[dns-operations] BGP Hijack of Amazon DNS

bert hubert bert.hubert at powerdns.com
Thu Apr 26 18:30:38 UTC 2018


On Thu, Apr 26, 2018 at 02:11:15PM -0400, Viktor Dukhovni wrote:
> What's interesting to me here is that hijacking the routes to a DNS-hosting
> provider for a large number of domains enables attacks that then compromise
> many target domains, that would be more difficult to compromise collectively
> via BGP alone.

Another important thing is that even a brief BGP hijack of DNS *persists*.
A 5 minute takeover can poison people's caches for a day or more. 

I've been pondering a bit if you could attempt to use a takeover to change
NS records for TLDs.  So you hijack a query for www.powerdns.com to a gTLD
server & return some fresh NS records pointing to new IP addresses.  I think
that if you use a shorter TTL than the resolver already had in its cache,
these NS records might stick.

But in any case, a 1 minute BGP hijack of a big nameserver could have
effects that last for a day or more. Unlike a direct hijack of a webserver
or mailserver IP address.

And I think a 1 minute BGP hijack is quite feasible, far more so than
keeping it going for a day.

Btw, it has been noted that injecting a cached HTTP(s) 302 would achieve
something similar if you hijack a webserver IP.

	Bert
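The persistence effect described in this thread (a route hijack lasting minutes leaving answers in resolver caches for the full TTL) can be reproduced with a small cache model. The code below is an added illustration, not part of the original post and not PowerDNS code; the IP addresses, names, the one-day TTL and the query schedule are all constructed values. It models only the TTL-driven persistence Bert describes, not the speculative NS-record override, and shows the one defender-side knob a resolver operator controls: capping how long any answer may stay cached, which bounds the damage window without preventing the poisoning itself.

```python
"""Toy model: how long a brief route hijack of an authoritative nameserver
keeps showing up in a caching resolver's answers (constructed example)."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

LEGIT_IP = "192.0.2.10"     # constructed: the real address (TEST-NET-1)
HIJACK_IP = "203.0.113.66"  # constructed: address served while the route is hijacked
DAY = 86400                 # constructed: TTL the authority puts on the record

Upstream = Callable[[str, int], Tuple[str, int]]


@dataclass
class CacheEntry:
    rdata: str
    expires_at: int  # absolute simulated time in seconds


class Resolver:
    """Minimal caching resolver: honours the answer's TTL, optionally capped
    by an operator-set maximum (the equivalent of a max-cache-ttl setting)."""

    def __init__(self, max_cache_ttl: Optional[int] = None) -> None:
        self.cache: Dict[str, CacheEntry] = {}
        self.max_cache_ttl = max_cache_ttl

    def resolve(self, name: str, now: int, upstream: Upstream) -> str:
        entry = self.cache.get(name)
        if entry is not None and entry.expires_at > now:
            return entry.rdata              # cache hit: upstream is never consulted
        rdata, ttl = upstream(name, now)    # cache miss: ask whoever currently owns the route
        if self.max_cache_ttl is not None:
            ttl = min(ttl, self.max_cache_ttl)
        self.cache[name] = CacheEntry(rdata, now + ttl)
        return rdata


def make_upstream(hijack_start: int, hijack_end: int, ttl: int = DAY) -> Upstream:
    """Authoritative side of the model: during [hijack_start, hijack_end) the
    nameserver prefix is hijacked, so queries reach the attacker's server."""

    def upstream(name: str, now: int) -> Tuple[str, int]:
        if hijack_start <= now < hijack_end:
            return HIJACK_IP, ttl
        return LEGIT_IP, ttl

    return upstream


def simulate(max_cache_ttl: Optional[int] = None,
             hijack_seconds: int = 300,
             query_interval: int = 3600,
             horizon: int = 2 * DAY,
             warm_until: Optional[int] = None) -> Tuple[int, Optional[int]]:
    """Client queries the resolver every query_interval seconds from t=0.
    The hijack starts at t=0 and lasts hijack_seconds. If warm_until is set,
    the resolver already holds the legitimate answer until that time.
    Returns (number of poisoned answers served, time of the last one)."""
    name = "www.example.com"  # constructed name
    resolver = Resolver(max_cache_ttl)
    if warm_until is not None:
        resolver.cache[name] = CacheEntry(LEGIT_IP, warm_until)
    upstream = make_upstream(0, hijack_seconds)
    poisoned, last = 0, None
    for t in range(0, horizon, query_interval):
        if resolver.resolve(name, t, upstream) == HIJACK_IP:
            poisoned += 1
            last = t
    return poisoned, last


if __name__ == "__main__":
    for cap in (None, 3600):
        count, last = simulate(max_cache_ttl=cap)
        print(f"max_cache_ttl={cap}: {count} poisoned answers, last at t={last}s")
    # A warm cache is no protection if a single refresh falls inside the window.
    count, last = simulate(query_interval=60, warm_until=100)
    print(f"warm cache expiring mid-hijack: {count} poisoned answers, last at t={last}s")
```

With the defaults, a 300-second hijack at t=0 poisons the first lookup and the resolver keeps serving the hijacker's address on every hourly query until the one-day TTL runs out (24 answers, the last at t=82800). Capping the cache at one hour cuts that to a single poisoned answer, and the warm-cache run shows Bert's other point: a resolver that already had the correct record cached is still caught if its refresh happens to land inside the five-minute window.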


