DNS/FCP/4.1

4.1 Domain Hijacking

Domain hijacking can be performed when the ‘Permissive or Island’ requirement is satisfied in tandem with the ‘Poisonable zone’ requirement, i.e., either the resolver is permissive or the zone is an island of security, and there is at least one RR in the second fragment.

In this case the attacker can replace the RR(s) in the authentic second fragment of a DNS response with spoofed NS or A RR(s) pointing at his own name server; the TTL in the spoofed RRs has to match the TTL of the other RRs in that RRset.

Note that our domain hijacking techniques (below) trivially apply to fragmented DNS responses that are not protected with DNSSEC; in the full paper we show such an attack, exploiting queries for TXT RRs whose responses get fragmented (the course of that attack is essentially similar to the attacks presented next).

We tested the domain hijacking attack in two scenarios (as elaborated above):

The ‘nxdomain/no-data’ (NSEC3) response is often fragmented in the authority section, and the additional section contains an EDNS (OPT) RR.

This allows replacing the authority records in the second fragment with fake NS RRs; we show this attack in Section ../4.1.1, replacing an NSEC3 record with a spoofed NS record in the authority section of the response to a query for a non-existing name within sec.cs.biu.ac.il, i.e., the (DNSSEC-enabled) domain of the security group of the computer science department at our university.

The ‘existing domain’ response, e.g., for DNSKEY or TXT, is also often fragmented. Such responses typically contain records in the additional section too, which allows replacing the IP address of a name server (in a glue A RR) with the IP address of the attacker. We show this attack in Section ../4.1.2.