Bugtraq mailing list archives
Re: International DNS compromise?
From: john <john () pond-weed com>
Date: Thu, 5 Aug 2004 19:22:43 +0100
On Wed, 4 Aug 2004 22:11:01 -0700 (PDT) Zhen Shi <zhenshi99 () yahoo com> wrote:
Dear all,

Recently I noticed something fishy in the DNS system between US and China. First, any IPs, dead or live, in China will respond to your DNS query for some domains. For example (screen shot with some clean-up and comments):

    C:\>nslookup
    > server 210.77.0.0        <=== pick a random IP in China
    Default Server: [210.77.0.0]
    Address: 210.77.0.0

    > www.rfa.org
    Server: [210.77.0.0]
    Address: 210.77.0.0

    Non-authoritative answer:
    Name: www.rfa.org
    Address: 203.105.1.21      <=== you got response!!!!

Second, every time the response is different:

    > www.rfa.org
    Server: [210.77.0.0]
    Address: 210.77.0.0

    Non-authoritative answer:
    Name: www.rfa.org
    Address: 64.66.163.251
<snip>
It looks like it all works OK with most domain names. But rfa.org is the sort of site the Chinese would want to censor. Evidently this is part of their strategy for doing that. This has the side-effect that you could discover the list of sites being censored by systematically comparing DNS replies from a server in China with those from an uncompromised server.

John
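The comparison described in the reply above, as an added example that is not part of the original message: it classifies recorded DNS observations offline, flagging a name when an address that should not answer DNS at all returns data that disagrees with a trusted resolver. The `probe`/`trusted` labels, the verdict names and every address except the two www.rfa.org answers quoted in the session are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample observations: (domain, vantage, answer IP or None).
# "probe"   = query sent to an address that should not answer DNS at all
#             (the "dead or live" IPs of the quoted message).
# "trusted" = a resolver you control on an untampered path.
# The two www.rfa.org probe answers come from the quoted session; all other
# addresses are RFC 5737 documentation addresses used as placeholders.
SAMPLE = [
    ("www.rfa.org", "probe", "203.105.1.21"),
    ("www.rfa.org", "probe", "64.66.163.251"),
    ("www.rfa.org", "trusted", "192.0.2.10"),
    ("www.rfa.org", "trusted", "192.0.2.10"),
    ("example.org", "probe", None),             # timeout: nothing answered
    ("example.org", "trusted", "198.51.100.7"),
    ("example.net", "probe", None),
    ("example.net", "trusted", "203.0.113.5"),
    ("example.net", "trusted", "203.0.113.6"),  # round-robin, still consistent
]

def classify(observations):
    """Return {domain: verdict} by comparing probe and trusted answers."""
    probe, trusted = defaultdict(list), defaultdict(set)
    for domain, vantage, ip in observations:
        if vantage == "probe":
            probe[domain].append(ip)
        elif ip is not None:
            trusted[domain].add(ip)
    verdicts = {}
    for domain in sorted(set(probe) | set(trusted)):
        answered = [ip for ip in probe[domain] if ip is not None]
        if not answered:
            verdicts[domain] = "clean"    # non-resolver stayed silent, as expected
        elif set(answered) & trusted[domain]:
            verdicts[domain] = "unclear"  # matches trusted data; may be a real resolver
        else:
            # Something answered on behalf of a host that runs no resolver,
            # and the data disagrees with the trusted view.
            unstable = len(set(answered)) > 1
            verdicts[domain] = "injected-unstable" if unstable else "injected"
    return verdicts

if __name__ == "__main__":
    for name, verdict in classify(SAMPLE).items():
        print(f"{name:15} {verdict}")
```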