further status changes.<\/p>\n
On the evening of December 30, I got a ping. I opened my laptop and purchased the domain name to keep it from falling into the wrong hands.<\/strong><\/p>\n
\"scpt-network.com<\/p>\n
As the three remaining delegations pointing to SAIX (the South African Internet eXchange<\/a>) were still working, the TLD remained operable throughout this time (albeit with a slight performance impact on any domain lookups).<\/p>\n
Since I owned scpt-network.com<\/code>, I could configure any subdomain under the zone at will. If I created a new subdomain (like ns-root-1<\/code>) with an A-pointer to IP 1.3.3.7<\/code>, then 1.3.3.7<\/code> would get legitimate incoming DNS queries meant for .cd<\/code>. Any DNS response to those queries would be accepted by the caller<\/strong>.<\/p>\n
\"cd<\/p>\n
To not reply would cause the caller to reach a timeout, and the status code SERVFAIL would be assumed. This is good as a SERVFAIL will force the caller to try reaching any other name server (NS record) for the zone (.cd<\/code>). That is, the caller would eventually hit one of the legitimate SAIX records and be routed appropriately to the correct destination.<\/p>\n
Potential impact<\/h2>\n
Hijacking the country-code top-level domain of a sovereign state has serious negative implications, especially if the domain were to fall into the hands of cybercriminals or a foreign adversary. The Democratic Republic of Congo (DRC) is not a small country. There are roughly 90 million people<\/a>, not to mention many international companies and organizations operating with a .cd<\/code> website.<\/p>\n
DNS hijacking involving the TLD of an entire country is rare but not unheard of. For example, the ccTLD of the former Soviet Union (.su)<\/a> has been hijacked by cybercriminals in the past, and the Lenovo and Google websites for Vietnam (.vn)<\/a> also fell prey to DNS hijacking in 2015. Redirecting DNS traffic from legitimate .cd<\/code> websites to a phishing site is one clear potential for abuse, but there\u2019s more.<\/p>\n
If I had operated with malicious intent, I could have also:<\/p>\n