Re: International DNS compromise?

[<bill () dit-inc us>]

In-Reply-To: <20040805192243.7826e6b9.john () pond-weed com>

This is from China's "Great Firewall" sniffering their 54Gbps International traffic. 

I presented some detailes at the HOPE conference in NYC last month. I posted the presentaion here: 
http://www.dit-inc.us/report/hope2004/cover.htm (click on the image to get in)

Regarding this DNS hijacking thing, it is worth mentioning that root DNS server in China may hijack query from 
neighbouring countries as well.

The black list for DNS hijacking is very small. TCP session hijacking list is longer, IP blocking blacklist is the 
longest.

Bill

> Received: (qmail 28891 invoked from network); 5 Aug 2004 18:45:36 -0000
> Received: from outgoing.securityfocus.com (HELO outgoing3.securityfocus.com) (205.206.231.27)
>  by mail.securityfocus.com with SMTP; 5 Aug 2004 18:45:36 -0000
> Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
>       by outgoing3.securityfocus.com (Postfix) with QMQP
>       id 03627236F36; Thu,  5 Aug 2004 12:47:21 -0600 (MDT)
> Mailing-List: contact bugtraq-help () securityfocus com; run by ezmlm
> Precedence: bulk
> List-Id: <bugtraq.list-id.securityfocus.com>
> List-Post: <mailto:bugtraq () securityfocus com>
> List-Help: <mailto:bugtraq-help () securityfocus com>
> List-Unsubscribe: <mailto:bugtraq-unsubscribe () securityfocus com>
> List-Subscribe: <mailto:bugtraq-subscribe () securityfocus com>
> Delivered-To: mailing list bugtraq () securityfocus com
> Delivered-To: moderator for bugtraq () securityfocus com
> Received: (qmail 28021 invoked from network); 5 Aug 2004 12:14:21 -0000
> Date: Thu, 5 Aug 2004 19:22:43 +0100
> From: john <john () pond-weed com>
> To: bugtraq () securityfocus com
> Subject: Re: International DNS compromise?
> Message-Id: <20040805192243.7826e6b9.john () pond-weed com>
> In-Reply-To: <20040805051101.18767.qmail () web13702 mail yahoo com>
> References: <Pine.LNX.4.58.0407232020010.3889 () pluto physik uni-wuerzburg de>
>       <20040805051101.18767.qmail () web13702 mail yahoo com>
> X-Mailer: Sylpheed version 0.8.11claws (GTK+ 1.2.10; i686-pc-linux-gnu)
> Mime-Version: 1.0
> Content-Type: text/plain; charset=US-ASCII
> Content-Transfer-Encoding: 7bit
>
> On Wed, 4 Aug 2004 22:11:01 -0700 (PDT)
> Zhen Shi <zhenshi99 () yahoo com> wrote:
>
> > Dear all,
> >   Recently I noticed something fishy in the DNS system
> > between US and China. 
> >   First, any IPs, dead or live, in China will respond
> > to your DNS query for some domains. For example
> > (screen shot with some clean-up and comments): 
> >
> > C:\>nslookup
> >
> > > server 210.77.0.0     <=== pick a random IP     in
> > China 
> > Default Server:  [210.77.0.0]
> > Address:  210.77.0.0
> >
> > > www.rfa.org
> > Server:  [210.77.0.0]
> > Address:  210.77.0.0
> >
> > Non-authoritative answer:
> > Name:    www.rfa.org
> > Address:  203.105.1.21  <=== you got response!!!!
> >
> >   Second, every time the response is different: 
> >
> > > www.rfa.org
> > Server:  [210.77.0.0]
> > Address:  210.77.0.0
> >
> > Non-authoritative answer:
> > Name:    www.rfa.org
> > Address:  64.66.163.251
>
> > <snip>
>
> It looks like it all works OK with most domain names. But rfa.org is the
> sort of site the Chinese would want to censor. Evidently this is part of
> their strategy for doing that.
>
> This has the side-effect that you could discover the list of sites being
> censored by systematically comparing DNS replies from a server in China
> with those from an uncompromised server.
>
> John