Full Disclosure mailing list archives
Re: OpenDNS is acting improperly !!!
From: Jamie Riden <jamie.riden () gmail com>
Date: Sun, 1 Aug 2010 23:53:00 +0100
Yes, I believe anything which should be an NXDOMAIN from openDNS will get returned as an IP address of their web search service page. I don't particularly like it, but then I've always been a non-paying user of openDNS when I have required them, so I don't like to moan too loudly.

It's arguably a good thing when they subvert the actual DNS responses for known malware sites, so the whole service may not be the one for DNS purists.

I don't think it's quite the same as when Verisign did it, because we've all got a choice whether to use openDNS or not. And I suspect most of us use it free.

So, as you say, choose another provider or use the BIND wildcard/fake NXDOMAIN patch.

cheers,
Jamie

On 31 July 2010 18:03, Paulo Cesar Breim (PCB) <paulo () breim com br> wrote:
NSLookup has the same problem. Always return opendns IP.

paulo

On 31/07/2010, at 04:05, Jardel Weyrich wrote:

NXDOMAIN manipulation is an old concern. I believe it's being redirected for a long time now, but they allow registered users to opt-out, afaik. And there are many ISPs practicing this.

Additionally, if they're only manipulating A and AAAA records for NXDOMAIN responses, there should be no problem for an application that relies on existing domains. SERVFAIL must NOT be manipulated though.

Why are you using ping? Use nslookup and/or dig.

Here's a patch for BIND that allows you to BLACKLIST the IP addresses of the fake servers - http://sam.zoy.org/writings/internet/verisign/

And here's a draft on this matter - http://tools.ietf.org/html/draft-livingood-dns-redirect-00

Concluding, I'm not defending their approach - I don't like it too ;-)

-- jardel

On Fri, Jul 30, 2010 at 7:23 PM, Paulo Cesar Breim <paulo () breim com br> wrote:

Dear everyone,

People who have changed their DNS Server to use the popular OpenDNS (208.67.222.222; 208.67.220.220) are victims of a dangerous decision taken by OpenDNS.

When a user tries to access a non-existing host, OpenDNS manipulates the result and provides the user with its own IP address.

For example: Let us try to find the following server: “microsoft.apple.com”

If you are using OpenDNS and ping the above server this is what you get:

===================
PING microsoft.apple.com (67.215.65.132): 56data bytes
64 bytes from 67.215.65.132: icmp_seq=0 ttl=49 time=192.743 ms
64 bytes from 67.215.65.132: icmp_seq=1 ttl=49 time=194.997 ms
64 bytes from 67.215.65.132: icmp_seq=2 ttl=49 time=200.954 ms
^C
--- microsoft.apple.com ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 192.743/196.231/200.954/3.464 ms
===================

OpenDNS is telling the user that the server “microsoft.apple.com” not only exists but its IP address is 67.215.65.132 !!!

..and who is this IP? it is OPENDNS-NET-3.

If, instead, you use Google’s DNS and ping the above server, this is what you get:

===================
PCB-2:~ paulo$ ping microsoft.apple.com
ping: cannot resolve microsoft.apple.com: Unknown host
PCB-2:~ paulo$
===================

Which is the most adequate reply from the DNS server.

So my suggestion is that you should select and use a TRUE DNS Server.

Paulo Cesar Breim

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
--
Jamie Riden / jamie () honeynet org / jamie.riden () gmail com
http://uk.linkedin.com/in/jamieriden