MLai

DNS Hijacking by negligence

DNS Hijacking by negligence - Always check your DNS records.


DNS hijacking has a few different definitions. I’ll refer to mine as DNS hijacking by negligence. This is when you have a DNS entry that points to an IP or a hostname that is no longer active (dangling) or has changed, and a hijacker essentially takes it over. The result is a subdomain that is still hosted under your name (with your branding, etc.), but whose content is not yours. This is ultimately caused by you, but a hijacker also does their bit.

In this instance, I had removed an S3 bucket named sub.domain.com. I had forgotten that there was a DNS record for sub.domain.com, an A record pointing to sub.domain.com.s3-website-ap-southeast-2.amazonaws.com. Since bucket names are global within AWS, once I deleted it, the name was available for anyone else to take.

I suspect that there are scrapers out there crawling all DNS records and checking whether the target of each A record is still taken. If it is not, the name is sold to another party, who promptly registers the S3 bucket and puts a crap website on it.

The way I found out was that I do have my domain.com registered in Google’s Search Console, which is a useful tool to help you trigger recrawls of your sites as well as see any SEO errors. More interestingly, as it was a subdomain, Google wanted to let me know that someone with the email colectorakun69@gmail.com (which I’m happy to publicly list since there are no Google records for it) had been added as an owner of sub.domain.com!

#TLDR

  • Ensure you register your domains in Google’s Search Console.
  • When removing any public resources (like S3 buckets), go through all DNS records as well to ensure there are no dangling records.
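The second point is the one that is easy to forget, so here is a small audit script written for this post as an added example (it is not the author's code and not an AWS tool). It walks an exported list of DNS records, picks out every record whose target is a hostname rather than an IP, recognises targets that are S3 static-website endpoints (the hyphenated form from the post and the dotted form), and reports a record as dangling when the named bucket no longer exists or, for any other hostname target, when the target does not resolve. The export format, the `bucket_exists` and `resolves` callables, and all sample names under example.com are constructed for the example so it runs offline.

```python
"""Audit exported DNS records for dangling targets (added example, not from the post)."""
import ipaddress
import re
from dataclasses import dataclass

# S3 static-website endpoints: <bucket>.s3-website-<region>.amazonaws.com
# (hyphen form, as in the post) or <bucket>.s3-website.<region>.amazonaws.com.
S3_WEBSITE_RE = re.compile(
    r"^(?P<bucket>.+)\.s3-website[.-](?P<region>[a-z0-9-]+)\.amazonaws\.com$",
    re.IGNORECASE,
)

@dataclass
class DnsRecord:
    name: str
    rtype: str     # A, CNAME, ALIAS, ...
    target: str    # IP address or hostname

@dataclass
class Finding:
    name: str
    target: str
    reason: str

def parse_records(text: str) -> list[DnsRecord]:
    """Parse a minimal 'name type target' export, one record per line (constructed format)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        name, rtype, target = line.split()[:3]
        records.append(DnsRecord(name.rstrip("."), rtype.upper(), target.rstrip(".")))
    return records

def is_ip(value: str) -> bool:
    """True for an IPv4/IPv6 literal, False for a hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def find_dangling(records, bucket_exists, resolves) -> list[Finding]:
    """Flag records whose hostname target points at something you no longer hold.

    bucket_exists(bucket, region) and resolves(hostname) are injected so the
    audit can run offline; the usage note describes live implementations.
    """
    findings = []
    for rec in records:
        if is_ip(rec.target):
            continue  # literal IPs need a different check (e.g. released Elastic IPs)
        m = S3_WEBSITE_RE.match(rec.target)
        if m:
            if not bucket_exists(m.group("bucket"), m.group("region")):
                findings.append(Finding(rec.name, rec.target,
                                        "S3 website endpoint for a bucket that no longer exists"))
            continue
        if not resolves(rec.target):
            findings.append(Finding(rec.name, rec.target, "target hostname does not resolve"))
    return findings

# Constructed sample export; the names use the reserved example.com domain.
SAMPLE_EXPORT = """
; name                  type   target
sub.example.com.        A      sub.example.com.s3-website-ap-southeast-2.amazonaws.com.
assets.example.com.     CNAME  assets.example.com.s3-website.us-east-1.amazonaws.com.
www.example.com.        CNAME  example.com.
old.example.com.        CNAME  retired-host.example.net.
example.com.            A      203.0.113.10
"""

# Constructed stand-ins for the live checks: only these names "exist".
SAMPLE_BUCKETS = {("assets.example.com", "us-east-1")}
SAMPLE_RESOLVABLE = {"example.com"}

def audit_sample() -> list[Finding]:
    """Run the audit over the constructed export with the constructed checks."""
    return find_dangling(
        parse_records(SAMPLE_EXPORT),
        bucket_exists=lambda bucket, region: (bucket, region) in SAMPLE_BUCKETS,
        resolves=lambda host: host in SAMPLE_RESOLVABLE,
    )

if __name__ == "__main__":
    for f in audit_sample():
        print(f"DANGLING {f.name} -> {f.target}: {f.reason}")
```

On the sample data this reports sub.example.com (its bucket is gone, exactly the situation in the post) and old.example.com (its target no longer resolves), and leaves the working S3 alias, the CNAME to the apex and the plain A record alone. For a live run, `resolves` can wrap `socket.getaddrinfo` and treat `socket.gaierror` as "does not resolve", and `bucket_exists` can be an authenticated `HeadBucket` call through the AWS SDK for buckets you own; inferring existence from an unauthenticated request to the website endpoint is less reliable, since a missing index document and a missing bucket both come back as 404, so that is left as an assumption rather than coded here.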
