What prevents me from setting up an A name entry for “google.ca” to whatever IP address I want?

55

9

When I pointed my GoDaddy domain name to the IP address of the GCP VM running my web server, this is all I had to do:

  1. Change GoDaddy nameservers to GCP nameservers
  2. Create A/CNAME/SOA entry in GCP DNS for my domain to my IP address

What prevents me from doing the same thing for any domain in the world?

As a matter of fact, I did:

Screenshot

I created a CNAME, A, SOA entry for google.ca to my VMs external public IP address and nothing stopped me. Now I don't expect all of Google's traffic to start directing towards anywhere I want (that would be a fun DDOS), but what's going on here? What am I missing?

My intentions aren't unethical. I'm simply trying to learn how it all works.

Sedky Abou-Shamalah

Posted 2020-02-12T20:32:05.650

Reputation: 641

2I don't use GoDaddy, but on my DNS host when it say something like domain.something. that last dot is indicating it's still a subdomain of whatever domain I'm editing records for. Are you sure you're not actually making records for google.ca.mydomain.com? – Logarr – 2020-02-13T15:52:16.047

18

@Logarr Are you sure? Normally it is the other way around: Without the final dot domains are relative, with the final dot absolute domains are given.

– Marcel Krüger – 2020-02-13T18:58:25.247

2Congratulations! You found a way break the internet. – Pablo – 2020-02-14T17:42:18.400

better to hide your public IP in the image – dev-masih – 2020-02-15T10:12:00.163

Oh, I found a big red button that looks scary. Let's try what it does! (No worries, just trying it was the right thing to do here. And quite interesting!) – Volker Siegel – 2020-02-16T03:39:50.287

1Don’t forget to accept one of the answers! If you need further clarification, please don’t hesitate to ask. – Daniel B – 2020-02-16T21:33:35.980

Answers

81

Nothing is stopping you. However, nobody will take a look either. That’s because the real domain isn’t pointing at your name server (GCP DNS). One could only get these records by directly asking your name server for them.

DNS queries start at the root:

$ dig google.ca +trace

; <<>> DiG 9.11.5-P4-5.1-Debian <<>> google.ca +trace
;; global options: +cmd
.                       68215   IN      NS      h.root-servers.net.
.                       68215   IN      NS      k.root-servers.net.
.                       68215   IN      NS      i.root-servers.net.
.                       68215   IN      NS      g.root-servers.net.
.                       68215   IN      NS      a.root-servers.net.
.                       68215   IN      NS      b.root-servers.net.
.                       68215   IN      NS      d.root-servers.net.
.                       68215   IN      NS      f.root-servers.net.
.                       68215   IN      NS      l.root-servers.net.
.                       68215   IN      NS      e.root-servers.net.
.                       68215   IN      NS      j.root-servers.net.
.                       68215   IN      NS      m.root-servers.net.
.                       68215   IN      NS      c.root-servers.net.
;; Received 553 bytes from 192.168.2.5#53(192.168.2.5) in 31 ms

ca.                     172800  IN      NS      c.ca-servers.ca.
ca.                     172800  IN      NS      x.ca-servers.ca.
ca.                     172800  IN      NS      any.ca-servers.ca.
ca.                     172800  IN      NS      j.ca-servers.ca.
;; Received 626 bytes from 202.12.27.33#53(m.root-servers.net) in 24 ms

google.ca.              86400   IN      NS      ns1.google.com.
google.ca.              86400   IN      NS      ns2.google.com.
google.ca.              86400   IN      NS      ns3.google.com.
google.ca.              86400   IN      NS      ns4.google.com.
;; Received 603 bytes from 199.253.250.68#53(x.ca-servers.ca) in 42 ms

google.ca.              300     IN      A       172.217.16.163
;; Received 54 bytes from 216.239.32.10#53(ns1.google.com) in 22 ms

(I trimmed out the DNSSEC stuff for brevity.)

Usually of course you wouldn’t perform an iterative query yourself. A recursive DNS server will do it for you, a lot quicker, too.

