The Domain Formerly Known As Dave's
Featuring DNS disasters, sausage-fingered sysadmins, and one deeply unimpressed wife.
TL;DR: find mis-typed nameservers that don’t resolve and could be registered; pipe domains into nsfckup and review flagged ones.
cat domains.txt | nsfckup -c 50 -v
Use it: https://github.com/cybercdh/nsfckup
I did not set out to accidentally gain partial control of a company’s internet. I was supposed to be watching a wholesome TV show about animated dogs learning emotional resilience. Instead I was in my terminal, aggressively ignoring my family and running nsfckup — a DNS recon tool whose name tells you everything about its vibe and nothing about its legal department.
“Are you still doing that DNS thingy?” my wife asked from the living room, in the tone people reserve for toddlers who have found permanent marker.
“It’s called nsfckup,” I said, like a man who believes brand awareness is a love language.
She went back to her show. I went back to my crimes against free time.
Here’s the setup. Imagine the postal system. Your domain is a city. Nameservers are the big sorting offices. If you tell the world “Send all my post to Sorting Office Alpha,” but you accidentally write “Sorting Office Alhpa,” then the lorries dutifully drive to an empty lot. That’s not a delay. That’s a swap-the-keys-under-the-doormat-level problem.
Enter Dave. Dave Types-Fast. Dave is fictional (to protect the innocent) and also real (because we’ve all been Dave). Somewhere in Dave’s DNS, these went in:
ns1.awseomehosting.com
ns2.awesomehosting.com
ns3.awesomehosting.com
ns4.awesomehosting.com
To the human eye, “awseome” is an endearing quirk. To DNS it’s a hard nope. DNS is a bouncer with a clipboard from 2001: “If your name’s not down exactly, you’re not coming in.”
I pointed nsfckup at Dave’s domain. Under the hood, the tool traces like a caffeinated dig +trace, collects the authority section, and sanity-checks each NS target to see if it resolves to anything that resembles a living, breathing nameserver.
Go-ish, simplified:
// Go-ish, simplified. dig.Trace and report are the tool's own helpers (not shown here);
// dns is github.com/miekg/dns, net and strings are the standard library.
// walk the chain and examine the authority section near the apex
rsps, _ := dig.Trace(domain) // error handling elided for brevity
for i, rsp := range rsps {
    if i != len(rsps)-2 { // second-to-last hop: the parent's referral, where the NS answers live
        continue
    }
    for _, rr := range rsp.Msg.Ns {
        if rr.Header().Rrtype != dns.TypeNS {
            continue
        }
        ns := strings.TrimSuffix(rr.(*dns.NS).Ns, ".")
        // Does the NS itself resolve? If not, danger.
        if _, err := net.LookupHost(ns); err != nil {
            report(domain, ns, "ns-target-unresolvable")
        }
    }
}
The trace on Dave’s world produced a chef’s kiss of sadness:
$ dig NS precisioncopywriters.com +trace @1.1.1.1
; <<>> DiG 9.10 <<>> NS precisioncopywriters.com +trace @1.1.1.1
;; AUTHORITY SECTION:
precisioncopywriters.com. 172800 IN NS ns1.awseomehosting.com.
precisioncopywriters.com. 172800 IN NS ns2.awesomehosting.com.
precisioncopywriters.com. 172800 IN NS ns3.awesomehosting.com.
precisioncopywriters.com. 172800 IN NS ns4.awesomehosting.com.
;; WARNING: couldn't get address for 'ns1.awseomehosting.com': not found
At this point the only responsible thing to do was check whether “awseomehosting.com” existed or was one impulse-purchase away from a life choice.
Two quick checks, the belt-and-braces way:
# 1) If the zone exists, it’ll usually answer something. dig exits 0 even on
#    NXDOMAIN, so test the output rather than the exit status.
[ -n "$(dig +short awseomehosting.com A awseomehosting.com AAAA)" ] || echo "no records"
# 2) WhoIs often betrays availability (TLD-dependent wording!)
whois awseomehosting.com | grep -Ei "no match|not found|available" || true
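To make those two checks concrete, here is an added, self-contained Go program (not nsfckup’s code) that parses the authority section of a dig +trace like the one above, checks whether each NS target resolves, and, when one doesn’t, checks whether its registrable domain resolves at all: the “this might be unregistered, go run whois” signal the dig/whois pair above is hunting for. The sampleTrace constant is copied from the trace above; stubResolver and the 192.0.2.10 address are constructed so it runs offline, and registrableDomain’s last-two-labels rule is my simplification that ignores the Public Suffix List. Swap stubResolver for net.LookupHost to run it against a real zone.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// sampleTrace is a constructed input copied from the dig +trace authority section above.
const sampleTrace = `;; AUTHORITY SECTION:
precisioncopywriters.com. 172800 IN NS ns1.awseomehosting.com.
precisioncopywriters.com. 172800 IN NS ns2.awesomehosting.com.
precisioncopywriters.com. 172800 IN NS ns3.awesomehosting.com.
precisioncopywriters.com. 172800 IN NS ns4.awesomehosting.com.
`

// Resolver abstracts address lookup so the check runs offline; pass net.LookupHost live.
type Resolver func(host string) ([]string, error)

// stubHosts/stubResolver are a constructed stand-in: only the correctly spelt hosting
// domain and its nameservers "resolve", to an RFC 5737 documentation address.
var stubHosts = map[string]bool{"awesomehosting.com": true, "ns2.awesomehosting.com": true,
	"ns3.awesomehosting.com": true, "ns4.awesomehosting.com": true}

func stubResolver(host string) ([]string, error) {
	if stubHosts[host] {
		return []string{"192.0.2.10"}, nil
	}
	return nil, fmt.Errorf("lookup %s: no such host", host)
}

type Finding struct{ Zone, NS, Problem string }

// parseAuthorityNS returns the NS targets (trailing dot removed, lower-cased) from
// "<owner> <ttl> IN NS <target>" lines whose owner is zone; a full +trace also lists
// root and TLD servers, which the owner filter skips.
func parseAuthorityNS(trace, zone string) []string {
	var targets []string
	sc := bufio.NewScanner(strings.NewReader(trace))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 5 || f[2] != "IN" || f[3] != "NS" {
			continue
		}
		if !strings.EqualFold(strings.TrimSuffix(f[0], "."), zone) {
			continue
		}
		targets = append(targets, strings.ToLower(strings.TrimSuffix(f[4], ".")))
	}
	return targets
}

// registrableDomain is a naive last-two-labels guess; it ignores the Public Suffix List
// (ns1.host.co.uk would yield "co.uk"), so such hits need a human before any whois conclusion.
func registrableDomain(name string) string {
	labels := strings.Split(name, ".")
	if len(labels) < 2 {
		return name
	}
	return strings.Join(labels[len(labels)-2:], ".")
}

// CheckDelegation flags NS targets that do not resolve and escalates when the target's
// registrable domain does not resolve either, which is the "possibly unregistered" case.
func CheckDelegation(zone, trace string, lookup Resolver) []Finding {
	var out []Finding
	for _, ns := range parseAuthorityNS(trace, zone) {
		if _, err := lookup(ns); err == nil {
			continue // healthy nameserver
		}
		problem := "ns-target-unresolvable"
		if _, err := lookup(registrableDomain(ns)); err != nil {
			problem = "ns-parent-unresolvable (possibly unregistered; verify with whois)"
		}
		out = append(out, Finding{zone, ns, problem})
	}
	return out
}

func main() {
	for _, f := range CheckDelegation("precisioncopywriters.com", sampleTrace, stubResolver) {
		fmt.Printf("%s -> %s: %s\n", f.Zone, f.NS, f.Problem)
	}
}
```

Run it and the only finding is ns1.awseomehosting.com with the “parent unresolvable” escalation; a dead host under a live hosting domain (say, a decommissioned ns9) would come back as plain “ns-target-unresolvable”, which is a broken delegation but not a shopping opportunity.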
Result: the domain was as real as my gym membership. Which is how I, a grown adult with both children and a budget, found myself registering a typo on a Thursday night.
“Why did you spend £9.99 on ‘awseomehosting.com’?” asked my wife.
“To save the internet,” I said. “And also because it was funny.”
Registering the typo didn’t just give me bragging rights; it gave me authority. Any zone whose NS included my shiny new mistake would happily ask me for directions. Web, email, TXT—if it delegated via the bad NS, I could answer. That’s not a theoretical, that’s a “please don’t explain a subpoena at dinner” scenario.
I emailed Dave. He fixed it in minutes. Somewhere a coffee was spilt, a registrar password was reset, and a junior was told, kindly, to stop mashing the keyboard like it owes them money.
Avoid being Dave? Here’s the fast lane.
The human-with-a-shell approach:
# enumerate NS targets, de-dot them, and see if they resolve
domain=example.com
dig NS "$domain" +short | sed 's/\.$//' | while read -r ns; do
    printf "%-40s -> " "$ns"
    if ! dig +short "$ns" A "$ns" AAAA | head -1 | grep -qE '.'; then
        echo "UNRESOLVABLE (potentially registrable or dead)"
    else
        echo "ok"
    fi
done
The slightly-more-serious recon pipeline:
# feed domains, run concurrently, flag likely takeovers
# (dig exits 0 even when a name has no records, so test for empty output)
cat domains.txt \
| xargs -n1 -P50 -I{} sh -c '
    ns=$(dig NS "$1" +short | sed "s/\.$//") || exit 0
    for n in $ns; do
        [ -n "$(dig +short "$n" A "$n" AAAA)" ] || echo "$1 -> $n (dead-ns)"
    done
' -- {}
The “I value my wrists” version with nsfckup:
# single target
nsfckup example.com
# many targets, with parallelism and verbose traces
cat domains.txt | nsfckup -c 50 -v
Copy me:
# Minimal pipeline: domains -> findings
cat domains.txt | nsfckup -c 40 -v | tee ns-findings.txt
What nsfckup actually checks (in slightly more adult clothes):
- Nameserver targets exist and resolve to at least one address.
- The target isn’t an obviously unregistered domain (NXDOMAIN/WhoIs empty).
- Optional: the server answers authoritatively for the zone (not REFUSED/SERVFAIL forever).
If any of those don’t hold, you’ve probably got a nameserver pointed at a vacant lot with a very inviting “For Lease” sign. That’s the moment to raise a calm, professional report—ideally before a less calm, less professional person does anything creative.
Two tips that will save Future You:
- Buy your own typos. If your brand is “AwesomeHosting,” get the “Awseome” and “Awsome” and “Aweosme” variants before the internet does. It’s cheaper than incident response.
- Treat nameservers like production databases: change-controlled, peer-reviewed, and never edited after 11pm while semi-feral children ask for water.
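“Buy your own typos” is easier with a list to hand to the registrar. The following is an added Go example (mine, not nsfckup’s) that generates the one-keystroke misspellings people actually make for a brand label (two adjacent letters swapped, one letter dropped, one letter doubled), which is exactly the family “Awseome”, “Awsome” and “Aweosme” belong to, and reuses the same set to answer the defender’s question from the other direction: is this nameserver’s domain a typo of mine? The brand name and TLD are the post’s own; the function names are assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// TypoVariants returns the single-keystroke misspellings of a label: two adjacent
// letters swapped, one letter dropped, one letter doubled. The original label is
// excluded and duplicates (e.g. dropping either of two equal neighbours) collapse.
func TypoVariants(label string) []string {
	r := []rune(strings.ToLower(label))
	seen := map[string]bool{}
	add := func(v []rune) {
		if s := string(v); s != string(r) {
			seen[s] = true
		}
	}
	for i := 0; i < len(r); i++ {
		if i+1 < len(r) { // swap r[i] and r[i+1]: awesome -> awseome
			v := append([]rune{}, r...)
			v[i], v[i+1] = v[i+1], v[i]
			add(v)
		}
		// drop r[i]: awesome -> awsome (append onto a fresh copy so r is never aliased)
		add(append(append([]rune{}, r[:i]...), r[i+1:]...))
		// double r[i]: awesome -> aweesome
		add(append(append(append([]rune{}, r[:i+1]...), r[i]), r[i+1:]...))
	}
	out := make([]string, 0, len(seen))
	for s := range seen {
		out = append(out, s)
	}
	sort.Strings(out)
	return out
}

// DefensiveRegistrations expands a brand label into the domain names worth owning
// before someone else does; feed the output to your registrar's bulk-check page.
func DefensiveRegistrations(brand, tld string) []string {
	var out []string
	for _, v := range TypoVariants(brand) {
		out = append(out, v+"."+tld)
	}
	return out
}

// LooksLikeTypoOf reports whether candidate is a one-keystroke misspelling of brand,
// e.g. to flag "awseomehosting.com" in a zone whose other NS live under "awesomehosting.com".
func LooksLikeTypoOf(candidate, brand string) bool {
	candidate = strings.ToLower(candidate)
	for _, v := range TypoVariants(brand) {
		if v == candidate {
			return true
		}
	}
	return false
}

func main() {
	for _, d := range DefensiveRegistrations("awesomehosting", "com") {
		fmt.Println(d)
	}
	fmt.Println(LooksLikeTypoOf("awseomehosting.com", "awesomehosting.com"))
}
```

For a fourteen-letter label with no repeated neighbours this yields 41 candidates (13 swaps, 14 drops, 14 doubles); keyboard-adjacency and homoglyph variants are deliberately left out, since the post is about fat fingers, not phishing kits.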
Typos are human. DNS is not. It’s a very literal machine wearing a tie. If you tell it to trust “ns1.awseomehosting.com,” it will do so with the unwavering loyalty of a golden retriever fetching the wrong stick for six months.
Disclaimer: the affected domain was not actually “awseomehosting.com.” Which means, yes, you could still go buy it. Please don’t. Or do, and then write a responsible disclosure email so polite it makes the recipient weep.
Report snippet (paste into your program/owner):
Title: Potential nameserver typo enables subdomain/zone control
Domain: example.com
Observed NS: ns1.awseomehosting.com (unresolvable), ns2.awesomehosting.com, ...
Evidence:
- dig NS example.com +trace → ns1.awseomehosting.com
- dig +short ns1.awseomehosting.com → (no A/AAAA)
Impact: Delegation to an unresolvable (potentially registrable) NS could allow an attacker to serve authoritative DNS for the zone, enabling subdomain takeover, phishing, or mail interception.
Actions taken: No exploitation performed and no infrastructure registered. Discovery only.
Recommended fix: Correct NS entries; consider registering common typos; add change control for DNS.