9

I found that some domain (namely bajajra.com) is pointing to my website's IP address. I am using IIS 10 to host my website. How can I restrict the access to all such unauthorized domains?

This question is similar to this one, but I am looking for a solution based on IIS. How can I make it so that my website can only be accessed from my domain name (ex. example.com)?

Joel Coel
Vikas Sharma
  • 1
    While it won't "restrict" access, if you use HTTPS, other domains will cause users to see a certificate error when they visit it, thus letting them know something is wrong. – Scott Stevens Oct 24 '17 at 01:56
  • 1
    You can't stop them from pointing their address at your server. What you *can* do is make sure the default page that your server offers up when it's asked for a host it has no specification for is entirely unhelpful. – Shadur Oct 24 '17 at 07:11

2 Answers

12

There are two issues you could be describing here. The first is someone simply setting up a DNS binding to your IP address. Preventing this in IIS is extremely simple. You simply alter the hostname bindings in IIS such that your content is only served when particular hostnames are requested. There is most likely currently a wildcard binding that you will need to remove as well so that only the bindings you intend can be resolved. (This is also how multiple websites can be hosted on a single IIS web server.)

From IIS connections, you'll be able to right click on a particular site to access the "Edit Bindings..." dialog.

IIS Site Settings

This dialog will show all the bindings set up for what requests this site should respond to. The hostname is the valid hostname for which the binding should resolve to this site. One site can have many distinct bindings, as seen here.

IIS Binding Dialog

The settings on a particular binding let you set the hostname that should resolve to this site. You can also set things like SSL cert configurations here.

IIS Binding Settings

The second possible problem is hot-linking. With hot-linking, it isn't a direct call to your IP address, but rather setting up something on a different domain to reference things on your domain. This can be done through several different means, but most of them require at least some server to be giving instructions prior to accessing your site. Hotlinking is a little bit harder to prevent, but you can set tests about the referrer asking for an asset and only provide the asset if the referrer matches. Since the client browser supplies this information, it will be difficult for a third party to attempt to make the browser provide incorrect information to your server and thus the filtering should be generally effective.

AJ Henderson
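The binding change described in this answer, scripted with the IIS WebAdministration module. This is an added example, not code from the answer's author; the site name and the allowed hostnames are assumptions to replace with your own.

```powershell
# Added example. $SiteName and $AllowedHosts are assumed values.
Import-Module WebAdministration

$SiteName     = 'Default Web Site'
$AllowedHosts = @('example.com', 'www.example.com')

# For http/https, bindingInformation is "IP:port:hostname". The IP part may be
# an IPv6 literal containing colons, so anchor the pattern on the last two fields.
$pattern = '^(?<ip>.*):(?<port>\d+):(?<hostname>[^:]*)$'

$bindings = @(Get-WebBinding -Name $SiteName |
    Where-Object { $_.protocol -in 'http', 'https' })

# 1. Report what the site answers to today. An empty hostname is a catch-all:
#    the site serves any Host header that reaches that IP and port.
$bindings | ForEach-Object {
    [pscustomobject]@{
        Protocol = $_.protocol
        Binding  = $_.bindingInformation
        CatchAll = ($_.bindingInformation -match $pattern) -and -not $Matches.hostname
    }
} | Format-Table -AutoSize

# 2. For every HTTP catch-all, add one named binding per allowed host on the
#    same IP and port, and only then remove the catch-all.
$current = $bindings | ForEach-Object { "$($_.protocol) $($_.bindingInformation)" }

foreach ($b in $bindings | Where-Object protocol -eq 'http') {
    if ($b.bindingInformation -match $pattern -and -not $Matches.hostname) {
        $ip   = $Matches.ip
        $port = $Matches.port
        foreach ($name in $AllowedHosts) {
            if ($current -notcontains "http ${ip}:${port}:$name") {
                New-WebBinding -Name $SiteName -Protocol http `
                    -IPAddress $ip -Port $port -HostHeader $name
            }
        }
        Remove-WebBinding -Name $SiteName -Protocol http `
            -BindingInformation $b.bindingInformation
    }
}

# HTTPS catch-alls are reported in step 1 but left untouched here, because
# changing them also involves the certificate attached to the binding.
Get-WebBinding -Name $SiteName | Format-Table protocol, bindingInformation
```

Run it from an elevated PowerShell session on the IIS host, and check the step 1 table before relying on the changes in step 2.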
  • thanks for having a look at my question, it seems like it's the first possibility in my case (I tried looking nslookup for the website and ip address is same as mine). In order to resolve it, I tried 1. Enabling Domain restriction at IIS 2. Then adding just one allow entry i.e. for my domain and deny for all unlisted clients However, it's not working as expected. Please help me out to identify where exactly I have to remove the wildcard binding as you mentioned or what are the steps to restrict access for all domain names other than the one that I own. – Vikas Sharma Oct 23 '17 at 16:40
  • @VikasSharma take a look at my edit. I have added screenshots from my IIS server. My server's configuration is a bit more complex than it sounds like yours will need to be, but it should give you an idea of what it should look like. You will likely not have as many distinct sites, IP addresses or host names as I do, but you may end up using multiple bindings or possibly just a partial wildcard (ex "*.yourdomain.com") In my case, I only wanted specific subdomains to resolve and I have some subdomains with different sites or routing rules (or not being handled by IIS at all.) – AJ Henderson Oct 23 '17 at 16:53
  • thanks! It worked for me. As you mentioned, in my case adding the partial wildcard "*.yourdomain.com" will suffice. However, I have one more doubt: is it necessary to give an IP address? (What harm can "all unassigned IP" do?) – Vikas Sharma Oct 23 '17 at 17:09
  • @VikasSharma - it is fine to use all IP addresses in your case. I have to use specific IPs because I have services that don't route through IIS so I can't bind them and have some IPv6 IPs that I don't want to resolve certain sites as I'm using service specific IPv6 addresses. My server responds to 30+ IP addresses (mostly IPv6, though I've had multiple IPv4 addresses at one point where I needed to prevent reverse lookup for a while on one domain) and another point where I had a streaming media server that needed its own separate IP binding. – AJ Henderson Oct 23 '17 at 17:10
  • It sounds worse than this... more likely a Google search rank attack. Sometimes competitors or shady marketers will set up a "fake" web site that looks like your real site, or another made-up competitor. They may even pull image and CSS resources from your real site. Then they'll trash that site's reputation in Google. Finally, they'll direct that site to you with a DNS entry (which is what I think the OP is seeing), and use link networks from similar shady sites to get Google to associate this site with your real business, and therefore hurt your Google ranking. – Joel Coel Oct 23 '17 at 22:09
  • @joelcoel that's a separate issue and one that is easily enough resolved using Google's webmaster tools, but that wasn't what the question was about either. It was just about how to prevent them from posting the website as another site. – AJ Henderson Oct 24 '17 at 02:34
-1

There's very little you can do to prevent the administrator of another domain from using your IP in their A record.

If you feel they are trying to violate some law or injure your business in so doing, you might bring the issue to the attention of their DNS provider, or registrar.

The other answer here, regarding filtering HTTP servernames, can help you ignore their actions, and limit the damage they can do to you. But it will break your site for any browser that doesn't support HTTP hostnames.

Consider also how easy it would be for bajajra.com to simply operate a forwarding web proxy directed at your site. Limiting servernames you allow (as provided in the other answer) won't stop that, and it will in fact put your customers at greater risk because the attacker will be able to use the proxy to spy on them and tamper with your content.

  • 1
    Host is the only mandatory request header in HTTP/1.0 and HTTP/1.1, almost all servers will give you a 400 Bad Request response if you omit it. – Nulano Oct 23 '17 at 22:16
  • True. Not all internet traffic is HTTP though either. An A record alone doesn't mean web. Who knows what the bad guy is up to. – Billy left SE for Codidact Oct 23 '17 at 22:19
  • 2
    "But it will break your site for any browser that doesn't support http hostnames." HTTP/1.1 has been around for 20 years now and if you're one of the very few who use a browser that doesn't support it, it's not the webmaster's problem. – SameOldNick Oct 23 '17 at 22:26
  • 3
    @Nulano `Host` isn't part of HTTP/1.0, though most browsers provide it and servers accept it anyway. It was added/required in HTTP/1.1. – Bob Oct 24 '17 at 00:21
  • I can't agree there is very little you can do. You can do a ton if they direct the domain to your server. You can change what is displayed to any user accessing the domain to make it obviously different, you could even get a valid SSL certificate for the site using Let's Encrypt's file based domain validation. No remotely modern browser doesn't support host names so that's just silly, subdomains wouldn't work either and that blocks off a significant portion of the web already. – AJ Henderson Oct 24 '17 at 02:46
  • As far as a web proxy, that would require expense of hosting on the attacker's part and hotlink protection as I mentioned in the second part of my answer would greatly increase the cost as they'd need to host all assets themselves. If it's a live web proxy you'd also be able to identify the IP address and serve different content to the proxy. You could permanently lock them down for any visitors to their site by serving a permanent HPKP to an invalid certificate. Any users that accessed the invalid domain while it was hosting the HPKP would error out on future requests. – AJ Henderson Oct 24 '17 at 02:51
  • The question was how can you stop someone from using your IP in their A record. Pontificate all you like about it, but you can't stop someone from doing that. – Billy left SE for Codidact Oct 24 '17 at 19:26