nanog mailing list archives

RE: Level(3) DNS Spoofing All Domains


From: "Ryan, Spencer" <spencer.ryan () netscout com>
Date: Tue, 19 Nov 2019 15:41:42 +0000

Are you a CL/L3 customer? Those resolvers have only ever been for “customers” even though they would resolve for 
anyone. They started injecting NXDOMAIN redirects a while ago for non-customers.


From: NANOG <nanog-bounces () nanog org> On Behalf Of Marshall, Quincy
Sent: Monday, November 18, 2019 12:45 PM
Subject: Level(3) DNS Spoofing All Domains

This is mostly informational and may have already hit this group. My google-foo failed me if so.

I discovered that the CenturyLink/Level(3) public DNS (4.2.2.2, etc) are spoofing all domains. If the hostname begins 
with a “w” and does not exist in the authoritative zone these hosts will return two Akamai hosts.

[root@localhost ~]# dig +short w3.dummydomaindoesntexist.gov @4.2.2.2
23.202.231.167
23.217.138.108
[root@localhost ~]# dig +short w3.dummydomaindoesntexist.net @4.2.2.2
23.202.231.167
23.217.138.108
[root@localhost ~]# dig +short w3.dummydomaindoesntexist.com @4.2.2.2
23.202.231.167
23.217.138.108
[root@localhost ~]# dig +short w3.dummydomaindoesntexist.org @4.2.2.2
23.202.231.167
23.217.138.108

My apologies if this is old news.

Lawrence Q. Marshall
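
The check from the dig session above can be repeated against any resolver with the script below. It is an added example, not part of the original thread. The names rand_label, probe_resolver and the DIG override variable are hypothetical, and the randomly generated labels are assumed to be unregistered.

```shell
#!/bin/sh
# Added example: detect NXDOMAIN rewriting by a recursive resolver.
# DIG may be pointed at a stub so the logic can be exercised offline.
DIG="${DIG:-dig}"

# Print a random 20-character hex label (assumed not to be registered).
rand_label() {
    head -c 64 /dev/urandom | od -An -tx1 | tr -d ' \n' | cut -c1-20
}

# probe_resolver RESOLVER [TLD...]
# Queries w3.<random>.<tld> for each TLD, mirroring the session above.
# Returns 0 (no rewriting seen), 1 (rewriting), 2 (resolver did not answer).
probe_resolver() {
    resolver=$1; shift
    [ $# -gt 0 ] || set -- com net org
    total=0; answered=0; seen=""
    for tld in "$@"; do
        name="w3.$(rand_label).$tld"
        out=$($DIG +short +time=2 +tries=1 A "$name" "@$resolver" 2>/dev/null) || return 2
        total=$((total + 1))
        # Keep only IPv4 address lines; +short can also print CNAME targets.
        ips=$(printf '%s\n' "$out" | grep -E '^[0-9]+(\.[0-9]+){3}$' | sort -u | tr '\n' ' ')
        if [ -n "$ips" ]; then
            answered=$((answered + 1))
            seen="$seen$ips"
        fi
    done
    if [ "$answered" -eq 0 ]; then
        echo "clean: $resolver returned no A records for $total nonexistent names"
        return 0
    fi
    # The same few addresses for unrelated names points to a redirect service.
    distinct=$(printf '%s' "$seen" | tr ' ' '\n' | sort -u | grep -c .)
    echo "rewriting: $resolver answered $answered/$total nonexistent names with $distinct distinct address(es)"
    return 1
}
```

Call it as `probe_resolver 4.2.2.2` or pass specific TLDs after the resolver address; an exit status of 1 means at least one nonexistent name came back with A records.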

