nanog mailing list archives
Re: has anyone notice this ?
From: Paul Vixie <vixie () vix com>
Date: 30 Jun 2003 02:42:04 +0000
jay () west net (Jay Hennigan) writes:
Is Time-Warner associated with Charter Communications? There's a thread on Slashdot about their name servers being hijacked to point all requests to a set of rogue proxy servers.
s/name/dhcp/. specifically, the article states: Of course, under Windows, the default is to accept the default dns domain specified by a DHCP server for the PC's ethernet connection. There are settings to disable this, but I hadn't thought about it until now. It turns out, Charter Communications' DHCP servers were infiltrated and were providing p5115.tdko.com as the 'Connection-specific DNS suffix', causing all non-hardened Windows (whatever that means in a Windows context) machines to get lookups from a hijacked subdomain DNS server which simply responded to every query with a set of 3 addresses (66.220.17.45, 66.220.17.46, 66.220.17.47). ... i suspect that a dhcp client's willingness to install a "dns search list" from the dhcp reply is universal (and not just limited to windows clients) and i've always thought this was a terrible idea. if i type "ssh foo" then i want foo.vix.com, no matter who the local dhcp server was configured by. but when i went about removing this sick behaviour from isc dhcp, it turned out that many people depend on dhcp to get the only "dns search list" they ever have. the world seems very strange to me sometimes. -- Paul Vixie
Current thread:
- has anyone notice this ? Vicky Rode (Jun 28)
- Re: has anyone notice this ? Jay Hennigan (Jun 28)
- RE: has anyone notice this ? Vicky Rode (Jun 28)
- RE: has anyone notice this ? David A. Ulevitch (Jun 28)
- RE: has anyone notice this ? Vicky Rode (Jun 28)
- RE: has anyone notice this ? Todd Mitchell - lists (Jun 28)
- RE: has anyone notice this ? Vicky Rode (Jun 29)
- RE: has anyone notice this ? Vicky Rode (Jun 28)
- Re: has anyone notice this ? Jay Hennigan (Jun 28)
- RE: has anyone notice this ? Jay Hennigan (Jun 28)
- RE: has anyone notice this ? Vicky Rode (Jun 29)
- RE: has anyone notice this ? Jay Hennigan (Jun 29)
- Re: has anyone notice this ? Paul Vixie (Jun 29)
- User security or ISP security (was RE: has anyone notice this ?) Sean Donelan (Jun 30)
- Re: has anyone notice this ? Scott Francis (Jun 30)