My domain got abused on Github Pages
41 points by lalitm
41 points by lalitm
This case is covered by the GH docs: https://docs.github.com/en/pages/configuring-a-custom-domain-for-your-github-pages-site/managing-a-custom-domain-for-your-github-pages-site
We strongly recommend that you do not use wildcard DNS records, such as
*.example.com. These records put you at an immediate risk of domain takeovers, even if you verify the domain. For example, if you verifyexample.comthis prevents someone from usinga.example.combut they could still take overb.a.example.com(which is covered by the wildcard DNS record).
It's crazy to me that they allow this vector at all, warning against it in documentation is not enough. Either have TXT verification or error out if they detect a wildcard record, but don't allow spam so easily!!!
It's weird that they know it's a bad idea, and took time to document how much of a footgun it is, instead of blocking it.
I don't understand how they deal with the case in which two GitHub Pages claim the same domain, and that domain is pointing to GitHub and there us no other info. Who wins?
There's a database table which maps domain to repo. When you push a CNAME file a bunch of machinery kicks in which eventually results in a record being inserted to that table. First repo to claim the domain wins.
Couldn't they require a CNAME from the exact domain to <github-user>.github.io and verify if that matches the user who is claiming the domain?
That wouldn’t work on the apex record, since you cannot use CNAME there
Pretty commonplace to use TXT records for that. Codeberg Pages does it that way. (For now, with the legacy method.. not sure what the plan is for the new git-pages backend.)
Had the same thing happen to me back in September. I migrated all my stuff off of GitHub Pages the same day.