nanog mailing list archives

Re: Need help in flushing DNS


From: George Herbert <george.herbert () gmail com>
Date: Fri, 21 Jun 2013 17:29:40 -0700

The indications and claim are that the root cause was registrar internal
goof, not hostile action against name servers.

The story is not yet detailed enough to add up; getting from point A to
point B requires steps that so far don't really make sense.  A more
detailed explanation is hopefully to be forthcoming...



On Fri, Jun 21, 2013 at 5:22 PM, Glen Kent <glen.kent () gmail com> wrote:

Hi,

Do we know which DNS server started leaking the poisoned entry?

Being new to this, I still don't understand how a hacker could gain access
to the DNS server and corrupt the entry there. Wouldn't it require special
admin rights, etc. to log in?

Glen


On Thu, Jun 20, 2013 at 11:32 AM, Paul Ferguson <fergdawgster () gmail com> wrote:

Hanlon's razor? Misconfiguration. Perhaps not done in malice, but I
have no idea where the poison leaked in, or why. :-)

- ferg

On Wed, Jun 19, 2013 at 10:49 PM, Alex Buie <alex.buie () frozenfeline net> wrote:

Anyone have news/explanation about what's happening/happened?


On Wed, Jun 19, 2013 at 10:34 PM, Paul Ferguson <fergdawgster () gmail com> wrote:

Sure enough:

; <<>> DiG 9.7.3 <<>> @localhost yelp.com A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53267
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;yelp.com. IN A

;; ANSWER SECTION:
yelp.com. 300 IN A 204.11.56.20

;; Query time: 143 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jun 20 07:33:13 2013
;; MSG SIZE  rcvd: 42

NetRange: 204.11.56.0 - 204.11.59.255
CIDR: 204.11.56.0/22
OriginAS: AS40034
NetName: CONFLUENCE-NETWORKS--TX3
NetHandle: NET-204-11-56-0-1
Parent: NET-204-0-0-0-0
NetType: Direct Allocation
Comment: Hosted in Austin TX.
Comment: Abuse :
Comment: abuse () confluence-networks com
Comment: +1-917-386-6118
RegDate: 2012-09-24
Updated: 2012-09-24
Ref: http://whois.arin.net/rest/net/NET-204-11-56-0-1

OrgName: Confluence Networks Inc
OrgId: CN
Address: 3rd Floor, Omar Hodge Building, Wickhams
Address: Cay I, P.O. Box 362
City: Road Town
StateProv: Tortola
PostalCode: VG1110
Country: VG
RegDate: 2011-04-07
Updated: 2011-07-05
Ref: http://whois.arin.net/rest/org/CN

OrgAbuseHandle: ABUSE3065-ARIN
OrgAbuseName: Abuse Admin
OrgAbusePhone: +1-917-386-6118
OrgAbuseEmail: abuse () confluence-networks com
OrgAbuseRef: http://whois.arin.net/rest/poc/ABUSE3065-ARIN

OrgNOCHandle: NOCAD51-ARIN
OrgNOCName: NOC Admin
OrgNOCPhone: +1-415-462-7734
OrgNOCEmail: noc () confluence-networks com
OrgNOCRef: http://whois.arin.net/rest/poc/NOCAD51-ARIN

OrgTechHandle: TECHA29-ARIN
OrgTechName: Tech Admin
OrgTechPhone: +1-415-358-0858
OrgTechEmail: ipadmin () confluence-networks com
OrgTechRef: http://whois.arin.net/rest/poc/TECHA29-ARIN


- ferg



On Wed, Jun 19, 2013 at 10:30 PM, Grant Ridder <shortdudey123 () gmail com> wrote:

Yelp is evidently also affected

On Wed, Jun 19, 2013 at 10:19 PM, John Levine <johnl () iecc com> wrote:

Reaching out to DNS operators around the globe. Linkedin.com has had some
issues with DNS and would like DNS operators to flush their DNS. If you see
www.linkedin.com resolving NS to ns1617.ztomy.com or ns2617.ztomy.com then
please flush your DNS.

Any other info please reach out to me off-list.

While you're at it, www.usps.com, www.fidelity.com, and other well
known sites have had DNS poisoning problems.  When I restarted my
cache, they looked OK.

--
"Fergie", a.k.a. Paul Ferguson
 fergdawgster(at)gmail.com
--
"Fergie", a.k.a. Paul Ferguson
 fergdawgster(at)gmail.com
-- 
-george william herbert
george.herbert () gmail com
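As an added example, not part of the thread, here is a small check for the two indicators discussed above: NS records for www.linkedin.com pointing at names outside linkedin.com (John Levine's ztomy.com case) and A records landing in the 204.11.56.0/22 block that ferg's whois returned for the bogus yelp.com answer. It parses dig-style ANSWER SECTION text (as pasted above) and reports records that violate a locally maintained policy; the sample answers, the expected-NS policy and the flagged block are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample answers in dig's text format, modelled on the outputs
# quoted in the thread; not captured from a live resolver.
SAMPLE_NS = """;; ANSWER SECTION:
www.linkedin.com.\t300\tIN\tNS\tns1617.ztomy.com.
www.linkedin.com.\t300\tIN\tNS\tns2617.ztomy.com.
"""
SAMPLE_A = """;; ANSWER SECTION:
yelp.com.\t300\tIN\tA\t204.11.56.20
"""
SAMPLE_OK = """;; ANSWER SECTION:
example.net.\t3600\tIN\tA\t192.0.2.10
"""

# Hypothetical local policy: the name-server suffixes each zone is expected
# to delegate to, and address blocks an operator has decided to flag
# (here the block ARIN whois reported for the unexpected yelp.com answer).
EXPECTED_NS_SUFFIXES = {"www.linkedin.com.": ("linkedin.com.",)}
FLAGGED_NETWORKS = [ipaddress.ip_network("204.11.56.0/22")]

# owner  ttl  IN  type  rdata  (dig separates fields with tabs or spaces)
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(NS|A)\s+(\S+)$", re.MULTILINE)

def parse_answer_section(text):
    """Return (owner, ttl, rtype, rdata) tuples from dig's ANSWER SECTION."""
    body = text.split(";; ANSWER SECTION:", 1)[-1]
    return [(n, int(t), r, d) for n, t, r, d in RR_RE.findall(body)]

def check_answers(text, expected_ns=EXPECTED_NS_SUFFIXES, flagged=FLAGGED_NETWORKS):
    """Flag NS records outside the zone's expected suffixes and A records
    inside flagged address blocks. Returns a list of findings; an empty
    list means the cached answers matched policy."""
    findings = []
    for name, ttl, rtype, rdata in parse_answer_section(text):
        if rtype == "NS":
            allowed = expected_ns.get(name.lower())
            if allowed and not rdata.lower().endswith(tuple(s.lower() for s in allowed)):
                findings.append(f"{name} NS {rdata} not under {allowed}; flush and re-query")
        elif rtype == "A":
            addr = ipaddress.ip_address(rdata)
            for net in flagged:
                if addr in net:
                    findings.append(f"{name} A {rdata} in flagged block {net} (ttl {ttl})")
    return findings
```

Feed it the output of `dig @your-resolver <name> NS` or `A` to confirm whether a cache still holds the bad records before and after flushing.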