Bind 8.2.2-P5 picking up bogus .com NS list
John Coutts
administrator at yellowhead.com
Thu Aug 17 15:37:39 UTC 2000
In article <20000816131815.A17952 at zwitterion.humbug.org.au>,
suter at zwitterion.humbug.org.au says...
>
>Folks,
>
>I am one of the System Administrators at The University of
>Queensland. Yesterday evening, I noticed the following.
>
> ; <<>> DiG 2.2 <<>> @cuscus.cc.uq.edu.au com ns=20
> ;; res options: init recurs defnam dnsrch
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46126
> ;; flags: qr rd ra; Ques: 1, Ans: 1, Auth: 0, Addit: 1
> ;; QUESTIONS:
> ;; com, type = NS, class = IN
>
> ;; ANSWERS:
> com. 10427 NS myifriendsns1.webpower.com.
>
> ;; ADDITIONAL RECORDS:
> myifriendsns1.webpower.com. 85003 A 204.180.135.105
>
> ;; Total query time: 2 msec
> ;; FROM: cuscus.cc.uq.edu.au to SERVER: cuscus.cc.uq.edu.au 130.102.128.43
> ;; WHEN: Tue Aug 15 22:09:44 2000
> ;; MSG SIZE sent: 21 rcvd: 74
>
*************** SEPARATOR *****************
I complained about this situation long ago and couldn't get anyone to
listen. We have been hit twice, and both times the only common link was
webpower.com. The problem originates when a fictitious domain is registered and
points to a DNS that the hacker has access to. The hacker then somehow loads
the DNS records in the cache of the targeted DNS claiming to have authority for
the .com domain. When someone in your domain requests the fictitious site, it
then supplies a non-authoritative response to your DNS and replaces the
information in your cache for the .com domain. Any subsequent requests to your
DNS for a non-cached .com domain go to one of the webpower.com servers, which
of course can't respond properly. The only cure is to set your DNS to accept
authoritative answers only.
The first time, I was able to actually duplicate the situation and recovered
the information below. The second time, the cache on the offending DNS had been
cleared before I could get to it.
J.A. Coutts
Systems Engineer
Edsonet/TravPro
---------- 6/13/2000 --------------------------------------------
16:15:07 Reply from 205.188.185.18 about A-record for www.natural38dds.com.:
16:15:07 -> Authority: NS-record for natural38dds.com. =
myifriendsns1.webpower.com.
16:15:07 -> Authority: NS-record for natural38dds.com. =
myifriendsns2.webpower.com.
16:15:07 -> Additional: A-record for myifriendsns1.webpower.com. =
204.180.135.105
16:15:07 -> Additional: A-record for myifriendsns2.webpower.com. =
207.76.82.105
16:15:07 Sending request to myifriendsns1.webpower.com. (204.180.135.105) for
A-record for www.natural38dds.com.
16:15:07 Reply from 204.180.135.105 about A-record for www.natural38dds.com.:
16:15:07 -> Answer: A-record for www.natural38dds.com. = 204.180.135.105
16:15:07 -> Authority: NS-record for com. = com.
16:15:07 -> Additional: A-record for com. = 204.180.135.105
16:15:07 Sending reply to 207.34.82.6 about A-record for
www.natural38dds.com.:
16:15:07 -> Answer: A-record for www.natural38dds.com. = 204.180.135.105
16:15:07 -> Authority: NS-record for com. = com.
16:15:07 -> Additional: A-record for com. = 204.180.135.105
16:15:30 Request from 207.34.82.130 for A-record for store.traders.com.
16:15:30 Sending request to com. (204.180.135.105) for A-record for
store.traders.com.
16:15:30 Reply from 204.180.135.105 about A-record for store.traders.com.:
16:15:30 -> Header: Name does not exist!
16:15:30 -> Authority: SOA-record for com. = com. (Serial 92)
16:15:30 Sending reply to 207.34.82.130 about A-record for
store.traders.com.:
16:15:30 -> Header: Name does not exist!
16:15:30 -> Authority: SOA-record for com. = com. (Serial 92)
----------------------------------------------
Authoritative Answer: No
Recursion Available: Yes
Answer:
No SOA-Records exist for www.natural38dds.com
Authority:
SOA-record for com. = com.
Responsible Person = root at com.
Serial Number = 92
Refresh Interval = 3 Hours
Retry Interval = 15 Minutes
Expire Interval = 7 Days
Default / Minimum TTL = 1 Day
TTL = 23 Hours, 59 Minutes, 43 Seconds
----------------------------------------------------
Authoritative Answer: No
Recursion Available: Yes
Answer:
No NS-Records exist for www.natural38dds.com
Authority:
SOA-record for com. = com.
Responsible Person = root at com.
Serial Number = 92
Refresh Interval = 3 Hours
Retry Interval = 15 Minutes
Expire Interval = 7 Days
Default / Minimum TTL = 1 Day
TTL = 1 Day
----------------------------------------------------
Authoritative Answer: No
Recursion Available: Yes
Answer:
A-record for www.natural38dds.com. = 204.180.135.105
TTL = 10 Seconds
Authority:
NS-record for com. = com.
TTL = 1 Day
Additional:
A-record for com. = 204.180.135.105
TTL = 1 Day
****************** SECOND INCIDENT ****************
-------------------- July 6, 2000 --------------------------
12:04:16 Sending request to ns2.escape.ca. (198.163.232.254) for A-record for
finelinecommunications.com.
12:04:16 Reply from 198.163.232.254 about A-record for
finelinecommunications.com.:
12:04:16 -> Authority: NS-record for com. = myifriendsns1.webpower.com.
12:04:16 -> Additional: A-record for myifriendsns1.webpower.com. =
204.180.135.105
12:04:17 ** Error: Lame delegation for finelinecommunications.com. on
ns2.escape.ca. (198.163.232.254)
12:04:17 Sending request to ns1.escape.ca. (198.163.232.253) for A-record for
finelinecommunications.com.
12:04:17 Reply from 198.163.232.253 about A-record for
finelinecommunications.com.:
12:04:17 -> Authority: NS-record for com. = myifriendsns1.webpower.com.
12:04:17 -> Additional: A-record for myifriendsns1.webpower.com. =
204.180.135.105
12:04:17 ** Error: Lame delegation for finelinecommunications.com. on
ns1.escape.ca. (198.163.232.253)
12:04:17 Sending reply to 207.34.82.5 about A-record for
finelinecommunications.com.:
12:04:17 -> Header: Server Failure.
----------------------------------------------
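The logs above show the mechanism in one reply: the server delegated for natural38dds.com. answers the A query but also hands back "NS-record for com. = com." in the authority section and a matching glue A record. A resolver that trusts every record it receives overwrites its .com NS list with that. The following is an added example, not code from the post or from BIND, that models a resolver cache with and without a bailiwick check (keep only records at or below the zone the queried server was delegated for) and then scans log lines in the poster's format for NS records of a TLD that are not in an expected set. "ns.example." stands in for the real .com name servers, and SAMPLE_LOG is constructed from lines that appear in the post.

```python
"""Bailiwick check for a recursive resolver's cache.

Added illustration for this post, not code from BIND or from the poster. It
models the cache as a dict of RRsets and replays the 16:15:07 reply from the
first incident. A cache that trusts every record it is handed overwrites its
.com NS list; a cache that keeps only records at or below the zone it asked
about keeps the real list. suspicious_tld_ns() scans log lines in the poster's
format for NS records of a TLD that are not in an expected set.
"ns.example." is a placeholder for the real .com name servers.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str    # owner name, fully qualified with trailing dot
    rtype: str   # "NS", "A", ...
    rdata: str


def _labels(name):
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def in_bailiwick(name, zone):
    """True if `name` is `zone` itself or a name below it."""
    n, z = _labels(name), _labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


def cache_response(cache, records, queried_zone, bailiwick_check=True):
    """Merge a response into `cache` (dict keyed by (name, rtype) -> [rdata]).

    `queried_zone` is the zone whose delegation led us to this server, so it is
    the only zone the server is credible for. With bailiwick_check=False every
    record is accepted, which is the behaviour the post describes; with the
    check, out-of-zone records are dropped and returned for logging. An RRset
    in the response replaces the cached RRset of the same name and type.
    """
    accepted, rejected = {}, []
    for rr in records:
        if bailiwick_check and not in_bailiwick(rr.name, queried_zone):
            rejected.append(rr)
            continue
        accepted.setdefault((rr.name, rr.rtype), []).append(rr.rdata)
    cache.update(accepted)
    return rejected


# Constructed from the 16:15:07 reply in the post (answer, authority, additional).
POISONED_REPLY = [
    RR("www.natural38dds.com.", "A", "204.180.135.105"),
    RR("com.", "NS", "com."),
    RR("com.", "A", "204.180.135.105"),
]


def resolve_with(bailiwick_check):
    """Return (cached .com NS list, names of rejected records) after the reply."""
    cache = {("com.", "NS"): ["ns.example."]}  # placeholder for the real .com NS set
    rejected = cache_response(cache, POISONED_REPLY, "natural38dds.com.",
                              bailiwick_check)
    return cache[("com.", "NS")], [rr.name for rr in rejected]


# Detection over resolver log lines in the poster's format.
LOG_RR = re.compile(r"-> (Authority|Additional): (NS|A)-record for (\S+) = (\S+)")


def suspicious_tld_ns(log_lines, tld, known_ns):
    """Return (line, rdata) for NS records of `tld` whose rdata is not expected."""
    known = {n.lower() for n in known_ns}
    hits = []
    for line in log_lines:
        m = LOG_RR.search(line)
        if (m and m.group(2) == "NS" and m.group(3).lower() == tld.lower()
                and m.group(4).lower() not in known):
            hits.append((line.strip(), m.group(4)))
    return hits


# Constructed sample, taken from lines in the post (wrapped lines rejoined).
SAMPLE_LOG = """\
16:15:07 -> Authority: NS-record for natural38dds.com. = myifriendsns1.webpower.com.
16:15:07 -> Authority: NS-record for com. = com.
12:04:16 -> Authority: NS-record for com. = myifriendsns1.webpower.com.
12:04:16 -> Additional: A-record for myifriendsns1.webpower.com. = 204.180.135.105
""".splitlines()


if __name__ == "__main__":
    print("no check  :", resolve_with(False))
    print("with check:", resolve_with(True))
    for line, rdata in suspicious_tld_ns(SAMPLE_LOG, "com.", {"ns.example."}):
        print("foreign .com NS", rdata, "<-", line)
```

Without the check the cached .com NS set becomes ["com."], which is the state both dig and the second incident's "Lame delegation" errors show. With the check the two com. records are rejected and the original list survives; the log scan flags both "com." and "myifriendsns1.webpower.com." as NS values for com. that do not belong there, which is the condition worth alerting on in a resolver's logs.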