Daniel B

Posted 2020-02-12T20:32:05.650

Reputation: 40 502

7Wouldn't be be able to do shenanigans if he controlled the name server for a given network (e.g. the name server for a corporate intranet), since it'd be the first server a given user's computer consulted? – nick012000 – 2020-02-13T10:54:59.690

1also your own name-server would only be asked for an answer if NO other name-server provided one ... as they are hierarchically organized you can assume that most well known addresses are resolved WAY before your name-server is asked. People with malicious intend fire ddos attacks at the higher name-servers to force the hierarchy to ask to resolve it using their manipulated name-servers - yes @nick012000 .. in his organization he could do shenanigans - but only for people who only use his (corporate) name-server. Most use additional name-servers ;-) – eagle275 – 2020-02-13T10:57:38.207

9

It's worth noting that HSTS is a mitigation against this. Even if one were to set up private DNS with records for well-known sites and then set up phony versions of those sites, a user attempting to visit those sites would be redirected by their browser to the HTTPS version of the site, which would either fail or show an invalid certificate warning.

– saucecontrol – 2020-02-13T11:14:05.430

@saucecontrol, if you control the DNS of some domain, you should be able to get a Let's Encrypt certificate for it. – ilkkachu – 2020-02-13T12:38:18.333

8@ilkkachu The HSTS mitigation was in response to having a private DNS server that resolves to a malicious IP, not access to the authoritative nameserver. Let's Encrypt resolves the site from multiple locations and queries from multiple IPs before issuing a certificate. HKP would be a further mitigation against malicious certs. – Tyzoid – 2020-02-13T16:14:01.353

@nick012000, then he wouldn't be in charge of that corporate name server for long, would he? – Dave – 2020-02-13T17:34:01.153

@eagle275, this isn't really true. On networks that have their own internal name servers, which is most, those servers are queried first, and it's trivial to configure them not to recurse for a particular domain name. But then see my reply to nick012000. – Dave – 2020-02-13T17:34:55.087

Chat’s over here, m’kay? – Daniel B – 2020-02-13T17:59:18.783

7@nick012000 besides shenanigans, it makes a perfectly valid method for applying a company policy. For example, you can make facebook or youtube browser requests to go to a company policy memo (or a local jobs site, as we once did for a client). – fraxinus – 2020-02-13T21:42:45.897

@Tyzoid Pardon, but what is HKP? – iBug – 2020-02-14T07:44:09.683

@nick012000 That's kinda what a firewall is (grossly simplified). Once you control the name server, you control access to the outside world. This is just part of controlling an intranet. I guess whoever controls the intranet can perform "shenanigans" with that control. – Acccumulation – 2020-02-14T20:06:44.250

@saucecontrol what if they set up a malicious certificate authority on the local network as well? – PyRulez – 2020-02-14T22:56:05.973

3@PyRulez Either your pc by default ignores the unknown certificate authority, or your pc is property of the company with the "malicious" CA preinstalled. In the latter case it may be the case that the pc does as the owning company wants more than as you want ... – Hagen von Eitzen – 2020-02-14T23:01:14.067

@ nick012000 (presuming meant "Wouldn't be be able") Yes. If he controlled a DHCP server that pointed people to the local DNS server, the local DNS server could provide such bad information. (A client could override this by manually choosing a known public DNS server.) – TOOGAM – 2020-02-15T11:51:09.643

@HagenvonEitzen okay, so CAs are generally preinstalled. That makes sense. Thanks! – PyRulez – 2020-02-15T14:03:58.353

"(I trimmed out the DNSSEC stuff for brevity.)". Just add +nodnssec to your dig CLI next time and it won't display DNSSEC related information (which is orthogonal on doing or not DNSSEC validation, which is the +cd flag). Note that you can trim flags, so I often use +nodns to just confuse people... ("Wait, what, dig with no DNS?") – Patrick Mevzek – 2020-02-21T21:19:52.860

"Wouldn't be be able to do shenanigans if he controlled the name server for a given network (e.g. the name server for a corporate intranet), since it'd be the first server a given user's computer consulted? " Yes, but less and less so with the advent of DNS over TLS and even more DNS over HTTPS used by browsers, like Firefox, to disregard completely your local DNS settings and just go out asking CloudFlare to do DNS resolutions for you. – Patrick Mevzek – 2020-02-21T21:21:14.043

"It's worth noting that HSTS is a mitigation against this" No it is not, except if you pin the keys. If you control resolution, it is trivial to get DV certificates, so HTTPS is fine. DNS TLSA records on the other end are a mitigation to this (this is DANE, because you basically encode parts of the certificates in the DNS), but only with DNSSEC in which case even if you control the resolution, you won't make the responses DNSSEC valid. – Patrick Mevzek – 2020-02-21T21:22:44.703

