At NS1 Connect, we are continuously strengthening our defenses to ensure your digital presence remains secure. Today, we are announcing a significant enhancement to our lame delegation hijacking prevention capabilities.
While we have not had any reported issues in this area, we are committed to staying ahead of any potential evolving threats. A presentation at OARC 44, confirmed for us that lame delegations can be an overlooked vulnerability – one that attackers can exploit as a backdoor into your infrastructure. We have taken that learning to further upgrade our proactive protections.
What is a Lame Delegation?
A lame delegation occurs when a domain is pointed to a DNS provider (like NS1) at the registry level, but the corresponding zone is not actually configured on that provider’s platform. These gaps can arise due to misconfiguration, incomplete migrations, or expired services, leaving domains vulnerable to exploitation.
Lame delegations aren’t just a technical oversight – they are a security liability. It creates a gap that malicious actors can exploit in what is known as lame delegation hijacking.
If a domain is delegated but not managed, a bad actor could swoop in and register that unclaimed zone, this would allow them to:
All without the domain owner’s knowledge – putting users, data and your reputation at risk.
How NS1 Connect Protects You
NS1 Connect takes a proactive approach to lame delegation risk. We have deployed sophisticated, automated systems that regularly scan top-level domain (TLD) zones to identify domains delegated to NS1 but not configured on our platform.
When our system detects such a case, our support team creates a placeholder zone – effectively sealing off the opportunity for hijackers to exploit the gap. This proactive approach ensures that your domains remain secure—even if a configuration oversight occurs.
What is New in this Release?
We have expanded our detection and protection coverage. Previously, our scanning focused on generic TLDs (gTLDs) like .com, .org and .net. We have extended our scanning to now include over 20 TLDs and a much broader range of country-code TLDs (ccTLDs), offering more comprehensive global protection.
Just some of the newly covered ccTLDs include:
-
.co.uk
-
.uk
-
.se
-
.pr
-
.ve
-
.cd
-
and many more.
Whether your domain ends in .com or .za, NS1 Connect is on guard – so you don’t have to be.
Learn more about how NS1 Connect protects lame delegation hijacking: