Bind 8.2.2-P5 picking up bogus .com NS list

John Coutts administrator at yellowhead.com
Thu Aug 17 15:37:39 UTC 2000



In article <20000816131815.A17952 at zwitterion.humbug.org.au>, 
suter at zwitterion.humbug.org.au says...
>
>Folks,
>
>I am one of the System Administrators at The University of
>Queensland.  Yesterday evening, I noticed the following.
>
>    ; <<>> DiG 2.2 <<>> @cuscus.cc.uq.edu.au com ns=20
>    ;; res options: init recurs defnam dnsrch
>    ;; got answer:
>    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46126
>    ;; flags: qr rd ra; Ques: 1, Ans: 1, Auth: 0, Addit: 1
>    ;; QUESTIONS:
>    ;;      com, type = NS, class = IN
>
>    ;; ANSWERS:
>    com.    10427   NS      myifriendsns1.webpower.com.
>
>    ;; ADDITIONAL RECORDS:
>    myifriendsns1.webpower.com.     85003   A       204.180.135.105
>
>    ;; Total query time: 2 msec
>    ;; FROM: cuscus.cc.uq.edu.au to SERVER: cuscus.cc.uq.edu.au  130.102.128.43
>    ;; WHEN: Tue Aug 15 22:09:44 2000
>    ;; MSG SIZE  sent: 21  rcvd: 74
>
*************** SEPARATOR *****************
I complained about this situation long ago and couldn't get anyone to 
listen. We have been hit twice, and both times the only common link was 
webpower.com. The problem originates when a fictitious domain is registered and 
points to a DNS that the hacker has access to. The hacker then somehow loads 
the DNS records in the cache of the targeted DNS claiming to have authority for 
the .com domain. When someone in your domain requests the fictitious site, it 
then supplies a non-authoritative response to your DNS and replaces the 
information in your cache for the .com domain. Any subsequent requests to your 
DNS for a non-cached .com domain go to one of the webpower.com servers, which 
of course can't respond properly. The only cure is to set your DNS to accept 
authoritative answers only.

The first time, I was able to actually duplicate the situation and recovered 
the information below. The second time, the cache on the offending DNS had been 
cleared before I could get to it.

J.A. Coutts
Systems Engineer
Edsonet/TravPro
---------- 6/13/2000 --------------------------------------------
16:15:07   Reply from 205.188.185.18 about A-record for www.natural38dds.com.:
16:15:07   -> Authority: NS-record for natural38dds.com. = myifriendsns1.webpower.com.
16:15:07   -> Authority: NS-record for natural38dds.com. = myifriendsns2.webpower.com.
16:15:07   -> Additional: A-record for myifriendsns1.webpower.com. = 204.180.135.105
16:15:07   -> Additional: A-record for myifriendsns2.webpower.com. = 207.76.82.105
16:15:07   Sending request to myifriendsns1.webpower.com. (204.180.135.105) for A-record for www.natural38dds.com.
16:15:07   Reply from 204.180.135.105 about A-record for www.natural38dds.com.:
16:15:07   -> Answer: A-record for www.natural38dds.com. = 204.180.135.105
16:15:07   -> Authority: NS-record for com. = com.
16:15:07   -> Additional: A-record for com. = 204.180.135.105
16:15:07   Sending reply to 207.34.82.6 about A-record for www.natural38dds.com.:
16:15:07   -> Answer: A-record for www.natural38dds.com. = 204.180.135.105
16:15:07   -> Authority: NS-record for com. = com.
16:15:07   -> Additional: A-record for com. = 204.180.135.105

16:15:30   Request from 207.34.82.130 for A-record for store.traders.com.
16:15:30   Sending request to com. (204.180.135.105) for A-record for store.traders.com.
16:15:30   Reply from 204.180.135.105 about A-record for store.traders.com.:
16:15:30   -> Header: Name does not exist!
16:15:30   -> Authority: SOA-record for com. = com. (Serial 92)
16:15:30   Sending reply to 207.34.82.130 about A-record for store.traders.com.:
16:15:30   -> Header: Name does not exist!
16:15:30   -> Authority: SOA-record for com. = com. (Serial 92)
----------------------------------------------
Authoritative Answer: No
Recursion Available: Yes

Answer:
No SOA-Records exist for www.natural38dds.com

Authority:
SOA-record for com. = com.
    Responsible Person = root at com.
    Serial Number = 92
    Refresh Interval = 3 Hours
    Retry Interval = 15 Minutes
    Expire Interval = 7 Days
    Default / Minimum TTL = 1 Day
    TTL = 23 Hours, 59 Minutes, 43 Seconds
----------------------------------------------------

Authoritative Answer: No
Recursion Available: Yes

Answer:
No NS-Records exist for www.natural38dds.com

Authority:
SOA-record for com. = com.
    Responsible Person = root at com.
    Serial Number = 92
    Refresh Interval = 3 Hours
    Retry Interval = 15 Minutes
    Expire Interval = 7 Days
    Default / Minimum TTL = 1 Day
    TTL = 1 Day

----------------------------------------------------
Authoritative Answer: No
Recursion Available: Yes

Answer:
A-record for www.natural38dds.com. = 204.180.135.105
    TTL = 10 Seconds

Authority:
NS-record for com. = com.
    TTL = 1 Day

Additional:
A-record for com. = 204.180.135.105
    TTL = 1 Day
****************** SECOND INCIDENT ****************
-------------------- July 6, 2000 --------------------------
12:04:16   Sending request to ns2.escape.ca. (198.163.232.254) for A-record for finelinecommunications.com.
12:04:16   Reply from 198.163.232.254 about A-record for finelinecommunications.com.:
12:04:16   -> Authority: NS-record for com. = myifriendsns1.webpower.com.
12:04:16   -> Additional: A-record for myifriendsns1.webpower.com. = 204.180.135.105
12:04:17   ** Error: Lame delegation for finelinecommunications.com. on ns2.escape.ca. (198.163.232.254)
12:04:17   Sending request to ns1.escape.ca. (198.163.232.253) for A-record for finelinecommunications.com.
12:04:17   Reply from 198.163.232.253 about A-record for finelinecommunications.com.:
12:04:17   -> Authority: NS-record for com. = myifriendsns1.webpower.com.
12:04:17   -> Additional: A-record for myifriendsns1.webpower.com. = 204.180.135.105
12:04:17   ** Error: Lame delegation for finelinecommunications.com. on ns1.escape.ca. (198.163.232.253)
12:04:17   Sending reply to 207.34.82.5 about A-record for finelinecommunications.com.:
12:04:17   -> Header: Server Failure.
----------------------------------------------
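The poisoning in the 6/13/2000 log works only because the resolver cached an authority record (`com. NS com.`) from a server that had been delegated nothing more than natural38dds.com. The bailiwick check below is an added example, not code from this post or from BIND: it replays the two replies from that log and shows which records a resolver should refuse to cache. The `RR` class, the section labels and the constructed reply lists are assumptions made for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    """One resource record from a reply section (constructed, simplified)."""
    section: str  # "answer", "authority" or "additional"
    name: str     # owner name
    rtype: str    # "A", "NS", "SOA", ...
    rdata: str


def canon(name: str) -> str:
    """Lower-case and force a trailing dot so name comparisons are exact."""
    return name.lower().rstrip(".") + "."


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` equals `zone` or lies below it; the root covers all."""
    n, z = canon(name), canon(zone)
    return z == "." or n == z or n.endswith("." + z)


def filter_reply(zone: str, reply: list) -> tuple:
    """Split a reply into records a resolver may cache and ones it must drop.

    `zone` is the zone the queried server was delegated for this lookup.
    Authority and additional records owned outside that zone are rejected;
    the answer section is left to the normal query-name matching check.
    """
    keep, drop = [], []
    for rr in reply:
        if rr.section == "answer" or in_bailiwick(rr.name, zone):
            keep.append(rr)
        else:
            drop.append(rr)
    return keep, drop


# Constructed from the log: reply of the .com server (205.188.185.18),
# which is delegated "com.", so everything it sent is in bailiwick.
GOOD_REPLY = [
    RR("authority", "natural38dds.com.", "NS", "myifriendsns1.webpower.com."),
    RR("authority", "natural38dds.com.", "NS", "myifriendsns2.webpower.com."),
    RR("additional", "myifriendsns1.webpower.com.", "A", "204.180.135.105"),
    RR("additional", "myifriendsns2.webpower.com.", "A", "207.76.82.105"),
]
# Constructed from the log: reply of 204.180.135.105, delegated only
# "natural38dds.com.", yet claiming the NS and glue for "com." itself.
BAD_REPLY = [
    RR("answer", "www.natural38dds.com.", "A", "204.180.135.105"),
    RR("authority", "com.", "NS", "com."),
    RR("additional", "com.", "A", "204.180.135.105"),
]
```

Run `filter_reply("natural38dds.com.", BAD_REPLY)` and only the answer survives; the two `com.` records that overwrote the .com NS list in the cache are dropped.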