Stop someone pointing cname to domain

baldidiot
This is a weird one, we've just noticed that someone has been pointing a domain at one of our sites for the last four years. It looks like they're just doing it via a cname on cloudflare pointed to the domain, rather than pointing to the server (as we only allow access via the main domain, plus we changed server IP at one point).

I'm not really sure what their game is, or if it's just a mistake, but either way I'd like to stop them doing it.

I've tried to use htaccess to restrict access via anything other than the main domain, but that doesn't seem to do anything.

Any suggestions?
 
Is it the case that your website loads and their domain stays in the URL bar, instead of yours?
 
It sounds like you're on the right track, you need to set your server to reject requests from a HOST that does not match your domain... the .htaccess file like you said.

As a rule your server shouldn't return a response for any hostname other than the expected one(s) rather than blocking a particular one that you don't want.

Generally a CNAME redirect doesn't work to random sites in modern browsers like Chrome for websites, because the HTTPS certificate isn't valid for the domain you're loading so the page won't load. Is your site using HTTP instead of HTTPS and an SSL cert?

What did you put in your .htaccess file?
 
RewriteEngine On
RewriteCond %{HTTP_HOST} !^(yourdomain\.com|www\.yourdomain\.com)$ [NC]
RewriteRule ^ - [F]

The above seems sensible from what I've seen from examples online and then shoving it in chatgpt. Returns forbidden if the HOST header doesn't match.

Personally I haven't used apache for years, I just use an AWS listener rules on their ALB, but it's the same thing in practice, your server must examine the incoming host header and decide whether to return your site or not.

I realise that you said you had done this, but it taking no effect is bound to be because of incorrect configuration rather than it having no effect when it is correct.
 
Generally a CNAME redirect doesn't work to random sites in modern browsers like Chrome for websites, because the HTTPS certificate isn't valid for the domain you're loading so the page won't load. Is your site using HTTP instead of HTTPS and an SSL cert?

Yeah our site uses https. The other domain (the one pointing to our site that shouldn't) uses cloudflare so I'm guessing that's where their SSL cert comes from.

Because they use cloudflare I'm largely guessing that they're using a cname to do it, I don't know for sure that's what they're doing. So maybe there are other methods?


RewriteEngine On
RewriteCond %{HTTP_HOST} !^(yourdomain\.com|www\.yourdomain\.com)$ [NC]
RewriteRule ^ - [F]
The above seems sensible from what I've seen from examples online and then shoving it in chatgpt. Returns forbidden if the HOST header doesn't match.

Thanks - yes it's similar to what I've tried before. I've just tried it again and no luck.
 
Yeah our site uses https. The other domain (the one pointing to our site that shouldn't) uses cloudflare so I'm guessing that's where their SSL cert comes from.

Thanks - yes it's similar to what I've tried before. I've just tried it again and no luck.
Ok, so they must be proxying the response through cloudflare or other server, not just a straight CNAME, in order for their certificate to be presented in the final response back to the browser instead of yours. If it was a straight CNAME without proxying, then your certificate would be returned, because it would be the response from your server and there would be a mismatch and it wouldn't load.

Even with proxying, I doubt that they have gone through the effort of overriding the host header in the request to your server. To do this, they would have to have set up a Cloudflare worker or some infrastructure between their domain and your site, which is a lot of effort just to show your site as theirs...?

If they have overridden the host name, then I'd fall back on detecting the host name in JS on load and redirect the user somewhere else if it doesn't match. This is at least a nuisance to the person redirecting their domain to your site.
 
Even with proxying, I doubt that they have gone through the effort of overriding the host header in the request to your server. To do this, they would have to have set up a Cloudflare worker or some infrastructure between their domain and your site, which is a lot of effort just to show your site as theirs...?

Yeah I don't really even know what they're trying to get out of it. It raises some red flags, especially if they're having to go through additional hoops to do it.


If they have overridden the host name, then I'd fall back on detecting the host name in JS on load and redirect the user somewhere else if it doesn't match. This is at least a nuisance to the person redirecting their domain to your site.

Thanks, that's not a bad idea. It's not an ideal solution, but at least it might throw some kind of spanner in the works of whatever it is they're up to.
 
Another thought, are you using cloudflare? They have a public list of CIDR blocks that their requests will come from, if not then you can add those IP ranges to be blocked by your server. https://www.cloudflare.com/ips/

ALSO, If you are using cloudflare, I believe there is a thing where you can establish a trust relationship between you and cloudflare. This ensures that every request that comes from cloudflare is verified as yours and not someone elses. https://www.cloudflare.com/learning/access-management/what-is-mutual-tls/

Sounds like you're suffering from this:

[attached screenshot]

Which is what is mentioned on the mTLS page on the cloudflare site or you can enable "Authenticated origin pulls". I'm not sure what the differences are:


[attached screenshot]

Sorry I'm kind of firing out things as I learn them. I knew these things existed but haven't used them before, I might do it just for security of my own sites now so that I know more about them.
 
Yeah we're using Cloudflare as well so can't block the IPs.

Thanks for the other suggestions though, I'll have a look at those now!
 
Good luck :). The mTLS thing sounds like a pretty standard practice. The only risk I see is that the certificate will have to have an expiry and could prevent your site from working if you're not careful and let it lapse.
 
Me again :p... an alternative and quicker approach might be just to report them to Cloudflare and say they are fraudulently presenting your site under an un-authorised domain name as if it is their own and they'll probably sort it out. They're normally pretty good at sorting out abuse on their network.

 
They could be using Cloudflare proxy to do it, try:
curl -I https://their-domain.com

See if CF is in the header. It sounds like a reverse proxy type exploit.

Also check your server logs:
grep "Host:" /var/log/apache2/access.log | sort | uniq -c

Might give you a better idea.

Are you using a cache? Sometimes Host headers can be spoofed for your cache also. Redis, CF etc, you need to clear them all.

Check this:
dig their-domain.com +short

If it shows that their domain is resolving to your IP address, it is a DNS issue.

Can I ask, are you using a raw LAMP server? What does your vHost look like? Would give us a better idea if you have an example, you could have a wildcard in there which they are abusing.

Either way, you need to fix the header requests, then check Cache, DNS and vHost.
 
I'm not going to lie, some of that has gone completely above my head. But that is how you learn, right? (panic because something has broken and then read up on everything to do with it).


Can I ask, are you using a raw LAMP server? What does your vHost look like? Would give us a better idea if you have an example, you could have a wildcard in there which they are abusing.

We're using the cloudways platform to run a digital ocean server. Pretty much as they set it up, we haven't mucked around with it.

No wildcard, just the main www/non-www and a staging sub domain.
 
They could be using Cloudways also as a reverse proxy, and using their URL in the browser and forwarding all traffic to your domain.

If you send your URL over DM, I'll check it for you.

If they are causing you acute issues, you could even use this JS to block it rendering

Code:
<script>
// Blank the page unless it is being viewed under one of our own hostnames.
// Replace the placeholder names with your real www/non-www domain.
var allowedHosts = ["yourdomain.com", "www.yourdomain.com"];
if (allowedHosts.indexOf(window.location.hostname) === -1) {
document.documentElement.innerHTML = "";
document.title = "Stop Using My Content";
}
</script>
 
If my theory is right and they're using a Cloudflare worker to make the request and spoof the hostname to requests to your server, it will contain a header CF-Worker:


If you're not using Cloudflare workers to make requests to your site, you could safely block any requests in your .htaccess for any requests that contain the header CF-Worker.

It's based on my theory that they're going beyond just a CNAME/proxies CNAME.
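Two of the suggestions above, counting Host values in the access log and looking for a CF-Worker header, only work if those headers are actually logged: Apache's default combined format records neither, so the LogFormat has to be extended with %{Host}i and %{CF-Worker}i first. As an added example (not code from the thread), here is a small Node.js script that parses lines in such an extended format, counts requests per Host and flags the ones that either carry an unexpected Host or arrived via a Worker. The LogFormat, the sample lines and the domain names are all constructed for the example.

```javascript
// Added example: analyse constructed Apache access-log lines written with an
// extended LogFormat that includes the Host and CF-Worker request headers:
//   LogFormat "%h %t \"%r\" %>s host=\"%{Host}i\" cfworker=\"%{CF-Worker}i\" referer=\"%{Referer}i\"" leech
//   CustomLog ${APACHE_LOG_DIR}/leech.log leech
// (assumed configuration, not from the thread)

// Hostnames we expect the origin to be asked for (placeholder names).
const EXPECTED_HOSTS = new Set(["yourdomain.com", "www.yourdomain.com"]);

// Constructed sample lines, not real traffic. Line 3 and 4 model a Worker
// subrequest that spoofs our Host while CF-Worker names the Worker's zone;
// line 5 models a plain proxied request that still carries the foreign Host.
const SAMPLE_LOG = `
203.0.113.5 [27/Mar/2025:12:00:01 +0000] "GET / HTTP/1.1" 200 host="www.yourdomain.com" cfworker="-" referer="-"
203.0.113.5 [27/Mar/2025:12:00:02 +0000] "GET /about HTTP/1.1" 200 host="www.yourdomain.com" cfworker="-" referer="https://www.google.com/"
198.51.100.9 [27/Mar/2025:12:00:03 +0000] "GET / HTTP/1.1" 200 host="www.yourdomain.com" cfworker="their-domain.com" referer="https://www.google.com/"
198.51.100.9 [27/Mar/2025:12:00:04 +0000] "GET /made-up-page HTTP/1.1" 404 host="www.yourdomain.com" cfworker="their-domain.com" referer="-"
192.0.2.77 [27/Mar/2025:12:00:05 +0000] "GET / HTTP/1.1" 403 host="their-domain.com" cfworker="-" referer="-"
`;

// One regex for the whole line; a line that does not match is skipped rather
// than guessed at, so a stray line in a different format cannot poison counts.
const LINE_RE =
  /^(\S+) \[([^\]]+)\] "([^"]*)" (\d{3}) host="([^"]*)" cfworker="([^"]*)" referer="([^"]*)"$/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return {
    ip: m[1],
    time: m[2],
    request: m[3],
    status: Number(m[4]),
    host: m[5],
    cfWorker: m[6] === "-" ? null : m[6], // Apache logs "-" for an absent header
    referer: m[7] === "-" ? null : m[7],
  };
}

// Returns per-Host counts (the `grep Host | sort | uniq -c` view) and the
// list of requests worth looking at, each with the reasons it was flagged.
function analyse(logText) {
  const hostCounts = {};
  const suspicious = [];
  for (const raw of logText.split("\n")) {
    const line = raw.trim();
    if (!line) continue;
    const rec = parseLine(line);
    if (!rec) continue;
    hostCounts[rec.host] = (hostCounts[rec.host] || 0) + 1;
    const reasons = [];
    if (!EXPECTED_HOSTS.has(rec.host.toLowerCase())) reasons.push("unexpected Host");
    if (rec.cfWorker) reasons.push(`CF-Worker=${rec.cfWorker}`);
    if (reasons.length) suspicious.push({ ...rec, reasons });
  }
  return { hostCounts, suspicious };
}

// Stand-alone run prints the two views for the constructed sample.
if (process.env.RUN_LOG_DEMO) {
  const { hostCounts, suspicious } = analyse(SAMPLE_LOG);
  console.log(hostCounts);
  for (const s of suspicious) console.log(s.ip, s.request, s.reasons.join(", "));
}
```

When Cloudflare is in front of the origin, %h is Cloudflare's edge address rather than the visitor's, so the ip field is only useful for telling edge traffic from direct hits; the Host and CF-Worker columns are what distinguish the leecher's requests from your own. A Worker subrequest that rewrites Host to your name will, as the post above says, still carry CF-Worker, which is why the script flags on that header independently of the Host match.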
 
If my theory is right and they're using a cloud flare worker to make the request and spoof the hostname to requests to your server, it will contain a header CF-Worker:

Yeah, something weird looks like it's going on. I just went to visit a made up page on the domain that's leeching off our site and it gave a different 404 page to ours. So maybe it's not just a simple cname.

Also checking the logs for that url, it had the referrer as "https://www.google.com/"
 
Yeah, something weird looks like it's going on. I just went to visit a made up page on the domain that's leeching off our site and it gave a different 404 page to ours. So maybe it's not just a simple cname.

Also checking the logs for that url, it had the referrer as "https://www.google.com/"
Any useful headers that you can use to identify the requests?
 