Route 53 on AWS, What's stopping me from using someone else's domain? I can look up a website's nameservers with whois, what would happen if I added a domain I didn't actually own and replaced

@Kevin317

Posted in: #AmazonAws

I can look up a website's nameservers with whois. What would happen if I added a domain I didn't actually own and replaced the name servers with the correct ones I know they are from whois? Will there be a chance that traffic will choose my route instead? What's preventing me from doing such a thing?


@Heady270

I was in the position to try this. I have two AWS accounts: one for personal use and one for work. My work account has several domains using Route 53, including some typo redirects that nobody is going to notice if I mess them up for a little while.

I logged into my personal AWS account. I added a hosted zone for a domain that already exists in my work account. Route 53 let me do this! However, Route 53 assigned different nameservers to it. The set of nameservers for the correct account are:


NS ns-1408.awsdns-48.org.
NS ns-1736.awsdns-25.co.uk.
NS ns-39.awsdns-04.com.
NS ns-812.awsdns-37.net.


Route 53 assigned a completely different set of nameservers for my hacking attempt. Route 53 did not modify the DNS entries that were on the official name servers.

Next I tried setting the NS records for the hack hosted zone to match the official ones. Route 53 allowed me to alter the NS record. However, this did not cause the official nameservers to start serving different values.

My hack was unsuccessful. Here is a thread on the AWS forums about this topic: forums.aws.amazon.com/thread.jspa?threadID=73142. It says the same thing that I found out:


Each Route 53 zone has a unique set of name servers. Unless your domain points to any of these "rogue" DNS servers, that configuration is not going to be used.


From ServerFault's "Can someone using the same DNS server as me hijack my domains?" it appears that most DNS hosting companies use a policy where the first person to create records is considered the owner. They wouldn't allow another customer to add records for a domain previously owned by another customer. A representative from Digital Ocean (a hosting company) also chimed in that this type of policy usually works fine but they have procedures to handle cases where somebody preemptively puts DNS records in place for your domain on their servers.

If you choose to use it, there is also a DNS security feature called DNSSEC. Jenny D posted an excellent summary of how it helps:



You register your domain (I'll go with the eminent name wesleyisaderp.com here, just because.)
You register your name servers with your registrar, usually via a web interface that you authenticate to with a username/password combo.
You also create a public/private key pair, and you upload your public key to your registrar in the form of a DNSKEY record. (That is how the registrar can set up the chain of trust to the root servers for the top level domain - in this case, the root servers for .com.) Again, you upload this when you're logged in with your own username/password combo, so it is connected to your domain(s) and not to someone else's.
You go to the nameserver, you enter your records and you sign the resulting zone file with your private key. Or, if you've got a web interface to your DNS hosting service, you upload the private key to them so they can sign the zone file to them.
When Wesley so rudely tries to hijack your domain and CNAME it to wesleyisbetterthanyou.com, his records won't be accepted by the .com root domain servers because they aren't signed with the right key. If your DNS hosting provider is clever, they will check that right off the bat and won't even allow him to try to add records to that domain unless he's got the right private key.
When you enter your own records, they will be signed by the right key, so they will work.
You can now sit back and laugh at Wesley.



However, Route 53 does not currently support DNSSEC for DNS entries:


Amazon Route 53 supports DNSSEC for domain registration but does not support DNSSEC for DNS service. If you want to configure DNSSEC for a domain that is registered with Amazon Route 53, you must use another DNS service provider.

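The comparison the answer above carries out by hand, as an added example (not code from the original post or from AWS): it parses NS listings in the format shown in the answer and reports whether a hosted zone's name servers are the ones the parent zone actually delegates to. The domain example.com, the TTL and the second zone's server names are constructed; the function names are hypothetical.

```python
import re

# Matches "NS host." (the listing format in the answer) and dig-style
# "name TTL IN NS host." lines.
NS_LINE = re.compile(r"(?:^|\s)NS\s+(\S+)$", re.IGNORECASE)

def parse_ns(text):
    """Return name server hostnames, lowercased and without the trailing dot."""
    hosts = set()
    for line in text.splitlines():
        m = NS_LINE.search(line.split(";", 1)[0].strip())  # ignore ';' comments
        if m:
            hosts.add(m.group(1).rstrip(".").lower())
    return hosts

def audit_delegation(parent_ns, zone_ns):
    """Classify a hosted zone against the NS set the parent zone delegates to."""
    parent, zone = parse_ns(parent_ns), parse_ns(zone_ns)
    if not parent or not zone:
        return "unknown", set()
    stray = parent - zone           # delegated servers that are not this zone's
    if not stray:
        return "authoritative", stray
    if parent & zone:
        return "partial", stray     # some queries land on servers outside this zone
    return "not-delegated", stray   # zone exists but the domain does not point to it

# Constructed sample: delegation for example.com as the parent zone would return it,
# using the four "correct account" name servers quoted in the answer.
DELEGATED = """\
example.com. 172800 IN NS ns-1408.awsdns-48.org.
example.com. 172800 IN NS ns-1736.awsdns-25.co.uk.
example.com. 172800 IN NS ns-39.awsdns-04.com.
example.com. 172800 IN NS ns-812.awsdns-37.net.
"""
OFFICIAL_ZONE = """\
NS ns-1408.awsdns-48.org.
NS ns-1736.awsdns-25.co.uk.
NS ns-39.awsdns-04.com.
NS ns-812.awsdns-37.net.
"""
# Constructed names standing in for the different set given to the second zone.
SECOND_ZONE = "NS ns-a.constructed.example.\nNS ns-b.constructed.example.\n"

if __name__ == "__main__":
    for label, zone in (("official", OFFICIAL_ZONE), ("second", SECOND_ZONE)):
        verdict, stray = audit_delegation(DELEGATED, zone)
        print(label, verdict, sorted(stray))
```

A "partial" verdict is the one to investigate on your own domains: the parent still delegates to at least one server that does not belong to your zone.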

