Bugtraq mailing list archives
Re: International DNS compromise?
From: "Troy" <tjk () tksoft com>
Date: Thu, 5 Aug 2004 10:49:39 -0700 (PDT)
It's probably the ISP you are using. They are intercepting DNS requests and returning their own replies. It could be something malicious, but it could just as well be the ISP saving bandwidth by caching DNS queries. If they cache DNS queries they probably cache www queries as well. This is very common among ISPs outside the U.S., since traffic out of the country tends to be a lot more expensive than domestic traffic. DNS is only as trustworthy as the companies who control your network and those networks connected to it. The same is true in China and everywhere else, including the U.S.

Troy
Dear all,

Recently I noticed something fishy in the DNS system between US and China.

First, any IPs, dead or live, in China will respond to your DNS query for some domains. For example (screen shot with some clean-up and comments):

C:\>nslookup
> server 210.77.0.0          <=== pick a random IP in China
Default Server:  [210.77.0.0]
Address:  210.77.0.0

> www.rfa.org
Server:  [210.77.0.0]
Address:  210.77.0.0

Non-authoritative answer:
Name:    www.rfa.org
Address:  203.105.1.21       <=== you got response!!!!

Second, every time the response is different:

> www.rfa.org
Server:  [210.77.0.0]
Address:  210.77.0.0

Non-authoritative answer:
Name:    www.rfa.org
Address:  64.66.163.251

> www.rfa.org
Non-authoritative answer:
Name:    www.rfa.org
Address:  64.33.99.47

> www.rfa.org
Non-authoritative answer:
Name:    www.rfa.org
Address:  128.121.126.139

Third, you can even get a response for non-existent host names:

> nosuchhost.rfa.org
Server:  [210.77.0.0]
Address:  210.77.0.0

Non-authoritative answer:
Name:    nosuchhost.rfa.org
Address:  65.104.202.252

> nosuchhost.rfa.org
Non-authoritative answer:
Name:    nosuchhost.rfa.org
Address:  64.33.99.47

What on earth is really going on here? It seems the DNS system is messed up between US and China, and its integrity is compromised. People can be unknowingly redirected to anywhere ...

--Zhen
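The three symptoms in Zhen's nslookup session (a host that is not a resolver answers at all, a different address on every repeat of the same query, and an answer for a name that should not exist) can be checked mechanically rather than by eye. The script below is an added example and is not code from this thread or from any of its posters: it encodes and decodes minimal RFC 1035 A-record messages, then applies those three heuristics to a list of probe observations. Every address, name and response in it is constructed in-process using documentation ranges (not the hosts in the thread), so it runs offline; the field names `target`, `is_resolver`, `should_exist` and the symptom labels are this example's own choices.

```python
"""Heuristic check for transparent DNS interception, based on the symptoms
described in the thread: (1) hosts that are not resolvers still answer,
(2) repeated queries for one name return unrelated addresses, and
(3) names that should not exist resolve instead of returning NXDOMAIN.
Wire encoding follows RFC 1035. All responses are constructed in-process;
nothing is sent on the network (constructed example data)."""
import struct
from collections import defaultdict

NOERROR, NXDOMAIN = 0, 3


def encode_name(name):
    # "www.example.org" -> b"\x03www\x07example\x03org\x00"
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(txid, qname):
    # Header: id, flags (RD set), qdcount=1; then one A/IN question.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)


def build_response(txid, qname, ips, rcode=NOERROR):
    # Constructed reply: echoes the question, then one A record per address.
    flags = 0x8180 | rcode  # QR, RD, RA set; AA clear (non-authoritative)
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(ips), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)
    for ip in ips:
        # 0xC00C is a compression pointer to the question name at offset 12.
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
        msg += bytes(int(o) for o in ip.split("."))
    return msg


def skip_name(data, off):
    # Advance past a (possibly compressed) name; return the new offset.
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # pointer: two bytes, terminates the name
            return off + 2
        off += 1 + length


def parse_response(data):
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4  # qtype + qclass
    ips = []
    for _ in range(an):
        off = skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in data[off:off + 4]))
        off += rdlen
    return {"txid": txid, "rcode": flags & 0xF, "ips": ips}


def assess(observations):
    """observations: dicts with target (address probed), is_resolver (bool),
    qname, should_exist (bool), response (raw bytes, or None on timeout).
    Returns a sorted list of (symptom, detail) findings."""
    findings = set()
    seen = defaultdict(set)  # qname -> addresses returned across all probes
    for ob in observations:
        if ob["response"] is None:
            continue  # a timeout is the expected outcome for a non-resolver
        r = parse_response(ob["response"])
        if not ob["is_resolver"]:
            findings.add(("answer_from_non_resolver", ob["target"]))
        if r["rcode"] == NOERROR and r["ips"]:
            if not ob["should_exist"]:
                findings.add(("nonexistent_name_resolved", ob["qname"]))
            seen[ob["qname"]].update(r["ips"])
    for qname, ips in seen.items():
        if len(ips) > 1:
            findings.add(("inconsistent_answers", qname))
    return sorted(findings)


def demo():
    # Constructed scenario mirroring the thread: a non-resolver address answers,
    # returns a different address each time, and resolves a bogus label.
    bogus = "203.0.113.9"  # TEST-NET-3 stand-in for "a random IP" (constructed)
    obs = [
        {"target": bogus, "is_resolver": False, "qname": "www.example.org",
         "should_exist": True,
         "response": build_response(1, "www.example.org", ["198.51.100.21"])},
        {"target": bogus, "is_resolver": False, "qname": "www.example.org",
         "should_exist": True,
         "response": build_response(2, "www.example.org", ["198.51.100.47"])},
        {"target": bogus, "is_resolver": False, "qname": "nosuchhost.example.org",
         "should_exist": False,
         "response": build_response(3, "nosuchhost.example.org", ["198.51.100.252"])},
    ]
    return assess(obs)


if __name__ == "__main__":
    for symptom, detail in demo():
        print(f"{symptom}: {detail}")
```

In live use the `response` bytes would come from a UDP socket with a timeout, with `None` recorded when the probe times out, and `build_query` supplies the datagram to send; a clean network yields no findings because non-resolvers stay silent, repeated answers agree (or differ only within the set a legitimate load balancer returns), and a random label under the domain comes back NXDOMAIN. The `inconsistent_answers` heuristic is therefore a prompt to compare against the authoritative servers, not proof on its own.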
Current thread:
- International DNS compromise? Zhen Shi (Aug 05)
- Re: International DNS compromise? john (Aug 05)
- Re: International DNS compromise? John Kinsella (Aug 05)
- <Possible follow-ups>
- Re: International DNS compromise? Troy (Aug 05)
- Re: International DNS compromise? Rio Martin. (Aug 06)
- Re: International DNS compromise? Danny (Aug 06)
- Re: International DNS compromise? John F. Waymouth (Aug 06)
- RE: International DNS compromise? travis . alexander (Aug 05)
- RE: International DNS compromise? Troy Monaghen (Aug 06)
- Re: International DNS compromise? bill (Aug 06)
- RE: International DNS compromise? Mike Clark (Aug 06)
- RE: International DNS compromise? Johan Nilsson (Aug 06)
- Re: International DNS compromise? Troy (Aug 06)