Tuesday, April 4, 2017

DNS Hijacking?

I have a DNS hijacking theory.

Route 53 is Amazon's elegant DNS web service. DNS is the part of the Internet that converts domain names, like apple.com, into IP addresses such as 17.172.224.47. This is how humans contact computers on the Internet. While DNS is robust, resilient, and redundant, it is the Internet's single point of failure.

So, here's my theory. Websites, like adweek.com, use Route 53:

dig adweek.com ns

returns:

adweek.com. 172800 IN NS ns-304.awsdns-38.com.
adweek.com. 172800 IN NS ns-532.awsdns-02.net.
adweek.com. 172800 IN NS ns-1322.awsdns-37.org.
adweek.com. 172800 IN NS ns-1571.awsdns-04.co.uk.

This means the first time you visit adweek.com, your web browser/ISP will ask one of the Internet's root servers for adweek.com's registrar (i.e., where the domain name adweek.com is registered). The root servers will tell your web browser that adweek.com is hosted at moniker.com (Moniker is a domain name registrar, similar to the well-known GoDaddy). The next step is that your web browser will ask Moniker where adweek.com's DNS servers are located. These are referred to as the DNS name servers, or NS for short. As seen above, the response will point your browser to Route 53, which answers with four different servers for redundancy. The final step is that your web browser will query any one of these four servers for the physical IP address of adweek.com. All of these steps happen in the blink of an eye.

Now here's the hijacking part. What if I go to my own Route 53 account, create an entry for adweek.com, and start adding records? When I did this, Route 53 assigned the following four NS servers to me:

ns-715.awsdns-25.net.
ns-1787.awsdns-31.co.uk.
ns-396.awsdns-49.com.
ns-1263.awsdns-29.org.

There should be no hijacking problem, since Route 53 assigned four NS servers to me that are different from adweek.com's NS servers. In other words, I cannot hijack adweek.com's Internet traffic in this case. But what if Route 53 had assigned to me an NS server that was the same as one of adweek.com's NS servers? Then, I'm speculating, I could redirect at least a small portion of adweek.com's traffic to wherever I wanted.

Perhaps this isn't an issue because Route 53 ensures that it never duplicates NS server names. That would be an expensive proposition, but certainly doable. From there, if my theory holds true, then what about simpler DNS hosts, such as GoDaddy, whose DNS servers seem to be limited to nsXX.domaincontrol.com, where XX appears to be a two-digit number? This means that many different domain names are using the same DNS server names. Would that make it possible to hijack some traffic from websites sharing the same DNS server? I'm sure that DNS implementations are robust enough that this isn't an issue, otherwise it would have occurred by now. But, with my understanding of the DNS RFC, I don't know how this hijacking issue has been avoided.

So, how has this DNS hijacking scenario been prevented? I'd love to know.
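As an added example (not code from the post), here is the check a zone owner would run against the scenario above: it parses the dig output quoted earlier, computes the name-server overlap the post asks about, and flags any delegated server that does not answer authoritatively with the same NS set the parent publishes. The per-server answers are constructed inline so it runs offline; a live version would query each delegated server directly.

```python
DELEGATED = """\
adweek.com. 172800 IN NS ns-304.awsdns-38.com.
adweek.com. 172800 IN NS ns-532.awsdns-02.net.
adweek.com. 172800 IN NS ns-1322.awsdns-37.org.
adweek.com. 172800 IN NS ns-1571.awsdns-04.co.uk.
"""  # the dig output quoted in the post
AUTHOR_ASSIGNED = {"ns-715.awsdns-25.net", "ns-1787.awsdns-31.co.uk",
                   "ns-396.awsdns-49.com", "ns-1263.awsdns-29.org"}  # from the post

def norm(name):
    """Canonical host name for comparison: lowercase, no trailing dot."""
    return name.strip().rstrip(".").lower()

def parse_ns(text):
    """Targets of dig-style 'owner TTL IN NS target' lines, as a set."""
    return {norm(p[4]) for p in map(str.split, text.splitlines())
            if len(p) >= 5 and p[2] == "IN" and p[3] == "NS"}

def shared_servers(ns_a, ns_b):
    """Name servers two zones have in common (the overlap the post asks about)."""
    return {norm(n) for n in ns_a} & {norm(n) for n in ns_b}

def check_delegation(parent_ns, child_answers):
    """Flag every delegated server that does not answer authoritatively with the
    NS set the parent publishes. child_answers: {server: (aa_flag, ns_set) | None}."""
    findings = []
    for server in sorted(parent_ns):
        answer = child_answers.get(server)
        if answer is None:
            findings.append((server, "no response: possible dangling delegation"))
        elif not answer[0]:
            findings.append((server, "non-authoritative: lame delegation"))
        elif {norm(n) for n in answer[1]} != parent_ns:
            findings.append((server, "NS set differs from parent delegation"))
    return findings

# Constructed per-server answers (a live tool would query each server): three agree
# with the parent, one serves a zone whose NS set points elsewhere, which is what
# a zone owner's monitoring should alert on.
_GOOD = (True, parse_ns(DELEGATED))
CHILD_ANSWERS = {
    "ns-304.awsdns-38.com": _GOOD,
    "ns-532.awsdns-02.net": _GOOD,
    "ns-1322.awsdns-37.org": _GOOD,
    "ns-1571.awsdns-04.co.uk": (True, {"ns-715.awsdns-25.net.", "ns-1787.awsdns-31.co.uk."}),
}
if __name__ == "__main__":
    print("servers shared with the author's zone:",
          shared_servers(parse_ns(DELEGATED), AUTHOR_ASSIGNED) or "none")
    for server, why in check_delegation(parse_ns(DELEGATED), CHILD_ANSWERS):
        print(server, "->", why)
```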



1 comment:

Sandy Wilbourn said...

You could certainly send DNS traffic to the same server if you shared name servers. Those kinds of attacks are seen. For example, the Dyn attack last fall DDoS'd Dyn's servers, which meant that other domains like twitter.com were affected, at least at the DNS level. For individual domains, the services such as Route 53 or GoDaddy don't allow you to define subdomains in the adweek.com domain, but that is enforced by the system on top of the DNS, not the RFCs themselves. Hackers have attacked many of these services from time to time to redirect traffic from well-known domains to some rogue IP address.