Google public DNS hijacked briefly


Google’s public DNS server traffic was briefly hijacked recently, causing users in Brazil and Latin America to be redirected to telecommunication giants BT. This issue occurred on March 16th for a period of 22 minutes and only affected users in the Latin America countries, redirecting genuine traffic through to sites belonging to the British Telecomm’s Latin America division.

Internet traffic from the affected networks is redirected to telcomms giant BT sites.

Internet traffic from the affected networks is redirected to telcomms giant BT sites.

Correct use of Domain Name System (DNS) is an absolute necessity on the Internet and allows mapping of web addresses to a human readable form. For example, web addresses such as are aligned with their real, yet highly secretive IP addresses in order to allow humans to interact with the Internet in a more logical fashion. Simply put, DNS allows a lookup of the web address human readable form ( to the Internet Protocol (IP) address of where that web server actually resides (an IPv6 address such as 2001:4860:4860::8888). While this method does allow ease of indexing for sites, it is also a common target for attackers to poision, or alter values, in order to redirect genuine traffic elsewhere.

This attack is known as a man-in-the-middle attack, or DNS poisioning. An attacker will compromise the public DNS servers that are used to route traffic from, say, to its intended IP address on the Internet. The attack will then inject different IP addresses for that legitimate address to redirect traffic to their own sites. In the case of Google’s public DNS being hijacked, this may have occurred due to Border Gateway Protocol (BGP) hijacking, as reported by BGPmon on March 16th. BGPmon stated that Google’s public DNS server,, had been hijacked for Internet users in Brazil and Venezuela for up to 22 minutes. The attackers had compromised the public DNS server and injected IP addresses for web servers belonging to British Telecomm’s Latin America division, and therefore all legitimate traffic had been redirected to these sites.

BGPmon identified an attack against Google's public DNS servers, affecting networks in Brazil and Venezuela

BGPmon identified an attack against Google’s public DNS servers, affecting networks in Brazil and Venezuela

As expected, this had a major impact on the networks affected. Google’s public DNS servers handle requests for up to 130 billion DNS queries, from more than 70 million IP addresses, on a daily basis. Google’s public DNS servers are most widely used in the world and allow Internet users to look up addresses quickly and efficiently. An attack against these servers is likely to lead to disruption to normal activities for many users located in the Southern American territories.

Although Google has utilised Domain Name System Security Extensions (DNSSEC) for many of its DNS servers, most companies have failed to follow in Google’s footsteps – leaving themselves vulnerable to both Distributed Denial of Service (DDoS) attacks and DNS cache poisoning attacks.

In this scenario, the attack against BGP would not have been trivial. The attacker would have required control of a router for a major southern American Internet Service Provider (ISP). However sophisticated, the attack did not appear to serve any specific purpose or intentions to harvest traffic to a site containing malware or ransomware, for example. Often, these type of attacks are designed to route users to a website containing malware or for financial gain. This, however, simply denied users accessing the Internet, instead redirecting to BT’s main sites. With this in mind, it may be that this was simply an accidental wrong configuration of a router by a major ISP. While this wouldn’t be the first time this has happened, it is a major wake up call for how easily traffic can be redirected through limited means.

About Lee Hazell

Lee Hazell is a cyber security consultant with a keen interest in anything tech or security related. Follow Lee on .

Leave a Reply

Your email address will not be published. Required fields are marked *