Bugtraq mailing list archives

Re: International DNS compromise?

From: "Troy" <tjk () tksoft com>
Date: Thu, 5 Aug 2004 10:49:39 -0700 (PDT)

It's probably the ISP you are using.
They are intercepting DNS requests and returning their
own replies. It could be something malicious, but it could
just as well be the ISP saving bandwidth by caching DNS queries.
If they cache DNS queries they probably cache www queries as
well. This is very common among ISPs outside the U.S., since
traffic out of the country tends to be a lot more expensive
than domestic traffic.

DNS is only as trustworthy as the companies who control
your network and those networks connected to it. The same
is true in China and everywhere else, including the U.S.



Troy


Dear all,
  Recently I noticed something fishy in the DNS system
between US and China. 
  First, any IPs, dead or live, in China will respond
to your DNS query for some domains. For example
(screen shot with some clean-up and comments): 

C:\>nslookup

server 210.77.0.0     <=== pick a random IP     in

China 
Default Server:  [210.77.0.0]
Address:  210.77.0.0

www.rfa.org

Server:  [210.77.0.0]
Address:  210.77.0.0

Non-authoritative answer:
Name:    www.rfa.org
Address:  203.105.1.21  <=== you got response!!!!

  Second, every time the response is different:

www.rfa.org

Server:  [210.77.0.0]
Address:  210.77.0.0

Non-authoritative answer:
Name:    www.rfa.org
Address:  64.66.163.251

www.rfa.org


Non-authoritative answer:
Name:    www.rfa.org
Address:  64.33.99.47

www.rfa.org


Non-authoritative answer:
Name:    www.rfa.org
Address:  128.121.126.139

 Third, you can even get response from non-exist host
names:

nosuchhost.rfa.org

Server:  [210.77.0.0]
Address:  210.77.0.0

Non-authoritative answer:
Name:    nosuchhost.rfa.org
Address:  65.104.202.252

nosuchhost.rfa.org


Non-authoritative answer:
Name:    nosuchhost.rfa.org
Address:  64.33.99.47

  What on earth is really going on here? It seems the
DNS system is messed up between US and China, and its
integrity is compromised. People can be unknowingly
redirected to any where ... 

--Zhen



              
__________________________________
Do you Yahoo!?
Take Yahoo! Mail with you! Get it on your mobile phone.
http://mobile.yahoo.com/maildemo

Current thread:

International DNS compromise? Zhen Shi (Aug 05)
- Re: International DNS compromise? john (Aug 05)
- Re: International DNS compromise? John Kinsella (Aug 05)
- <Possible follow-ups>
- Re: International DNS compromise? Troy (Aug 05)
  - Re: International DNS compromise? Rio Martin. (Aug 06)
  - Re: International DNS compromise? Danny (Aug 06)
  - Re: International DNS compromise? John F. Waymouth (Aug 06)
- RE: International DNS compromise? travis . alexander (Aug 05)
  - RE: International DNS compromise? Troy Monaghen (Aug 06)
- Re: International DNS compromise? bill (Aug 06)
- RE: International DNS compromise? Mike Clark (Aug 06)
- RE: International DNS compromise? Johan Nilsson (Aug 06)
- Re: International DNS compromise? Troy (Aug 06)