Anyone who controls a domain can create an A or CNAME record for it that points at any IP address on the internet, whether their intent is malicious or not. If the webmaster uses name-based virtual hosts, however, the website should only be reachable through the hostnames listed in its ServerName and ServerAlias directives.
One caveat with name-based virtual hosts is that the first vhost defined for a given IP address/port is treated as the default vhost for that address. So even with name-based vhosts, a request for an unknown hostname can still land on the webmaster's site if that site happens to be the first vhost in the configuration. You can avoid this by binding the VirtualHost to a specific hostname/domain.
Of course, that causes problems of its own if you don't own the domain. Another way to avoid it is to dedicate the first name-based VirtualHost as a default that only returns an error message to the client. If the webmaster uses IP-based virtual hosts, or no vhosts at all with the 'primary server' bound directly to the IP, then any request to that IP will reach the webmaster's site regardless of the hostname.
If someone resolves their domain to your site's IP, there are several ways to stop them, such as:
1. Block rogue domain
Edit the .htaccess file in your document root and add the following.
RewriteEngine on
# Match the rogue domain (with or without www.) in the Host header; the placeholders are written without brackets because [ ] would form a regex character class
RewriteCond %{HTTP_HOST} ^(www\.)?OFFENDINGDOMAIN\.TLD$ [NC]
RewriteRule (.*) - [F]
- Replace "OFFENDINGDOMAIN" with the domain whose DNS records the threat actor has pointed at your IP address.
- Replace "TLD" with the threat actor's top-level domain, such as com or net (the leading dot is already in the rule).
This returns a 403 Forbidden response to any HTTP request whose Host header is the offending domain (the shorter form below is not anchored at the start, so it also matches any of its subdomains). If you prefer something shorter, use the following instead.
# Any hostname ending in the rogue domain (here with the .st TLD; substitute the actual one)
RewriteCond %{HTTP_HOST} OFFENDINGDOMAIN\.st$ [NC]
RewriteRule ^ - [F]
There are various ways to customize this. Notably, you could use [G] instead of [F] to return 410 Gone instead of 403 Forbidden, which prompts search engines to delist the rogue domain's pages more quickly.
2. Redirect the rogue domain
You can redirect the rogue domain to your own domain. Add the following code to your .htaccess file.
RewriteCond %{HTTP_HOST} OFFENDINGDOMAIN\.st$ [NC]
RewriteRule ^(.*)$ https://YOURDOMAIN.com/$1 [L,R=301]
Alternatively, you can add the following code to your .htaccess file instead.
RewriteEngine on
# Redirect every request whose Host header is not your own domain (which includes any rogue domain pointed at your IP) to your canonical hostname; negating your own domain rather than the rogue one is what prevents a redirect loop
RewriteCond %{HTTP_HOST} !^(www\.)?YOURDOMAIN\.com$ [NC]
RewriteRule .? https://YOURDOMAIN.com%{REQUEST_URI} [R=301,L]
3. Block rogue subdomains
If the adversary is pointing their own rogue subdomains at your site's domain, you can block them with a "403 Forbidden" response. Add the following code to your .htaccess file.
RewriteEngine on
RewriteBase /
RewriteCond %{HTTP_HOST} ^SUBDOMAIN\.OFFENDINGDOMAIN\.com$ [NC]
# This line exempts paths already under /SUBDOMAIN from the block; remove it to block every path on the rogue subdomain
RewriteCond %{REQUEST_URI} !^/SUBDOMAIN(/|$) [NC]
RewriteRule (.*) - [F]
Conclusion
Remember to back up your .htaccess file before modifying it on a production site. The methods above are simple: they use only .htaccess and mod_rewrite to essentially 'correct' the domain name being visited.
Hide Apache Web Server signature
To hide the Apache web server signature, add the following line to your .htaccess file.
ServerSignature Off
If an adversary mirrors your site and you put restrictions in place to stop it, they will not see which server software or version you run in the body of any error response, such as a 403. Note that this only removes the signature line from Apache-generated pages; the Server response header is controlled by ServerTokens, which can only be set in the main server configuration, not in .htaccess.
Report someone for mirroring your website
You can look up the WHOIS record for the rogue domain and email the abuse contact listed there. It helps to gather supporting evidence from your web server logs and ask the service provider to take appropriate action against the domain.
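As an added example (not part of the original post), the following Python script parses Apache access-log lines that record the raw Host header and reports which foreign hostnames are being pointed at your server, along with the client addresses that used them, which is the evidence you would attach to an abuse report and the list of names the rewrite rules above should cover. It assumes a custom LogFormat whose first field is %{Host}i (the stock combined format logs only the canonical ServerName), and the log lines and domain names are constructed samples.

```python
import ipaddress
import re
from collections import Counter, defaultdict
# Assumed (constructed) LogFormat "%{Host}i %h %t \"%r\" %>s \"%{Referer}i\"":
# the stock combined format logs only the canonical ServerName, not the Host header.
LINE_RE = re.compile(r'^(?P<host>\S+) (?P<client>\S+) \[[^\]]+\] "[^"]*" (?P<status>\d{3}) "[^"]*"$')

def normalize_host(raw):
    """Lower-case, drop a trailing dot and any :port (keeps [ipv6] brackets)."""
    host = raw.lower().rstrip(".")
    m = re.match(r"^(\[[^\]]+\]|[^:]+)(?::\d+)?$", host)
    return m.group(1) if m else host

def is_ip_literal(host):
    try:                                       # client used the bare IP, not a name
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def audit_hosts(log_text, own_domains):
    """Count requests per foreign Host header; own_domains and their subdomains are skipped."""
    own = {d.lower() for d in own_domains}
    hits, clients = Counter(), defaultdict(set)
    report = {"direct_ip": 0, "no_host": 0, "unparsed": 0}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            report["unparsed"] += 1
            continue
        host = normalize_host(m.group("host"))
        if host in ("-", ""):                  # HTTP/1.0 request without a Host header
            report["no_host"] += 1
        elif is_ip_literal(host):              # direct access by IP address
            report["direct_ip"] += 1
        elif not any(host == d or host.endswith("." + d) for d in own):
            hits[host] += 1                    # a name we do not own resolving to us
            clients[host].add(m.group("client"))
    report["rogue"] = {h: {"hits": n, "clients": sorted(clients[h])} for h, n in hits.most_common()}
    return report
# Constructed sample lines; rogue.example is the domain mirroring the site.
SAMPLE_LOG = """\
www.yourdomain.com 203.0.113.5 [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 "-"
rogue.example 198.51.100.7 [10/Oct/2023:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 "-"
cdn.rogue.example 198.51.100.7 [10/Oct/2023:13:56:01 +0000] "GET /app.js HTTP/1.1" 200 "http://rogue.example/"
ROGUE.EXAMPLE:8080 198.51.100.9 [10/Oct/2023:13:57:12 +0000] "GET /login HTTP/1.1" 403 "-"
192.0.2.10 198.51.100.9 [10/Oct/2023:13:58:00 +0000] "GET / HTTP/1.0" 200 "-"
- 198.51.100.11 [10/Oct/2023:13:58:30 +0000] "GET / HTTP/1.0" 200 "-"
not a log line
"""
```

Run `audit_hosts(SAMPLE_LOG, ["yourdomain.com"])` against the sample to see rogue.example and its cdn subdomain reported with their client addresses, while your own hostnames, direct-by-IP requests and Host-less HTTP/1.0 requests are counted separately.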