The Danger of Wildcard DNS: How a GitHub Pages Site Was Hijacked
Imagine returning from a trip to find that your professional domain is hosting several Indonesian online gambling sites and slot machine scams. This is exactly what happened to developer rmeertens, who discovered that their domain, immersivepoints.com, had been abused by third parties using GitHub Pages.
This incident serves as a critical case study in the intersection of DNS configuration and platform-level domain verification, illustrating how a simple convenience—the wildcard DNS record—can open a massive security hole.
The Anatomy of the Attack
The author used GitHub Pages to host a 3D and VR point cloud visualizer. To make setup easy, they configured their DNS records with a wildcard (*.immersivepoints.com) pointing to GitHub's servers. The intention was to ensure that any subdomain (like www) would automatically resolve to their GitHub Pages site.
However, the author discovered a fundamental flaw in how GitHub Pages handles custom domains: GitHub resolves any domain that points to its servers as long as there is a repository containing a CNAME file matching that domain.
Because the author had a wildcard DNS record, any request for any subdomain of immersivepoints.com was routed to GitHub. An attacker simply had to create a private GitHub repository and add a CNAME file for a subdomain like kafka.immersivepoints.com or hd.immersivepoints.com. GitHub's load balancer saw the request, matched it to the attacker's repository, and served the attacker's content under the author's domain.
The Impact: SEO Poisoning and Scams
The abuse was discovered via Google Search Console alerts notifying the author that new owners had been verified for various subdomains. Upon investigation, the author found that these subdomains were ranking in search results, sometimes even outranking the legitimate site.
As the author noted:
I hope nobody fell victim to the undoubtedly shitty slot machine scam sites which were hosted on my domain.
This is a classic example of "subdomain takeover," where an attacker leverages a dangling DNS record or a permissive configuration to host malicious content, damaging the domain's reputation and potentially tricking users into visiting phishing or scam sites.
The Debate: Who is at Fault?
The incident sparked a significant discussion on Hacker News, with opinions split between the user's configuration error and the platform's lack of safeguards.
The "User Error" Perspective
Several commenters argued that the responsibility lies entirely with the domain owner. Pointing a wildcard record to a third-party platform is, by definition, handing over control of any unassigned subdomain to that platform.
You told your NS to forward any request to GitHub, a platform you don't own. I think this is the expected outcome.
The "Platform Responsibility" Perspective
Others argued that GitHub should implement stricter verification. If a user attempts to claim a domain that is already being used by another GitHub user, or if the domain is pointed to GitHub's IPs without a verified ownership record, the platform should block the association.
One suggested solution was the mandatory use of TXT records for domain verification, a common practice used by Google Search Console and other major cloud providers to ensure the requester actually controls the DNS settings.
How to Prevent Domain Hijacking
To avoid falling victim to this type of abuse, developers and site owners should follow these best practices:
1. Avoid Wildcard DNS for Third-Party Hosting
Never use a wildcard (*) record to point your domain to a service like GitHub Pages, Netlify, or Vercel unless you have a specific reason to do so and understand the risks. Explicitly define every subdomain you intend to use (e.g., www, blog, app).
2. Use Domain Verification
GitHub now offers a feature to verify custom domains. This allows you to prove ownership of the domain via a DNS TXT record, preventing other GitHub users from claiming your domain or its subdomains. This setting is located in the account settings rather than the individual repository settings, which can make it easy to overlook.
3. Monitor Your Domain
Using tools like Google Search Console can provide early warning signs of unauthorized changes or new "owners" claiming your subdomains. Regularly auditing your DNS records and search engine indexing can help identify takeovers before they cause significant damage.
Final Thoughts
This incident highlights a recurring theme in modern web infrastructure: the gap between "ease of use" and "security by default." While wildcard DNS is convenient, it creates a vulnerability that can be exploited by anyone with a GitHub account. By moving toward explicit verification and avoiding permissive DNS records, developers can protect their digital identity from becoming a host for the next wave of slot machine scams.