Monthly Archives: August 2016

Proximus DNS management or the absolute lack of security

All of our clients have their own domain names.
Usually, when a client needs a new domain name, we ask them to create an OVH account, buy the domain with it, and delegate technical management rights to our own account. That way we can manage the DNS zone while the client retains ownership of the domain name.

However, some of our clients have used Proximus (formerly Belgacom, Belgium's main internet provider) as their registrar, and in those cases the DNS is managed by Proximus.

When we want to change the DNS configuration of one of the domain names hosted by Proximus, this is the whole procedure:

  • send an email detailing the changes to dnsmaster@belgacom.be

That's all.
Usually, less than an hour after the request, you receive an email stating that the change has been carried out.


What this means is that ANYONE can send an email to Proximus asking for pretty much any change to any zone they host, and Proximus will apply it, no questions asked, no authentication required. The request is not signed, not sent from a verified address, and not tied to any customer account.
There is not even a notification sent to the registered owner of the domain to confirm that a change has been made.

That means it would be trivial to MITM all email traffic of a rival company whose DNS is hosted by Proximus: add an MX record with a lower preference value than the existing one pointing at a server you control, relay the mail to the real server, and nobody notices (how often do you think small companies check their MX records for changes?).

It would also be trivial to hijack ownership of the domain name: redirect the domain's email to a mail server you own, request a transfer to another registrar, and approve it yourself, since the confirmation (and any transfer code) is sent to the owner's address, which now lands in your mailbox. In very little time you could be the registrant of the domain.
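Both attacks above rely on nobody looking at the zone after it has been silently modified. The only defence a customer has in this situation is to watch their own records. The following is an added example, not code from the original post and not anything Proximus provides: a small monitor that compares a domain's MX and NS records against a known-good baseline and reports any drift. The domain, hostnames and DNS answers are constructed for the demo; the optional live lookup assumes the dnspython package is installed.

```python
"""Detect unexpected MX/NS changes against a known-good baseline (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

# A lookup takes (name, record type) and returns the set of record strings it found.
LookupFn = Callable[[str, str], Set[str]]


def normalize(rdata: str) -> str:
    """Canonical form so '10 MAIL.example.be.' compares equal to '10 mail.example.be'."""
    return " ".join(rdata.lower().split()).rstrip(".")


@dataclass(frozen=True)
class Drift:
    name: str
    rtype: str
    added: frozenset    # records present now but not in the baseline
    removed: frozenset  # records in the baseline that have disappeared


def check_records(baseline: Dict[Tuple[str, str], Set[str]], lookup: LookupFn) -> List[Drift]:
    """Return one Drift per (name, type) whose live answer differs from the baseline."""
    drifts: List[Drift] = []
    for (name, rtype), expected_raw in sorted(baseline.items()):
        expected = {normalize(r) for r in expected_raw}
        observed = {normalize(r) for r in lookup(name, rtype)}
        added = frozenset(observed - expected)
        removed = frozenset(expected - observed)
        if added or removed:
            drifts.append(Drift(name, rtype, added, removed))
    return drifts


def format_alert(drifts: List[Drift]) -> str:
    """Human-readable summary for an email or chat alert; empty string when clean."""
    lines = []
    for d in drifts:
        for r in sorted(d.added):
            lines.append(f"{d.name} {d.rtype}: UNEXPECTED record added: {r}")
        for r in sorted(d.removed):
            lines.append(f"{d.name} {d.rtype}: expected record missing: {r}")
    return "\n".join(lines)


def live_lookup(name: str, rtype: str) -> Set[str]:
    """Real resolver query; assumes dnspython (pip install dnspython) is available."""
    import dns.resolver  # imported lazily so the demo below runs without it
    return {r.to_text() for r in dns.resolver.resolve(name, rtype)}


# --- Constructed demo data (hypothetical domain and hosts, not real infrastructure) ---

# What the zone looked like when we last verified it by hand.
BASELINE: Dict[Tuple[str, str], Set[str]] = {
    ("example.be", "MX"): {"10 mail.example.be"},
    ("example.be", "NS"): {"ns1.example.be", "ns2.example.be"},
}

# Simulated answers after an attacker mailed a change request: the original MX is
# still there, but a new MX with a LOWER preference value (5 < 10) now wins, so every
# sender delivers mail to the attacker's relay first. The NS records are untouched.
CONSTRUCTED_ANSWERS: Dict[Tuple[str, str], Set[str]] = {
    ("example.be", "MX"): {"10 mail.example.be.", "5 mx.attacker-example.net."},
    ("example.be", "NS"): {"ns1.example.be.", "ns2.example.be."},
}


def constructed_lookup(name: str, rtype: str) -> Set[str]:
    """Stand-in for live_lookup that returns the constructed post-attack zone."""
    return set(CONSTRUCTED_ANSWERS[(name, rtype)])


if __name__ == "__main__":
    drifts = check_records(BASELINE, constructed_lookup)
    print(format_alert(drifts) or "no drift detected")
```

Run it on a schedule (a cron job every few minutes is enough) with `live_lookup` in place of `constructed_lookup`, and treat any output as an incident until someone confirms the change was requested. Whenever you legitimately change the zone, update the baseline in the same change, otherwise the monitor trains people to ignore it. The demo deliberately keeps the original MX in place: an attacker who only adds a lower-preference record captures all incoming mail while a casual glance at the zone still shows the familiar host.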


There is a shocking absence of even the most elementary security in Proximus's handling of DNS changes: no authentication of the requester, no confirmation from the domain owner, and no notification after the fact.