7

I'm asking this for purely academic reasons.

I know that there are domain record lists and whatnot, but I'm trying to understand the exact structure of how DNS works and where someone can potentially take over a domain name. Even if my web-app has absolutely no holes in it, can't someone just change the domain records to point elsewhere and hijack my traffic?

Scott Pack
  • 15,167
  • 5
  • 61
  • 91
Moshe
  • 1,721
  • 3
  • 16
  • 22
  • this question is only about DNS registrar issues or you would like to know about mitm attacks? Because those are two different questions from the technical point of view. –  Nov 21 '10 at 16:24
  • @Ams - I was asking more about mitm, not registrar issues, but I don't know enough to differentiate much. – Moshe Nov 21 '10 at 16:51

3 Answers3

6

Domain hijacks don't happen via web application hacks, but are usually via vulnerabilities in the domain registrar's system, or by managing to intercept/take over the email accounts the domains are registered to - so the attacker can reset the passwords and intercept the transfer emails, agreeing to the transfer.

Normally it'll happen by managing to convince the domain registrar that the attacker is the owner of the domain, using personal information about the domain owner to access their account on the registrar and then either switch the DNS servers to an attacker's DNS servers from where they can redirect how they like, or by transferring the domain to the attacker.

Or of course there's simply waiting for the domain to expire and grabbing it before it's renewed.

ICANN produced a report in 2005 about this issue, covering the risks and actions you can take.

blowdart
  • 859
  • 4
  • 5
2

Even if you don't officially take over someone's domain name, you might still be able to "take over their domain name". That is, temporarily.

  • DNS poisoning (basically pusing the results of a non-existant query)
  • Hosts overwriting - on Windows there is a hosts file that overrides DNS. Entries put in there will not even ask DNS for an IP, but will go straight there. If I can do that in any way - interactive access, app flaw that lets me write to files, etc - I can effectively take over any website, accessed from that machine.
  • Domain squatting on commonly misspelled words (e.g. googel.com)
  • DNS Rebinding. This is a more complex issue, I suggest you also read up on RSnake's blog.
  • As for MITM, RSnake again has a nice list of possible vectors.
AviD
  • 72,138
  • 22
  • 136
  • 218
1

Man-in-the-middle attacks against DNS rely on being able to craft a reply to a victim machine's DNS request that gets received by the victim before a legitimate reply. So you might send UDP packets that claim to be from the victim's DNS server and claim that www.victimsbank.example has an A record of attacker.evilpeople.example's IP address. When the victim goes to visit that site, if your packet gets there before the real result, off they go to the attacker's server.

  • This requires more resources than actually changing the records though, because there is one record and many users. – Moshe Nov 22 '10 at 00:22
  • @Moshe that depends on whether the attacker is targeting a victim or being indiscriminate. It's probably easier to do this at a Starbucks than to go to the registrar. Besides, you did say you were interested in mitm... –  Nov 22 '10 at 07:48