GitHub Pages should use domain name verification for custom domains.

The problem: GitHub Pages allows anyone to claim the CNAME of any website by adding a CNAME file to a github.io Pages repo. If you migrate to GitHub Pages after this, you will get the following warning when you try to deploy:

"The page build completed successfully, but returned the following warning for the master branch:

The CNAME <domain> is already taken. Check out https://help.github.com/articles/troubleshooting-custom-domains#cname-errors for more information."

GitHub requires no DNS validation that you actually own the domain; as a result, anyone can claim your domain or your subdomains. This seems to be a known issue: https://help.github.com/en/github/working-with-github-pages/about-custom-domains-and-github-pages#updating-custom-domains-when-your-github-pages-site-is-disabled

Especially an issue for subdomains: 

“Warning: We strongly recommend not using wildcard DNS records, such as *.example.com. A wildcard DNS record will allow anyone to host a GitHub Pages site at one of your subdomains.”

The solution: GitHub should require a domain to validate against a TXT definition defined by the DNS provider used by the domain owner. In fact, this would require no new code for GitHub, as they already do domain name ownership verification, but it is only used for GitHub badges for GitHub groups. https://help.github.com/en/github/setting-up-and-managing-organizations-and-teams/verifying-your-organizations-domain

Is anyone else doing domain name verification? Yes, GitLab is: https://docs.gitlab.com/ee/user/project/pages/custom_domains_ssl_tls_certification/#2-get-the-verification-code
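The TXT-record ownership check the post asks for, modelled as an added example that is not GitHub's or GitLab's code. It shows the two halves of the proposal: a host derives a per-account token that the domain owner publishes in DNS and then verifies it, and a defender scans a zone for CNAME records pointing at Pages that no verified account owns (the wildcard case from the quoted warning included). The `_pages-challenge` label, the HMAC token format, the `DEMO_SECRET` and the zone snapshot for example.com are all constructed for the example.

```python
# Added illustration of the TXT-record ownership check the post asks for.
# Not GitHub's or GitLab's code: the record label, token format and zone
# layout below are assumptions chosen for the example.
import hashlib
import hmac

CHALLENGE_LABEL = "_pages-challenge"       # assumed verification record name
PAGES_SUFFIX = ".github.io."               # CNAME target that marks a Pages site
DEMO_SECRET = b"demo-only-server-secret"   # constructed; a real host keeps this private


def issue_token(domain: str, account: str, server_secret: bytes) -> str:
    """Derive the token a given account must publish for a given domain.

    An HMAC over (domain, account) lets the host recompute the expected value
    at verification time without storing every outstanding challenge, and
    binds the token to one account so a record published for one user cannot
    be reused to claim the same domain for another.
    """
    name = domain.lower().rstrip(".")
    msg = f"{name}|{account.lower()}".encode()
    return hmac.new(server_secret, msg, hashlib.sha256).hexdigest()


def verify_ownership(domain: str, account: str, server_secret: bytes, zone: dict) -> bool:
    """Return True only if the zone publishes this account's token for the domain.

    `zone` is a constructed snapshot of DNS answers: {owner name: {rrtype: [rdata]}}.
    """
    expected = issue_token(domain, account, server_secret)
    owner = f"{CHALLENGE_LABEL}.{domain.lower().rstrip('.')}."
    for rdata in zone.get(owner, {}).get("TXT", []):
        if hmac.compare_digest(rdata.strip('"'), expected):
            return True
    return False


def claimable_names(zone: dict, verified: set) -> list:
    """Names whose CNAME points at GitHub Pages but that no verified account owns.

    These are the records the post describes as claimable by anyone; a wildcard
    owner name is the case the quoted GitHub warning singles out.
    """
    flagged = []
    for owner, rrsets in zone.items():
        for target in rrsets.get("CNAME", []):
            if target.lower().endswith(PAGES_SUFFIX) and owner not in verified:
                flagged.append(owner)
    return sorted(flagged)


def build_example_zone(server_secret: bytes) -> dict:
    """Constructed zone for example.com: one verified site, two claimable records."""
    www_token = issue_token("www.example.com", "farzonl", server_secret)
    return {
        "www.example.com.": {"CNAME": ["farzonl.github.io."]},
        f"{CHALLENGE_LABEL}.www.example.com.": {"TXT": [f'"{www_token}"']},
        "old.example.com.": {"CNAME": ["retired-user.github.io."]},  # no TXT: dangling
        "*.example.com.": {"CNAME": ["farzonl.github.io."]},          # wildcard, unverified
        "mail.example.com.": {"MX": ["10 mx.example.com."]},          # unrelated record
    }


if __name__ == "__main__":
    zone = build_example_zone(DEMO_SECRET)
    for domain, account in [("www.example.com", "farzonl"),
                            ("www.example.com", "someone-else"),
                            ("old.example.com", "retired-user")]:
        ok = verify_ownership(domain, account, DEMO_SECRET, zone)
        print(f"{account:>13} claims {domain}: {ok}")
    print("claimable without verification:", claimable_names(zone, {"www.example.com."}))
```

Against a live zone, `zone` would be filled from real TXT and CNAME lookups; the design point is that the host recomputes the expected token from (domain, account) rather than trusting whatever account first uploads a CNAME file, which is the gap the post describes.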

Hi @farzonl,

Thank you for your thoughtful post!

You’re right that GitHub Pages doesn’t currently require any verification when configuring a custom domain. We chose this design due to its low friction, but it does mean that any GitHub user can claim any custom domain, so long as the domain’s DNS records point to GitHub, and it isn’t already in use on another repository.

The risk of another user accidentally claiming a specific custom domain is low, and for the most part we haven’t seen this design causing users trouble. That said, we have seen some cases of opportunistic ne’er-do-wells strategically claiming custom domains they find to be available.

Our engineering team is investigating potential improvements to prevent this in future. If you’d like to add your thoughtful analysis to their considerations, you can submit product feedback directly here:

https://support.github.com/contact/feedback

Regards,

Lindsay