Route 53 is Amazon's elegant DNS web service. DNS is the part of the Internet that converts domain names, like apple.com, into IP addresses such as 17.172.224.47. This is how humans contact computers on the Internet. While DNS is robust, resilient, and redundant, it is the Internet's single point of failure.
So, here's my theory. Websites, like adweek.com, use Route 53:
dig adweek.com ns
returns:
adweek.com. 172800 IN NS ns-304.awsdns-38.com.
adweek.com. 172800 IN NS ns-532.awsdns-02.net.
adweek.com. 172800 IN NS ns-1322.awsdns-37.org.
adweek.com. 172800 IN NS ns-1571.awsdns-04.co.uk.
Now here's the hijacking part. What if I go to my own Route 53 account, create an entry for adweek.com, and start adding records? When I did this, Route 53 assigned the following four NS servers to me:
ns-715.awsdns-25.net.
ns-1787.awsdns-31.co.uk.
ns-396.awsdns-49.com.
ns-1263.awsdns-29.org.
There should be no hijacking problem since Route 53 assigned four NS servers to me that are different than adweek.com's NS servers. In other words, I cannot hijack adweek.com's Internet traffic in this case. But what if Route 53 had assigned to me an NS server that was the same as adweek.com's NS server? Then, I'm speculating, I could redirect at least a small portion of adweek.com's traffic to wherever I wanted to.
Perhaps this isn't an issue because Route 53 ensures that it never duplicates NS servers names. That would be an expensive proposition, but certainly doable. From there, if my theory holds true, then what about simpler DNS hosts, such as GoDaddy whose DNS servers seem to be limited to nsXX.domaincontrol.com, where XX appears to be a double digit number? This means that many different domain names are using the same DNS server names. Would that make it possible to hijack some traffic from websites sharing the same DNS server? I'm sure that DNS implementations are robust enough that this isn't an issue, otherwise it would have occurred by now. But, with my understanding of the DNS RFC, I don't know how this hijacking issue has been avoided.
So, how has this DNS hijacking scenario been prevented? I'd love to know.
You could certainly send dns traffic to the same server if you shared name servers. Those kinds of attacks are seen. For example, the Dyn attack last fall DDoS'd Dyn's servers, which meant that other domains like twitter.com were effected, at least at the DNS level. For individual domains, the services such as route 53 or godaddy don't allow you to define sub domains in the adweek.com domain, but that is enforced by the system on top of the DNS, not the RFCs themselves. Hackers have attacked many of these services from time to time to redirect traffic from well known domains to some rogue IP address
ReplyDelete