Someone bought 'Google.com' from Google for one minute (yahoo.com)
390 points by McKittrick on Oct 1, 2015 | 94 comments

What would happen if someone actually managed to move google.com to a non-Google registrar account under their control? Would someone step in and just seize it back? Can you imagine the magnitude of client devices hitting the wrong server for Gmail, Android updates, Chrome even for a few minutes?

I can imagine that such an attack would be dealt with a mix of manual intervention and technical measures, something in between the Google.com search page outage that happens once in a blue moon, and the false routes for YouTube.com IPs that have been propagated several times during the past few years.

Big companies that rely on Internet presence are quite pro-active, and there are teams of people whose job is to prevent something like this from happening in the first place.

DNS is not a secure protocol, and you can redirect connections intended for google.com from the same local network easily, yet the world still keeps turning.

>there are teams of people whose job is to prevent something like this from happening in the first place.

Reading that along with the rest of this thread reminds me just how bad it is to have so much of the internet rely on large sites like this. The amount of trust and dependency that rests on Google is very dangerous. The amount of damage to the world that could result in a failure of their service is beyond imagination.

On the other hand, it lets them do things like certificate pinning for themselves in their own browser, no? So, good and bad.

Chrome could ship pinned certs for whatever sites they want to cooperate with.

Vertical integration just means that Chrome cooperates more with Google's webadmins than Twitter's.

How exactly would that work? Modify an instance of bind and check if the client is requesting to resolve 'google.com'? If true, then respond with the rouge IP? First we must make sure the client machine is set up to use our name servers, the ones we have control over.

You can just set up the zones in e.g. your local network nameserver to say it's authoritative for google.com then send the traffic to wherever you want. Many companies do this on a large scale on their internal networks for the purpose of having easy-to-use names (that can have the nodes behind them changed out without changing anything else) using, mostly for backward-compatibility or legacy reasons, the same domains / zones that may resolve externally to different RRsets. This is known as split-horizon DNS: https://en.m.wikipedia.org/wiki/Split-horizon_DNS

Never use a rouge IP. They're red for a reason, man.

I'm glad someone else picked up on that! :)

You don't even need to set up the client; if you have control over any number of intermediate routers, you can snag/reroute port 53 TCP/UDP traffic any way you like. I tend to set up my home router to do this, so that all open DNS traffic goes where I tell it to.

It's also advised to do so for unauthenticated users on shared/public wifi so that you can provide an agreement page/site. Also, so that unauthenticated users can't use DNS as a tunnel method, which is pretty damned cool, but insecure.

> Also, so that unauthenticated users can't use DNS as a tunnel method, which is pretty damned cool, but insecure.

You can put TLS into a DNS tunnel too, it's just even slower.

I've done TCP-over-SSH-over-DNS many times (using iodine and sshuttle) and it was actually surprisingly usable! I could get over 200Kbps downstream. Iodine uses NULL requests -if allowed by the recursive DNS server- which can fit 1KB+ per request/reply.

I've set up my laptop to go to my home internal server (old laptop) for DNS. My quality-of-development-environment has increased because I can associate any internal in-development app I want with a hostname tied to my internal DNS prefix. Very useful for setting up nginx for multiple applications.

You can do it locally with dnsmasq or using xip.io, without an extra server.

You can do it by listening in promiscuous mode and injecting packets into the network pretending to be the DNS server.

You can also set up a rogue DHCP server that sends a different DNS address.

There are likewise many other methods.

google.com is under a registry lock, nobody can touch it without going through a security song and dance involving the registry (Verisign) and the registrar (MarkMonitor), so it's unlikely to happen.

This looks like because Google's domain selling tool thought he bought the domain, he was authorized for the domain for all the rest of the Google tools, which is scary, but probably not earth shattering. Kind of depends on what you can do in the tools to send people to another site.

If they actually hijacked the domain, they would probably kill their DNS servers, but they could do a lot of things, including likely get some domain control certificates (but likely not from the registrars Google pins to, and a lot of people have Google's certificate pins).

It seems highly likely that the tools he gained access to would actually be completely useless for google.com.

That would be like buying the world's biggest DDoS botnet, holy cow.

Come on dude. Google is far bigger than Baidu.

That was not the Baidu attack. This was the piratebay DNS attack. In other words, anyone in China with a passing interest in naked ladies.

Google has HSTS so requests will be prematurely terminated, however it'll still be a huge DDoS attack.

Well if you control the domain you can easily get an SSL cert (except some clients might pin the CA for google.com).

IIRC, all Chrome users are pinned for *.google.com

However, Chrome will still trust certs issued for Google domains that come from non-Google trusted issuers (things in your local trusted keystore).

It sucks because now your employee can MITM you for gmail/google chat/etc

Certificates are pinned too.

> Can you imagine the magnitude of client devices hitting the wrong server for Gmail, Android updates, Chrome even for a few minutes?

This somehow reminds me about Gamil [0]

[0] - https://en.wikipedia.org/wiki/Gamil_Design#Gmail

This happened before with the German TLD, google.de


DNS takes a few hours to fully propagate, last time I checked.

The propagation "speed" is the effect of clients honoring the records' TTLs. Clients and intermediate servers are responsible for pulling updates to whatever records they believe are stale; the DNS itself just sits there serving queries.

Clients and caches sometimes disregard the TTL or use their own, so sometimes changes to a record "haven't propagated" to some clients, but what's really going on is something that's supposed to keep its info fresh decided not to.

Though it's possible for clients to get out of date, the story of a built-in propagation speed you can't do anything about is based on misconceptions. The record owner has a lot of say in how and when their records get refreshed.

That depends on the expiry time ("Time To Live / TTL") set for the particular record. Minimum TTL is 1s, and maximum is 2e32 -1 seconds, or slightly over 136 years[1].

Resolver libraries and daemons keep cached results in volatile memory, so in practical terms, if a high TTL is set, the spoofed result will continue to be used until the given machine is rebooted. For some middle boxes, this can be years.

[1] RFC 1035 section 2.3.4 https://www.ietf.org/rfc/rfc1035.txt

I think the point is -- if the TTL is set low, most ISPs simply ignore it to a minimum setting of at least a few hours. So changing/pointing a Google hostname to a victim might not have that big an impact if done only for a few minutes.

I have seen ever-lower TTLs in the wild, sub-minute even, in the past few years. Even historically, TTLs have in my experience always been respected.

I think what really tends to happen, and this gets the folks confused, is that the initial TTL is high (say, 3 days), then the sysadmin wants to do some changes, and because they want to be able to keep changing the IP quickly, while they're working on it, they set the TTL low (say, 1 minute). Only you cannot retroactively lower the TTL of the records that have been sent previously, they'll expire whenever during the following 3 days.

Your point still stands, mostly. The probability of the old record with a high TTL to be evicted from a resolver's cache during any given short period of time is low.
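
Added example, not part of any comment in this thread: a small simulation of the caching behaviour discussed above, showing that lowering a TTL only helps resolvers that fetch the record after the change, and what a resolver-side TTL floor does to a short-lived change. The classes, the `min_ttl` floor and the 192.0.2.x addresses are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Record:
    address: str
    ttl: int  # seconds, as published by the authoritative server


class Authoritative:
    """The zone owner's server: always answers with the current record."""
    def __init__(self, record):
        self.record = record

    def query(self):
        return self.record


class CachingResolver:
    """Recursive resolver that keeps an answer until its TTL runs out.

    min_ttl models a resolver that raises low TTLs to its own floor
    (an assumption for this example; 0 honours the published TTL).
    """
    def __init__(self, upstream, min_ttl=0):
        self.upstream = upstream
        self.min_ttl = min_ttl
        self.cached = None
        self.expires_at = 0

    def resolve(self, now):
        # Only go upstream when nothing is cached or the entry has expired.
        if self.cached is None or now >= self.expires_at:
            rec = self.upstream.query()
            self.cached = rec.address
            self.expires_at = now + max(rec.ttl, self.min_ttl)
        return self.cached


def stale_seconds(old, new, change_at, warmed_at=None, min_ttl=0, step=60):
    """Seconds after the change during which the resolver still serves `old`."""
    auth = Authoritative(old)
    resolver = CachingResolver(auth, min_ttl)
    if warmed_at is not None:
        resolver.resolve(warmed_at)   # cache the old record before the change
    auth.record = new                 # owner swaps address and TTL
    now = change_at
    while resolver.resolve(now) != new.address:
        now += step                   # a client asks again every `step` seconds
    return now - change_at


# Constructed sample records (documentation address range).
OLD_LONG = Record("192.0.2.10", 3 * 86400)   # 3-day TTL
OLD_SHORT = Record("192.0.2.10", 60)         # 1-minute TTL
NEW = Record("192.0.2.20", 60)

if __name__ == "__main__":
    # Cache filled at t=0, record changed one hour later.
    print("warm cache, 3-day TTL:", stale_seconds(OLD_LONG, NEW, 3600, warmed_at=0))
    print("cold cache:           ", stale_seconds(OLD_LONG, NEW, 3600))
    # Low published TTL, but the resolver enforces a 3-hour floor.
    print("60s TTL, 3h floor:    ",
          stale_seconds(OLD_SHORT, NEW, 300, warmed_at=0, min_ttl=3 * 3600))
    print("60s TTL, no floor:    ", stale_seconds(OLD_SHORT, NEW, 300, warmed_at=0))
```

The same arithmetic applies to a spoofed or hijacked answer: a resolver that cached it keeps serving it until the TTL it was given (or its own floor) expires, regardless of what the authoritative server says afterwards.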

Back in the day I remember this was true, but nowadays when I make changes to DNS in USA, the change is nearly instantly reflected over here in the UK, and a matter of minutes for apparent propagation worldwide. It's gotten a lot faster!

I wonder whether Google hard-codes their authoritative nameservers through their consumer recursive DNS

He never actually owned it. This was just a bug in the Google domains control panel. The source of truth (I believe ICANN) would never have shown a change of ownership.

Well, the original post talks about him getting Google Webmaster tools for google.com, which while still not "owning" the domain itself, is interesting because it means more happened than just the domain buying app thinking he owned it.

He bought it using Google's own domain buying app. Presumably it is connected to the rest of Google's stuff and the other way around.

Yeah, I didn't mean the effects spread out of Google's stuff, just spread farther than Google's domain app.

I wonder how common it is to have such a bug? I would have thought the type of functions would be bullet proof.

Wouldn't it be better to link to the original post at https://www.linkedin.com/pulse/i-purchased-domain-googlecom-... ?

No, because that one requires registration to read.

I can easily read it, no registration required it seems.

Maybe LinkedIn detected a previous session and therefore wants you to log in?

Do you have the same behavior in a private window?

This link requires login for me even in private window.

I'm pretty sure LinkedIn filters by IP address. A long time ago, I noticed they let me through without logging in if I used my home connection, but made me log in if I were connecting through my VPN.

Note: exact same browser session, minutes apart.

It does not.

Nope. LinkedIn is a company/website I wouldn't touch with a stick.

Apparently this happened in 1999 with Microsoft's Passport.com as well [1], and again later with hotmail.co.uk [2]. While I understand that snafus like this can happen, I don't understand why the new owner would simply hand back the domain for essentially no compensation (especially in the case of hotmail.co.uk - this appeared to be a clean transfer of an expired domain). If they let the domain expire, it's fair game and should go for market price.

[1] http://www.doublewide.net/

[2] http://www.bloomberg.com/apps/news?pid=newsarchive&sid=at_jl...

If a company can reasonably show they own a trademark for a name in a region and should be awarded a domain, registrars will give away the domain. There have been plenty of cases where even old domains were taken away.

You are not awarded a domain name simply because you hold a trademark. There is evidence that domains have been awarded to trademark holders after a UDRP hearing and the trademark holder contested the validity of the registration. Read the UDRP guidelines [0].

There is also the counterpoint of the case of Nissan Motor Co vs. Nissan Computer Corp [1] where Nissan Motors owns the trademarks but have not been granted nissan.com.

[0] https://www.icann.org/resources/pages/policy-2012-02-25-en#4

[1] http://www.internetlibrary.com/cases/lib_case292.cfm

> where Nissan Motors owns the trademarks but have not been granted nissan.com.

Just to clarify, Nissan Computers also holds trademarks but in a different field of commerce.

Just like Volkswagen and Canon both hold trademarks on Eos.


ICANN has policies in place to preempt ridiculous arguments like this.

Hotmail.co.uk currently has an expiry date of 23-Oct-2015, only three weeks away. I hope they don't forget to renew it this time...

Google.com should be fine until 2020, but I randomly looked up some of their ccTLDs and a lot of them are set to expire in less than a year. Google.co.uk has only four months left.

I wonder why large companies with deep pockets don't just register all of their domains for the maximum duration. There are a few ccTLDs that only allow 1-2 year renewals, but those are few and far between. Most domains can be renewed for 5-10 years at a time.

The oddity of the situation is that the longer you register a domain for, the more likely you are to forget about its renewal.

However, most big companies use someone like Netnames, MarkMonitor, etc, who simply wouldn't let a domain drop, even if nobody asked them to renew it - instead they'll renew it themselves, keep it active, and simply add it to the next invoice.

Even so, it seems unnecessarily risky for MarkMonitor et al. to renew their customers' domains one year at a time, often at the last minute, instead of keeping a comfortable buffer of two or more years.

> I don't understand why the new owner would simply hand back the domain for essentially no compensation


Definitely a bug in Google domains. The real one expires 9/14/2020. https://who.is/whois/google.com/

Yeah, Google only bought the five-year renewal cuz they wanted to save a few bucks in case they change the name later.

Yea, but if Google says you own google.com, how 'unreal' is your claim?

Registrars can say whatever they want, it doesn't mean anything until the domain is properly listed in the TLD's main database, in this case VeriSign.

I remember a Slashdot article back in the 90s about a guy who renewed hotmail.com for Microsoft when they accidentally let it expire. The guy needed to get to his email but couldn't and he quickly discovered the problem and fixed it for them.

You mean the incident they mention in the article that was linked?


Nope. The details don't match not because GP has a bad memory but because it was a separate incident. Don't be a dick.

Ah, maybe it was the passport.com incident that was mentioned in another comment. Fair enough!

It was the same.


My guess is it's just a bug in Google domains, allowing them to 'register' domains that the lookup RPC failed for. Google doesn't act as the registrar for their own domain, so there was never any risk of the ownership actually getting transferred to him.

Honest question. If he bought the domain from Google and the transaction went through, is that not technically a legitimate transaction and "cancelling" and refunding the money is essentially theft?

How is that any different than walking in to someone's house and leaving them $20 for the TV you took? It seems to me that "oops, take-backs" is not a legitimate enough justification to reverse a transaction under contract law.

It seems rather ominous if even this kind of situation is permitted because it sets a precedent that corporations can simply decide to change their mind when something is not in their favor. Sure, it's an example that many people will simply rationalize or defend, but just on matters of assuring the credibility of the integrity of the whole market based system, Google should not be allowed to simply step away from this as if nothing happened without at least a fine that gets noticed by the executive suite.

How would you feel if in the future mega consolidated food corporation can arbitrarily decide that "oops, we changed our mind. That food you ate and sold to you for $X should have really been charged at $3X. Don't worry, we will charge your account. Have a nice day"

How about a different scenario; the airline industry decides that "oops, someone else was willing to pay more for that last seat on that flight you just booked. We just cancelled it and refunded your money. Have a nice day"

I get that it was probably a mistake of some kind. But what is it that immunizes corporations from the consequences of mistakes? I guess that's kind of rampant right now in our society and economy, but still.

Google Domains is not the registrar for google.com. MarkMonitor is. Your situation is analogous to agreeing to buy a deep-discount TV from someone off Craigslist, who meets up with you in a hotel parking lot, goes inside with you, points you to the TV in the lobby that you just "bought" and says take it. That TV was not for sale and the person "selling" it didn't own it. It's unreasonable to expect MarkMonitor to honor a sale that couldn't happen because some other registrar messed up.

Mistakes can and do happen in business all the time, because businesses are composed of people and people aren't perfect. The solution is to deal with mistakes in whatever is the most sane way.

There are consumer protection laws that protect both consumers and sellers when mistakes are made like in this case (at least here in Québec and Canada, it must be similar in the US).

Let's say you're selling a 10$ gift card on your website but through some bug/error it's now worth 1000$ (an easy mistake to make, just forget the decimal place). What if someone bought the 1000$ worth gift card for the original intended price of 10$? I'm sure you would invalidate that purchase and send them an email explaining that it was a mistake, and it would be perfectly within your rights to do so.

It goes both ways too, if a mistake is made that advantages the seller, they have to fix it.

In Ireland someone managed to redirect google.ie (the Irish Google search domain):


The ccTLD register (The IEDR) had a vulnerability in their management portal that was exploited (I believe it was an SQL injection if I recall correctly).

The attacker changed the DNS servers to their own and then put an A name record pointing google.ie to their own server.

The server just displayed a "hijacked by" page.

It was probably just some kid. If it was a criminal they would have done something far more malicious.

yahoo.ie also got hijacked.

It was an absolute pain, for months after the IEDR's portal was disabled, you had to call them to make any changes to any .ie domain.


Thank you.

Mods can you please change to the source URL instead? (Not that I'm a fan of linkedin...)


Edit: Here's a mirror for those that happen to have linkedin.com nullrouted in hosts or something: https://archive.is/HKPhn

We didn't do that earlier because it seemed like the current article added more info. Is that wrong?


I just tried opening it in private browsing (not logged in) and I could access the LinkedIn article just fine.

I'm not logged on linkedin and I don't have a problem. I don't even have an account.

Whoa thanks for mentioning this; I've always been "logged in" to LinkedIn that I never knew you had to be logged in to see their content. That's a shame.

Edit: jschmitz28 is a liar; you can access without being logged in just fine.

> jschmitz28 is a liar

Not cool. Perhaps you meant it humorously, but please don't post things like that here.

It is working for me now. At the time of my post, opening the link incognito redirected to the same page as when you click the "Join today" link in the top right: https://www.linkedin.com/start/join?trk=hb_join

I'm surprised I didn't see this on the morning news and wow what a thrill it must have been.

finally. i like the idea someone can remove my last purchase and manipulate my account.

It wasn't a valid purchase. What would you expect to happen? Google.com, like the Brooklyn Bridge, isn't for sale.

To expand on this, google.com is registered through MarkMonitor, which is a registrar. Google Domains is also a registrar. A registrar cannot sell a domain that is owned, and certainly not one that is owned by a client on another registrar! There was some error on the Google Domains side that indicated a domain was available for purchase that was in fact not available for purchase. That's it. The money was refunded when the error was reported. It's the only possible sane solution to the problem.

Your comment implies that the sale should have gone through anyway, which is nonsensical. Otherwise we could have situations where I steal foo.bar from you (which you have registered with, say, NameCheap) by buying it through, say, GoDaddy, which is currently experiencing a similar bug that incorrectly marks your domain as available.

On the 20.09, I received a totally legit invoice from invoice@google.com (99.99€ Candyclub - Bag of Gems). The sender is invoice@google.com, but no names, no other personal information. I thought it was somewhat strange, and reported it, but no answer.

It's extremely simple to fake the sender of email. That's what probably happened.

I just thought it's strange, because Gmail usually detects email spoofing.

Sure, but Google uses SPF and DKIM. The spam mail would not validate and be marked as spam.

So what? He earned nothing but your careless attention.

The article says "He frantically took screenshots along the way and detailed the whole ordeal in a LinkedIn post."

... I find the choice of words funny. If he hadn't bothered to buy a domain he knew he would never be able to keep, there would be no ordeal!!!

This sounds like some kind of PR stunt for google domains.

Why? Wouldn't that be a lousy PR stunt? Domain services are the keepers to your most prized possessions and Google's let someone buy their own domain creating this nebulous set of thoughts to where many might think this allowed the person to control google.com itself.

It's just funny that it was an ex-Googler buying google.com from Google Domains, and they happened to state the price ($12) in the ad errrr article. Relax people. Downvotes? Come on.
