Is this a DNS security hole?
Joern Heissler
joern at heissler.de
Fri Apr 30 20:47:45 UTC 2004
On Fri, Apr 30, 2004 at 05:59:23PM +0000, Ivan Yonge wrote:
> First of all, I am not an expert in DNS... that's why I am here to ask for
> help. Don't laugh at me if I am wrong.
>
> I have tested this with my domain, this seems like a security hole to me. My
> domain is registered with Register.com
>
> 1. Go to Register.com, login to my account (say "mycompany.com", doesn't
> matter)
> 2. Add a new DNS entry
> 3. They will ask for HOST NAME and IP ADDRESS (they used to ask for HOST name
> only, not IP).
> 4. Type host="testing.victim.com" (the host of the victim)
> 5. Type ip="24.102.80.12" (the IP address I want to point to, I just made
> it up)
> 6. submit
> 7. After 24 hours, all the world's DNS servers will resolve
> testing.victim.com as 24.102.80.12. If you PING testing.victim.com from any
> server in the world, say network-tools.com, it gives you 24.102.80.12
>
> This is not good, now "testing.victim.com" is tied to the IP address, it
> doesn't even try to resolve it from "victim.com"'s DNS server..... why is
> this happening?? I have used http://network-tools.com/nslook/Default.asp
> to verify my result..
>
> If this is true, anyone can hijack other people's domain names using DNS and
> point them to his IP address? This is scary..
>
> Help..
Hi Ivan,
I'm unable to check this, for I don't have a register.com account.
If you're right (which I hope you aren't!) I can think of these
possibilities:
- register.com has access to the NS of victim.com (e.g. victim.com's NS
is ns.register.com)
- register.com makes the entries in the gtld servers (root servers for
.com tld)
Technically this is possible and is not unusual (e.g. add an A record for
ns.victim.com)
Is victim.com registered through register.com too? If not, it's a
*very* serious problem, since any .com registrar could add arbitrary
DNS records to arbitrary domains.
When it is registered through register.com, it's only their security
bug.
hth :)
br
Joern Heissler
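As an added example that is not part of this thread: one way to check the claim above is to compare the A records the .com (gTLD) servers hand out in their additional section with what the zone's own authoritative server answers. A name that exists only at the parent, like testing.victim.com below, is exactly the case Joern describes. The dig output here is constructed, and ns1.victim.com is an assumed name server.

```python
import re
from collections import defaultdict

# Constructed sample output, in the shape of
#   dig +norecurse @a.gtld-servers.net testing.victim.com A   (additional section)
# and
#   dig @ns1.victim.com testing.victim.com A                   (answer section).
# ns1.victim.com and 192.0.2.53 are assumed values; 24.102.80.12 is the
# address from the original post.
PARENT_GLUE = """\
testing.victim.com.   172800  IN  A   24.102.80.12
ns1.victim.com.       172800  IN  A   192.0.2.53
"""
AUTHORITATIVE = """\
ns1.victim.com.       3600    IN  A   192.0.2.53
"""

# owner  ttl  IN  A|AAAA  address   (dig separates the fields with tabs/spaces)
RR_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(A|AAAA)\s+(\S+)$")


def parse_rrs(text):
    """Return {owner_name: set(addresses)} from dig-style A/AAAA lines.
    Names are lower-cased and the trailing dot is dropped so that the two
    sources compare cleanly; non-matching lines (comments, NS, SOA) are ignored."""
    rrs = defaultdict(set)
    for line in text.splitlines():
        m = RR_LINE.match(line.strip())
        if m:
            rrs[m.group(1).lower().rstrip(".")].add(m.group(3))
    return rrs


def find_rogue_glue(parent_text, auth_text):
    """Report names the parent (TLD) servers hand out that the zone's own
    authoritative servers either do not know at all or map to other addresses.
    Returns {name: (reason, sorted list of the offending addresses)}."""
    parent = parse_rrs(parent_text)
    auth = parse_rrs(auth_text)
    findings = {}
    for name, addrs in parent.items():
        if name not in auth:
            findings[name] = ("not in authoritative zone", sorted(addrs))
        elif addrs != auth[name]:
            # symmetric difference: addresses present on only one side
            findings[name] = ("address mismatch", sorted(addrs ^ auth[name]))
    return findings


if __name__ == "__main__":
    for name, (reason, addrs) in find_rogue_glue(PARENT_GLUE, AUTHORITATIVE).items():
        print(f"{name}: {reason} {addrs}")
```

Run against real dig output, a name that only ever shows up as parent-side glue is the thing to raise with the registrar, since the zone owner never published it.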