nanog mailing list archives

Re: Level(3) DNS Spoofing All Domains

From: Mike Bolitho <mikebolitho () gmail com>
Date: Tue, 19 Nov 2019 10:49:17 -0700

This is was my thought as well. People always get up in arms about how it's
"Public DNS!" but it's really not. It's just well known and used because
it's easy to remember.

- Mike Bolitho


On Tue, Nov 19, 2019 at 9:28 AM Ryan, Spencer <spencer.ryan () netscout com>
wrote:

Are you a CL/L3 customer? Those resolvers have only ever been for
“customers” even though they would resolve for anyone. They started
injecting NXDOMAIN redirects a while ago for non-customers.





*From:* NANOG <nanog-bounces () nanog org> *On Behalf Of *Marshall, Quincy
*Sent:* Monday, November 18, 2019 12:45 PM
*Subject:* Level(3) DNS Spoofing All Domains



This message originated outside of NETSCOUT. Do not click links or open
attachments unless you recognize the sender and know the content is safe.

This is mostly informational and may have already hit this group. My
google-foo failed me if so.



I discovered that the CenturyLink/Level(3) public DNS (4.2.2.2, etc) are
spoofing all domains. If the hostname begins with a “w” and does not exist
in the authoritative zone these hosts will return two Akamai hosts.



[root@localhost ~]# dig +short w3.dummydomaindoesntexist.gov @4.2.2.2

23.202.231.167

23.217.138.108

[root@localhost ~]# dig +short w3.dummydomaindoesntexist.net @4.2.2.2

23.202.231.167

23.217.138.108

[root@localhost ~]# dig +short w3.dummydomaindoesntexist.com @4.2.2.2

23.202.231.167

23.217.138.108

[root@localhost ~]# dig +short w3.dummydomaindoesntexist.org @4.2.2.2

23.202.231.167

23.217.138.108



My apologies if this is old news.



*Lawrence Q. Marshall*




------------------------------

This email has been scanned for email related threats and delivered safely
by Mimecast.
For more information please visit http://www.mimecast.com
<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.mimecast.com&d=DwMFaQ&c=Hlvprqonr5LuCN9TN65xNw&r=VfFQaWKwN0L3efDXtkWoSUKlJtu8LJ9Ke5bevkfX6C0&m=q6vn3t-QWxYOtFEQ5UhCttLDcerYncizhmA0BXauzSg&s=0udD7os_Gb1eyxuW47ezLZB2f-gk_Ipxso3m4n80kqg&e=>
------------------------------

Current thread:

Level(3) DNS Spoofing All Domains Marshall, Quincy (Nov 19)
- Re: Level(3) DNS Spoofing All Domains Pierre Emeriaud (Nov 19)
- Re: Level(3) DNS Spoofing All Domains Patrick Schultz (Nov 19)
  - Re: Level(3) DNS Spoofing All Domains Matthew Pounsett (Nov 19)
    - Re: Level(3) DNS Spoofing All Domains Mel Beckman (Nov 19)
    - Re: Level(3) DNS Spoofing All Domains Christopher Morrow (Nov 19)
- Re: Level(3) DNS Spoofing All Domains Brandon Martin (Nov 19)
- RE: Level(3) DNS Spoofing All Domains Ryan, Spencer (Nov 19)
  - RE: Level(3) DNS Spoofing All Domains Marshall, Quincy (Nov 19)
  - Re: Level(3) DNS Spoofing All Domains Mike Bolitho (Nov 19)
    - RE: Level(3) DNS Spoofing All Domains Marshall, Quincy (Nov 19)
    - Re: Level(3) DNS Spoofing All Domains Mike Bolitho (Nov 19)
    - RE: Level(3) DNS Spoofing All Domains Marshall, Quincy (Nov 19)
    - Re: Level(3) DNS Spoofing All Domains Billy Crook (Nov 19)
- Re: Level(3) DNS Spoofing All Domains Cary Wiedemann (Nov 19)
- Re: Level(3) DNS Spoofing All Domains brent timothy saner (Nov 19)