Sacrificial Lambs of the Internet: DNS Hijacking via EPP Loopholes
DNS is the fundamental address book of the internet, responsible for converting human-readable domain names into IP addresses. When users navigate to a site like Google, they trust that the underlying resolution process is secure. However, in a recent talk at VULNCON 2025 titled "Sacrificial Lambs of the Internet," security researcher Devansh Batham (Team Lead, Technical Services at HackerOne) unveiled a systemic vulnerability rooted in the legacy architecture of the internet itself. Batham has strong expertise in vulnerability research, responsible disclosure and security operations, and works closely with researchers and organizations to identify and remediate high-impact security issues, with a focus on strengthening internet and DNS infrastructure. His research exposes how an obscure loophole in the Extensible Provisioning Protocol (EPP) has historically rendered millions of domains, including giants like TikTok, susceptible to immediate hijacking.
The Anomaly: Patterns in the Noise
The investigation began with a routine bug hunt in which Batham observed a target domain returning a SERVFAIL error code. While a SERVFAIL usually indicates a generic failure, a deeper inspection using dig +trace revealed a specific anomaly: the domain's Name Servers (NS) were themselves returning NXDOMAIN, meaning the name server hostnames did not exist. Crucially, these non-existent name servers followed a programmatic pattern: drop-this-host-[UUID]-[random-string].biz. This naming convention was too specific to be a manual error. By analyzing ICANN zone files across 500+ Top-Level Domains (TLDs) and using LLMs to detect patterns in billions of rows of data, the research uncovered a massive scale of exposure: initially, 25,000 domains across 600 companies were pointing to similar "disposable" name server patterns.
The Root Cause: The "Dependent Object" Trap
To understand why these strange name servers exist, one must look at the relationship between Registries (who manage TLDs like .com) and Registrars (who sell domains like Namecheap). They communicate using the Extensible Provisioning Protocol (EPP), an XML-based standard. According to RFC 5731, a domain cannot be deleted if "subordinate objects" are associated with it. This triggers Error 2305: Dependent object exists.
The Deadlock Scenario:
- Alpha.com acts as a name server for Beta.com (ns1.alpha.com).
- Alpha.com expires and needs to be deleted.
- The Registry blocks the deletion because removing Alpha.com would break Beta.com.
The Flawed Fix: To bypass this error and clear their inventory, Registrars automate a "rename" process. They rename the dependent name server (ns1.alpha.com) to a random string (e.g., random-string.biz) to break the dependency and allow the deletion of the parent domain.
The Vulnerability: The critical failure occurs because Registrars often rename these servers to hostnames under domains that do not exist and are available for public purchase.
- The Registrar changes Beta.com's name server to random-string.biz.
- Beta.com is now orphaned.
- An attacker scans for this pattern, registers random-string.biz, and immediately gains control over Beta.com's traffic.
Batham termed these "Sacrificial Name Servers" because Registrars create them solely to sacrifice them for the deletion of another domain.
The 1.6 Million Domain Exposure
The research highlighted a catastrophic historical precedent involving TikTok and Namecheap. On July 25, 2016, a massive deletion event occurred involving registrarservers.com, a default name server used by Namecheap. An automation script, designed to handle the EPP dependency error, renamed the name servers for 1.6 million domains to random strings ending in .info or .biz, all of which were available for purchase.
- The Impact: For a period of time, 1.6 million domains were vulnerable to hijacking.
- TikTok: TikTok.com was among the victims; its name servers pointed to purchasable domains.
- Persistence: As of 2025, 49 of those domains remain vulnerable, still pointing to the name servers generated during the 2016 incident.
The Zombie Threat Today
While some Registrars have patched this specific flaw, the issue remains pervasive. Batham's internet-wide scanning identified approximately 200,000 domains currently vulnerable to this attack vector.
Malicious actors are actively exploiting this "zombie" infrastructure. The research found evidence of betting and casino operators identifying vulnerable domains with strong SEO histories, hijacking the sacrificial name server, and repurposing the domains for gambling sites.
Remediation: Closing the Loophole
This vulnerability is a supply-chain issue inherent to the automation practices of Registrars.
For Registrars: The primary fix is to stop renaming dependent objects to hostnames under unregistered domains. When handling Error 2305, Registrars must ensure the new name server is a subdomain of a domain they strictly control.
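The registrar-side guard for this fix, written as an added Python example (not the talk's or any registrar's code): the zone name is a placeholder, the 2305 reply is constructed, and the rename is the RFC 5732 host:update with host:chg that the automation in the Root Cause section issues, except that it now refuses any target outside a zone the registrar controls.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

EPP_NS = "urn:ietf:params:xml:ns:epp-1.0"
# Placeholder zone: any domain the registrar itself owns and will never let expire.
RETIRED_HOST_ZONE = "retired-hosts.registrar-example.net"

def result_code(response_xml: str) -> int:
    """Extract <result code="..."> from an EPP response (RFC 5730)."""
    root = ET.fromstring(response_xml)
    return int(root.find(f"{{{EPP_NS}}}response/{{{EPP_NS}}}result").get("code"))

def is_under_controlled_zone(host: str, zone: str = RETIRED_HOST_ZONE) -> bool:
    return host.rstrip(".").lower().endswith("." + zone)

def retired_host_name(old_host: str, zone: str = RETIRED_HOST_ZONE) -> str:
    """ns1.alpha.com -> ns1-alpha-com.<zone>: unique per old host, under a zone we control."""
    return old_host.rstrip(".").lower().replace(".", "-") + "." + zone

def build_host_rename(old_host: str, new_host: str, cltrid: str) -> str:
    """RFC 5732 <host:update> that renames the dependent host object. The guard is the
    fix described above: a target outside our zone would orphan every domain using it."""
    if not is_under_controlled_zone(new_host):
        raise ValueError(f"refusing to rename {old_host} to uncontrolled name {new_host}")
    return (
        '<?xml version="1.0" encoding="UTF-8" standalone="no"?>'
        f'<epp xmlns="{EPP_NS}"><command><update>'
        '<host:update xmlns:host="urn:ietf:params:xml:ns:host-1.0">'
        f'<host:name>{escape(old_host)}</host:name>'
        f'<host:chg><host:name>{escape(new_host)}</host:name></host:chg>'
        f'</host:update></update><clTRID>{escape(cltrid)}</clTRID></command></epp>'
    )

def clear_dependency_if_needed(delete_response_xml: str, dependent_host: str, cltrid: str):
    """On a 2305 result to <domain:delete>, return the rename command to send first;
    on any other result there is nothing to do."""
    if result_code(delete_response_xml) != 2305:
        return None
    return build_host_rename(dependent_host, retired_host_name(dependent_host), cltrid)

# Constructed 2305 response to a <domain:delete> for alpha.com (not a real registry reply).
SAMPLE_2305 = (
    f'<epp xmlns="{EPP_NS}"><response>'
    '<result code="2305"><msg>Object association prohibits operation</msg></result>'
    '<trID><clTRID>ABC-1</clTRID><svTRID>54321-XYZ</svTRID></trID></response></epp>'
)
```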
For Domain Owners: Because this happens at the Registrar level, domain owners are often unaware their assets have been compromised. Batham advises running cron jobs that dig each domain. If a domain returns SERVFAIL while its name servers return NXDOMAIN, it requires immediate investigation to prevent a takeover.
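The SERVFAIL-plus-NXDOMAIN check from the Anomaly section and the owner-side cron job above, as an added Python example (not the talk's own tooling): the resolver is injected so the logic runs offline against a constructed answer table, the drop-this-host regex is an assumption derived from the pattern described above, and dig_lookup, which shells out to dig, is what a real cron job would pass in instead.

```python
import re
import subprocess
from typing import Callable, List, Tuple

# Assumed shape of the sacrificial hosts from the talk: drop-this-host-<uuid>-<random>.biz
SACRIFICIAL_RE = re.compile(
    r"^drop-this-host-[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}-[a-z0-9]+\.(?:biz|info)\.?$", re.I)

Lookup = Callable[[str, str], Tuple[str, List[str]]]  # (name, rrtype) -> (rcode, answers)

def registrable_parent(host: str) -> str:
    """Last two labels; a simplification that ignores multi-label suffixes like co.uk."""
    return ".".join(host.rstrip(".").lower().split(".")[-2:])

def check_domain(domain: str, lookup: Lookup) -> Tuple[str, List[str]]:
    """Returns (status, dead_hosts): status is "orphaned" when any delegated NS host
    lives under a domain that no longer exists, "suspicious" on a bare SERVFAIL, else "ok"."""
    # The NS set must come from the parent zone (as dig +trace shows it), because
    # a recursive resolver answers only SERVFAIL for an orphaned domain.
    a_rcode, _ = lookup(domain, "A")
    _, ns_hosts = lookup(domain, "NS")
    dead = [h for h in ns_hosts
            if lookup(registrable_parent(h), "SOA")[0] == "NXDOMAIN" or SACRIFICIAL_RE.match(h)]
    if dead:
        return "orphaned", dead
    return ("ok" if a_rcode == "NOERROR" else "suspicious"), []

def dig_lookup(name: str, rrtype: str) -> Tuple[str, List[str]]:
    """Live lookup that shells out to dig; the offline demo below does not use it."""
    out = subprocess.run(["dig", "+noall", "+comments", "+answer", name, rrtype],
                         capture_output=True, text=True, check=False).stdout
    status = re.search(r"status: (\w+)", out)
    fields = [ln.split() for ln in out.splitlines() if ln and not ln.startswith(";")]
    return (status.group(1) if status else "SERVFAIL"), [f[4] for f in fields if len(f) > 4 and f[3] == rrtype]

# Constructed sample answers (not real data): beta.example is delegated to a renamed
# sacrificial host whose .biz parent has since been dropped from the registry.
DEAD_HOST = "drop-this-host-123e4567-e89b-12d3-a456-426614174000-k3j9x.biz."
SAMPLE = {
    ("beta.example", "A"): ("SERVFAIL", []),
    ("beta.example", "NS"): ("NOERROR", [DEAD_HOST]),
    ("healthy.example", "A"): ("NOERROR", ["192.0.2.10"]),
    ("healthy.example", "NS"): ("NOERROR", ["ns1.healthy.example."]),
    ("healthy.example", "SOA"): ("NOERROR", ["ns1.healthy.example. hostmaster.healthy.example. 1 2 3 4 5"]),
}

def sample_lookup(name: str, rrtype: str) -> Tuple[str, List[str]]:
    return SAMPLE.get((name.rstrip(".").lower(), rrtype), ("NXDOMAIN", []))
```

For the live check, the NS query should be sent to the TLD's authoritative servers (as dig +trace does), since a recursive resolver will not return the delegation for a domain that SERVFAILs.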
Conclusion
SERVFAIL signal, an attacker can simply buy the keys to your traffic.