nanog mailing list archives
Re: Level(3) DNS Spoofing All Domains
From: Brandon Martin <lists.nanog () monmotha net>
Date: Tue, 19 Nov 2019 11:08:09 -0500
On 11/18/19 12:45 PM, Marshall, Quincy wrote:
I discovered that the CenturyLink/Level(3) public DNS (4.2.2.2, etc) are spoofing all domains. If the hostname begins with a “w” and does not exist in the authoritative zone these hosts will return two Akamai hosts.
As far as I know, this has been going on for quite some time at least for folks not on Level3. I know I've seen it as far back as 5-7 years ago from various vantage points.
I guess it's also possible somebody was intercepting those well known anycast addresses between me and Level3, but the "search guide" it redirected to didn't implicate any obvious suspects.
It fails DNSSEC checking, of course, so if you have DNSSEC validation turned on at your recursive resolver, you should get something else (probably SERVFAIL).
-- Brandon Martin
Current thread:
- Level(3) DNS Spoofing All Domains Marshall, Quincy (Nov 19)
- Re: Level(3) DNS Spoofing All Domains Pierre Emeriaud (Nov 19)
- Re: Level(3) DNS Spoofing All Domains Patrick Schultz (Nov 19)
- Re: Level(3) DNS Spoofing All Domains Matthew Pounsett (Nov 19)
- Re: Level(3) DNS Spoofing All Domains Mel Beckman (Nov 19)
- Re: Level(3) DNS Spoofing All Domains Christopher Morrow (Nov 19)
- Re: Level(3) DNS Spoofing All Domains Matthew Pounsett (Nov 19)
- Re: Level(3) DNS Spoofing All Domains Brandon Martin (Nov 19)
- RE: Level(3) DNS Spoofing All Domains Ryan, Spencer (Nov 19)
- RE: Level(3) DNS Spoofing All Domains Marshall, Quincy (Nov 19)
- Re: Level(3) DNS Spoofing All Domains Mike Bolitho (Nov 19)
- RE: Level(3) DNS Spoofing All Domains Marshall, Quincy (Nov 19)
- Re: Level(3) DNS Spoofing All Domains Mike Bolitho (Nov 19)
- RE: Level(3) DNS Spoofing All Domains Marshall, Quincy (Nov 19)
- Re: Level(3) DNS Spoofing All Domains Billy Crook (Nov 19)