@iBug HKP is in fact HPKP or HTTP Public Key Pinning. This allows a website to say to the browser: please accept HTTPS connections to me only with certificates having public key being X or Y (in summary). This basically insures that you can not connect to something pretentind to be the website but using another certificate. However in practice this is not anymore (never was) a real solution: browsers are slowly deprecating it over things using Certificate Logs, and you have the problem of first access anyway (how to disseminate the proper keys to use?). DNS TLSA records are a better solution – Patrick Mevzek – 2020-02-21T21:28:37.190

30

Suppose it's 1980, and telephone books are still a thing. What's to stop you from going to Kmart's entry in your phone book, and replacing their phone number with the phone number for your store? Absolutely nothing. You are free to do this, and if you use that phone book, every time you try to call Kmart, you'll get your own store. You can relabel phone numbers to your heart's content.

Thing is, everyone else has their own phone book, and they aren't looking at yours. Unless you can break into the phone company and change Kmart's phone number there so that the phone books they send out will have your business's number, you aren't going to deny any business to Kmart.

Similarly, if you decide that you're tired of typing incrediblylongdomainnamethattakesaridiculouslylongtimetotime.com and you don't want to rely on autocomplete, you are free to set up a server that has short.com resolve to incrediblylongdomainnamethattakesaridiculouslylongtimetotime.com 's IP address, and have your computer use that server to resolve domain names. But unless you can get other people's computers to use that server too, you're not going to affect what happens when they type short.com into the address bar.

Acccumulation

Posted 2020-02-12T20:32:05.650

Reputation: 439

8Basically, it's like putting the title "President of the United States" on your business cards. Most people in the world will never see one. Most of the people who do will roll their eyes and ignore it. – ceejayoz – 2020-02-14T21:57:54.067

3@ceejayoz First two sentences are correct. Third is wrong. In such situation your computer will say "Oh hello Mr President!". The problem is, that if your computer even looks at that business card, it has no way to know it's not legit. You want your computer to NOT check business cards at all, you want your computer to check the only good business-card-catalog you really trust. If your computer was somehow made into thinking that it's better to ask (hacked/spoofed) DNS server B instead of normal DNS server A, then your computer won't roll its eyes and will believe that you are the president. – quetzalcoatl – 2020-02-14T23:21:37.573

1@quetzalcoatl It's an imperfect analogy, but the third sentence is intended to address how difficult it's going to be to get a valid certificate for google.ca on your spoofed server. – ceejayoz – 2020-02-15T02:01:54.950

@ceejayoz what does a certificate have to DNS? Without http+s case would be lost. The sole fact that the computer connects to the fake google.ca proves that DNS spoofing succeeded. that's what I meant by saying that "those computers won't roll their eyes" – quetzalcoatl – 2020-02-15T02:04:21.260

1@quetzalcoatl You can point the google.ca record wherever, but wherever won't have a valid cert. As browsers will grump about things like password fields submitting to HTTP these days, it's another nail in the coffin for DNS hijacking. – ceejayoz – 2020-02-15T02:29:56.360

Great answer. But I would have bee more likely to register incrediblylongdomainnamethattakesaridiculouslylongtimetotype.com (because, who needs to time how long it takes to time something?) – TOOGAM – 2020-02-15T11:53:07.767

This is a great answer – Asteroids With Wings – 2020-02-15T23:38:08.493

... and telephone books are still a thing? I ordered the latest copy of the White Pages and the Yellow Pages four months ago. I need to do it again now that it's the new year. Shame they don't send them automatically anymore - at least the White Pages. – InterLinked – 2020-02-22T14:40:43.020

24

So my question is, what prevents me from doing the same thing for any domain in the world? As a matter of fact, I did.

The tough part is getting that data, including the NS records for your nameservers installed on the .ca name servers. They probably won't let you do that, and third parties will resolve the domain by querying name servers from the root down, so (global) root first, which gives the address to the .ca name servers, which give the address to the .google.ca name servers.

