[rdancer]

I can imagine that such an attack would be dealt with a mix of manual intervention and technical measures, something in between the Google.com search page outage that happens once in a blue moon, and the false routes for YouTube.com IPs that have been propagated several times during the past few years.

Big companies that rely on Internet presence are quite pro-active, and there are teams of people whose job is to prevent something like this from happening in the first place.

DNS is not a secure protocol, and you can redirect connections intended for google.com from the same local network easily, yet the world still keeps turning.

[bobajeff]

>there are teams of people whose job is to prevent something like this from happening in the first place.

Reading that along with the rest of this thread reminds me just how bad it is to have so much of the internet rely on large sites like this. The amount of trust and dependency that rests on Google is very dangerous. The amount of damage to the world that could result in a failure of their service is beyond imagination.

[ethbro]

On the other hand, it lets them do things like certificate pinning for themselves in their own browser, no? So, good and bad.

[forgottenpass]

Chrome could ship pinned certs for whatever sites they want to cooperate with.

Vertical integration just means that Chrome cooperates more with Google's webadmins than Twitter's.

[_RPM]

How exactly would that work. modify an instance of bind and check if the client is requesting to resolve 'google.com'? If true, then respond with the rouge IP? First we must make sure the client machine is set up to use our name servers, the ones we have control over.

[seanp2k2]

You can just set up the zones in e.g. Your local network nameserver to say it's authoritative for google.com then send the traffic to wherever you want. Many companies do this on a large scale on their internal networks for the purpose of having easy-to-use names (that can have the nodes behind them changed out without changing anything else) using, mostly for backward-compatibility or legacy reasons, the same domains / zones that may resolve externally to different RRsets. This is known as split-horizon DNS: https://en.m.wikipedia.org/wiki/Split-horizon_DNS

[coldpie]

Never use a rouge IP. They're red for a reason, man.

[dlo83]

I'm glad someone else picked up on that! :)

[tracker1]

You don't even need to setup the client, if you have control over any number of intermediate routers, you can snag/reroute port 53 tcp/udp traffic any way you like. I tend to setup my home router to do this, so that all open dns traffic goes where I tell it to.

It's also advised to do so for unauthenticated users on shared/public wifi so that you can provide an agreement page/site. Also, so that unauthenticated users can't use DNS as a tunnel method, which is pretty damned cool, but insecure.

[userbinator]

Also, so that unauthenticated users can't use DNS as a tunnel method, which is pretty damned cool, but insecure.

You can put TLS into a DNS tunnel too, it's just even slower.

[icebraining]

I've done TCP-over-SSH-over-DNS many times (using iodine and sshuttle) and it was actually surprisingly usable! I could get over 200Kbps downstream. Iodine uses NULL requests -if allowed by the recursive DNS server- which can fit 1KB+ per request/reply.

[_RPM]

I've set up my laptop to go to my home internal server (old laptop) for DNS. My quality-of-development-environment has increased because I can associate any internal in development app I want with a hostname tied to my internal DNS prefix. Very useful for setting up nginx for multiple applications.

[ersoft]

You can do it locally with dnsmasq or using xip.io, without an extra server.

[colechristensen]

You can do it by listening in promiscuous mode and injecting packets into the network pretending to be the DNS server.

You can also setup a rouge DHCP server that sends a different DNS address.

There are likewise many other methods.