Seems like GitHub could solve this by making users verify they own a domain name by adding a value to a txt record rather than just seeing the domain points to github and letting any repo use it.

You actually can do that. https://github.com/settings/pages

Thank you; just did that for my domain I use with GH Pages. They should really mention that in the setup instructions.

I’ve set up two static pages with custom domains using GH Pages in the past couple of months, and both times I had to go digging in the docs before I found the verification page as part of trying to figure out why https wasn’t working. Fucking inexplicably poor UX design from GH. If I add a custom domain, just ask me to verify it.

You can do it, iirc they even stress doing so in the docs for GitHub Pages if you don't want your domain to be stolen

Practically, it's not limited to GitHub Pages, though.

By the way, even while a custom domain is still pending verification, the GitHub Pages LB will route the request based on the Host header, allowing for the following:

    dig +short github.io | head -1
    185.199.108.153

    curl -H "Host: 42.news.ycombinator.com" 185.199.109.153
    hello

Another fun trick: You can also use wildcard DNS services like nip.io/sslip.io for alias domains, such as `my-page.185.199.108.153.sslip.io`. (Not sure of any practical use cases, though.)

Something similar once happened to me with an old domain with nameservers I had pointed to DigitalOcean from my registrar.

Managing DNS through DigitalOcean (although, this should be possible with any DNS service) requires both pointing the nameservers to that service and adding the domain to your account. If you delete the domain from your account, like I had, but forget to update the nameservers with your registrar, anyone else can claim the domain. Theoretically, if you redirect the nameservers first and then add the domain to your account, someone could swipe it from you, I guess. Though it would basically have to be pure luck.

Why is it always slot machines though?

Your DNS config 5-7 rows are the culprit.

Don't point a wildcard domain to Github. It's a wildcard and dangerous.

Yep! Fixed it already!

>how long it’s been abused?

I would say probably 10 years, I remember reading about the CNAME github issue around 2015 or so, as before that most used to use jekyll with gh pages, was very popular among indie developers

Why is securely setting up custom domains for github pages so error prone? The `<user>.github.io` CNAME record already contains the username. So why can another user steal it?

edit: apparently CNAME can't be used for TLD+1, only for subdomains, so you have to use a more error prone approach for those.

You told your NS to forward any request to GitHub, a platform you don't own.

I think this is the expected outcome.

It's good you noticed and shared your findings, but to me this "works as intended"

Please don’t scold people on HN. That’s not the style of discussion we’re trying for here.

https://news.ycombinator.com/newsguidelines.html

I'm not scolding, I'm explaining what happened. The post uses the word "abuse" for something that was the expected outcome.

It's like saying "my motorbike was stolen" when you let the key in the ignition for a day in the favelas. What did you expect exactly?

I wrote it down and posted it for others to learn, and to see if Github can make it harder for scammers to abuse the mistakes of others!

You wildcarded any traffic to github.com and thought, "eh, they probably check" and are wondering who is at fault? It's you.

You didn't think through the consequences, and you could learn a bit more about DNS.

> are wondering who is at fault? It's you I know, that's why I wrote it down.

I did not expect that Github facilitates other accounts creating scam pages under the domain I own...