Of course, if you install those records in your organization's name servers, then anybody within your organization will see the data you set up. (Well, assuming they use the org's name servers, instead of something like 8.8.8.8 directly.) But the moment someone tries to open an HTTPS connection there, they'll get an error because no CA outside your organization will sign your keys for that domain. (which of course can then be circumvented by setting up a CA of your own within the organization, but that's a different story.)

ilkkachu

Posted 2020-02-12T20:32:05.650

Reputation: 860

4In practice, HTTPS can still be intercepted within organizational machines. If your organization is setting up organizational name servers, they are probably also distributing internal certificate authorities (e.g., using Group Policy). This still fails under certificate pinning, on condition that the pinning itself was not intercepted and discarded. Note that public key pinning is deprecated, though I believe Google Chrome hard-codes the root certificates for some of Google's domains. – Brian – 2020-02-13T14:25:54.807

3@Brian Even with pinning, browsers generally accept any non-default certificate authorities regardless of whether or not a different CA is pinned. This is done specifically to support organizational HTTPS interception, which is generally considered a valid use case. – cpast – 2020-02-14T01:05:14.893

DNS TLSA records let owner of the domain choose which certificates/CA should be accepted, per service. Unfortunately this is for more far more spread in usage in SMTP-land than in HTTP-land. – Patrick Mevzek – 2020-02-21T21:24:35.110

3

A better way to phrase the answer, I think, is to say that while you can do it, it doesn't affect the domain you create them for.

When a device attempts to connect to an IP address it performs a lookup from a number of places in order:

  1. It searches for local host file entries that tell it how to resolve the domain.
  2. If no entry is found, it then checks the domain service for the name servers set at the registrar.
  3. Those name servers then specify an authoritative DNS zone file to reference.
  4. The zone file then provides authoritative A records.

Because the zone file you created isn't in the public chain of reference for authority it won't affect public traffic.

However, it can affect local traffic in the right (or wrong) circumstances, supposing you are on a machine that for some reason checks local DNS before checking authoritative DNS (similar to specifying IP addresses for host names in a local host file), such as with mail routing. For example, if a server is set to local mail routing but the authoritative MX records point to a remote machine. Mail sent from the local machine may be routed internally rather than based on the authoritative information.

So, at best it's a waste of your time. At worst it will mess up your own stuff.

David Scott

Posted 2020-02-12T20:32:05.650

Reputation: 131

1

Try going through https://howdns.works It covers both iterative and recursive DNS and how it works, in a very fun and understandable manner. The answer pretty much outlined by Daniel has everything needed.

Mihai T.

Posted 2020-02-12T20:32:05.650

Reputation: 11

0

Things like this can be useful! I once set up the firewall to be AOL so a customer's users could get to AOL via a firewall proxy on the same TCP port.

David Pickett

Posted 2020-02-12T20:32:05.650

Reputation: 11

-1

htst would cause you problems. Browsers already know where to point traffic. The inner workings of its system is a bit unclear to me, but as this has to do with DNS record resolvement, we'll just stick to that instead, since your records aren't on an authoritative DNS, and google.ca is routed by whoever handles .ca domains to use their specified nameservers.

This would never work because the top level DNS servers that ARPA runs does not accept changes from your nameserver for a domain that they couldn't verify to be from said DNS pointed out via the .ca domain handlers routing. Therefore this would cause duplicates (not good; it could cause your domain to be revoked if they believe this was done on purpose), if the providers default nameservers handle redirection or pointing to its specified IP address.

It's a whole bunch of levels, and you have to be on the same level within its network (as the DNS record is hosted on) to carry this out and yes as someone mentioned, you would probably have to carry out DDoS attacks to force it to fallover, or some low-key hacking on the victims to use your rouge DNS.

To have its record overwritten, this could probably be done by firewall rules if the system had been compromised, again just guessing, but there could be other ways that doesn't require system access.

It's my understanding of this, there are people here with far more experience than what I have, and this is a very complicated visualisation of what is going on.

There could be several ways to bypass this for not-so-high-end domains not certified/verified for htst, but really this isn't something that should be talked about on the open web since performing this is considered basis for the worst type of cyber crime.

You would be able to use this to intercept, carrying out man in the middle sort of attacks on vulnerable domains using the same DNS as your website, just by using the same provider who also must be fairly outdated/insecure which there are plenty of.

The Internet is broken, and it's the whole reason why we have to mitigate all these faults by spending countless hours configuring even the simplest of services.

Julian

Posted 2020-02-12T20:32:05.650

Reputation: 1

3HTST - don't you mean HSTS (HTTP Strict Transport Security)? If so, HSTS will only tell the browser to updgrade the request from HTTP to HTTPS if the browser has already seen the HTTPS site or the domain is pre-loaded. DNS is not involved in this in the slightest. All it will do is force a request to http://<domain> to be automatically upgraded to https://<domain> – phuzi – 2020-02-14T11:42:55.430

What is htst? – Peter Mortensen – 2020-02-15T14:09:41.480

Asked: 2020-02-12T20:32:05.650

Viewed: 28 824 times

Active: 2020-02-24T20:18:01.783