Pantheon DNS protection [FEAT - 1293]

Currently, when you point a DNS entry at Pantheon, if you aren’t linking to an existing site, you are subject to domain hijacking. Another Pantheon customer can add your domain to their site and start serving up visitors to your domain. I think this is especially true at larger organizations (enterprise customers): with lots of red tape around DNS and many, many DNS entries, it’s possible to lose track of a domain here and there, and you are more likely to be susceptible to this behavior.

It would be great if Pantheon could implement some tool where a domain gets reserved for a customer. For example, if my domain is widget.com, and I could go through whatever steps to validate I own the domain, no other Pantheon customer should then be able to add a *.widget.com domain to their account. That would ensure that no one could launch an evil-doer site under your brand (domain).
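The reservation scheme proposed above, modelled as an added example that is not part of the original post or of any Pantheon code: a customer proves control of an apex domain by publishing a TXT record under a `_verify` label (the label, the `pantheon-verify=` value format and the in-memory registry are all assumptions), and once a domain is verified, no other customer can attach that domain or any hostname beneath it. The TXT lookup is a constructed stand-in so the example runs offline.

```python
import secrets

# Constructed stand-in for a DNS TXT lookup (a real check would query the resolver).
FAKE_TXT_RECORDS = {
    "_verify.widget.com": ["pantheon-verify=abc123"],
}


def lookup_txt(name):
    return FAKE_TXT_RECORDS.get(name.lower(), [])


def issue_token():
    """Per-customer random challenge; publishing it proves control of the zone."""
    return secrets.token_urlsafe(16)


class DomainRegistry:
    """Maps verified apex domains to the customer that proved ownership."""

    def __init__(self, txt_lookup=lookup_txt):
        self._lookup = txt_lookup
        self._owners = {}  # verified domain -> customer id

    def verify(self, customer, domain, token):
        """Claim `domain` for `customer` if the expected TXT record is published
        and the domain is not already held by someone else."""
        domain = domain.lower().rstrip(".")
        if f"pantheon-verify={token}" not in self._lookup(f"_verify.{domain}"):
            return False
        if self._owners.get(domain, customer) != customer:
            return False
        self._owners[domain] = customer
        return True

    def owner_of(self, hostname):
        """Walk up the labels so the owner of widget.com also owns *.widget.com.
        The bare TLD is never checked, so nobody can reserve 'com'."""
        labels = hostname.lower().rstrip(".").split(".")
        for i in range(len(labels) - 1):
            owner = self._owners.get(".".join(labels[i:]))
            if owner is not None:
                return owner
        return None

    def can_add_hostname(self, customer, hostname):
        """Unreserved hostnames stay addable (today's behaviour); reserved ones
        may only be attached by the verified owner."""
        owner = self.owner_of(hostname)
        return owner is None or owner == customer
```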

Hey Dave!

Thanks for popping in to share that feedback with our team! I see quite a few DNS-specific tickets have already been submitted to JIRA, but I am going to add yours as well :slight_smile: I am sure the team already has enough information, but I always like to ask – are you okay to be contacted in the event they would like to chat @dpagini?

Yes, please feel free to reach out.


Thanks Dave!

Also it’s like the universe knew we were talking :world_map: Looks like domain verification will be required going forward.

https://status.pantheon.io/incidents/53pq1528p18d

Yes, I saw this come out today and have reached out to our account manager for more information. I’m wondering if this potentially means that other users cannot hijack the widget.com domain (in my example above), but now we have sort of lost the ability to launch a new site in a quick manner.
Sort of a “one step forward, two steps back” result.

I have heard the same sentiment in Slack yesterday actually. I have shared this feedback with the team, so I am sure they will have some more documentation out around this soon to clear up any concerns/questions. I know you reached out to your AM but I will also try and do some digging for you, since I am not sure personally. Hang tight!