Fidelity Domain Hijack?

Brad Knowles brad.knowles at skynet.be
Tue Jun 26 23:05:36 UTC 2001


At 1:40 PM -0700 6/26/01, Carl Hirsch wrote:

>  Apologies if this is the wrong forum, but I'm in the process of doing
>  a post-mortem on a network hiccup we experienced this afternoon.
>
>  Today our DNS servers started resolving "www.401k.com" as
>  "www.xxlteen.com".

	Here's what the latest version of "doc" thinks of this domain:

% doc -d 401k.com
Doc-2.2.2: doc -d 401k.com
Doc-2.2.2: Starting test of 401k.com.   parent is com.
Doc-2.2.2: Test date - Tue Jun 26 18:56:46 EDT 2001
DEBUG: digging @a.gtld-servers.net. for soa of com.
soa @a.gtld-servers.net. for com. has serial: 2001062600
DEBUG: digging @b.gtld-servers.net. for soa of com.
soa @b.gtld-servers.net. for com. has serial: 2001062600
DEBUG: digging @c.gtld-servers.net. for soa of com.
soa @c.gtld-servers.net. for com. has serial: 2001062600
DEBUG: digging @d.gtld-servers.net. for soa of com.
soa @d.gtld-servers.net. for com. has serial: 2001062600
DEBUG: digging @e.gtld-servers.net. for soa of com.
soa @e.gtld-servers.net. for com. has serial: 2001062600
DEBUG: digging @f.gtld-servers.net. for soa of com.
soa @f.gtld-servers.net. for com. has serial: 2001062600
DEBUG: digging @g.gtld-servers.net. for soa of com.
soa @g.gtld-servers.net. for com. has serial: 2001062600
DEBUG: digging @h.gtld-servers.net. for soa of com.
soa @h.gtld-servers.net. for com. has serial: 2001062600
DEBUG: digging @i.gtld-servers.net. for soa of com.
soa @i.gtld-servers.net. for com. has serial: 2001062600
DEBUG: digging @j.gtld-servers.net. for soa of com.
soa @j.gtld-servers.net. for com. has serial: 2001062600
DEBUG: digging @k.gtld-servers.net. for soa of com.
soa @k.gtld-servers.net. for com. has serial: 2001062600
DEBUG: digging @l.gtld-servers.net. for soa of com.
soa @l.gtld-servers.net. for com. has serial: 2001062600
DEBUG: digging @m.gtld-servers.net. for soa of com.
soa @m.gtld-servers.net. for com. has serial: 2001062600
SOA serial #'s agree for com. domain
Found 3 NS and 3 glue records for 401k.com. @a.gtld-servers.net. (non-AUTH)
Found 3 NS and 3 glue records for 401k.com. @b.gtld-servers.net. (non-AUTH)
Found 3 NS and 3 glue records for 401k.com. @c.gtld-servers.net. (non-AUTH)
Found 3 NS and 3 glue records for 401k.com. @d.gtld-servers.net. (non-AUTH)
Found 3 NS and 3 glue records for 401k.com. @e.gtld-servers.net. (non-AUTH)
Found 3 NS and 3 glue records for 401k.com. @f.gtld-servers.net. (non-AUTH)
Found 3 NS and 3 glue records for 401k.com. @g.gtld-servers.net. (non-AUTH)
Found 3 NS and 3 glue records for 401k.com. @h.gtld-servers.net. (non-AUTH)
Found 3 NS and 3 glue records for 401k.com. @i.gtld-servers.net. (non-AUTH)
Found 3 NS and 3 glue records for 401k.com. @j.gtld-servers.net. (non-AUTH)
Found 3 NS and 3 glue records for 401k.com. @k.gtld-servers.net. (non-AUTH)
Found 3 NS and 3 glue records for 401k.com. @l.gtld-servers.net. (non-AUTH)
Found 3 NS and 3 glue records for 401k.com. @m.gtld-servers.net. (non-AUTH)
DNServers for com.
    === 0 were also authoritatve for 401k.com.
    === 13 were non-authoritative for 401k.com.
Servers for com. (not also authoritative for 401k.com.)
    === agree on NS records for 401k.com.
DEBUG: domserv = dnsauth1.sys.gtei.net. dnsauth2.sys.gtei.net. dnsauth3.sys.gtei.net.
NS list summary for 401k.com. from parent (com.) servers
   == dnsauth1.sys.gtei.net. dnsauth2.sys.gtei.net. dnsauth3.sys.gtei.net.
digging @dnsauth1.sys.gtei.net. for soa of 401k.com.
soa @dnsauth1.sys.gtei.net. for 401k.com. serial: 2001042298
digging @dnsauth2.sys.gtei.net. for soa of 401k.com.
soa @dnsauth2.sys.gtei.net. for 401k.com. serial: 2001042298
digging @dnsauth3.sys.gtei.net. for soa of 401k.com.
soa @dnsauth3.sys.gtei.net. for 401k.com. serial: 2001042298
SOA serial #'s agree for 401k.com.
Authoritative domain (401k.com.) servers agree on NS for 401k.com.
ERROR: NS list from 401k.com. authoritative servers does not
   === match NS list from parent (com.) servers
NS list summary for 401k.com. from authoritative servers
   == nic.near.net. vienna1-dns-auth1.bbnplanet.com.
ERROR: dnsauth1.sys.gtei.net. claims to be authoritative, but does not appear in
NS list from authoritative servers
ERROR: dnsauth2.sys.gtei.net. claims to be authoritative, but does not appear in
NS list from authoritative servers
ERROR: dnsauth3.sys.gtei.net. claims to be authoritative, but does not appear in
NS list from authoritative servers
Checking 0 potential addresses for hosts at 401k.com.
   ==
Summary:
    ERRORS found for 401k.com. (count: 4)
Done testing 401k.com.  Tue Jun 26 18:56:52 EDT 2001

	And here's what dnswalk thinks:

% dnswalk -alF 401k.com.
Checking 401k.com.
Getting zone transfer of 401k.com. from nic.near.net...done.
SOA=nic.near.net        contact=dns-admin.bbnplanet.com
BAD: psw.401k.com NS dd1-ma.cam-colo.bbnplanet.net: CNAME (to e0.dd1-ma.cam-colo.bbnplanet.net)
BAD: ms.401k.com NS dd1-ma.cam-colo.bbnplanet.net: CNAME (to e0.dd1-ma.cam-colo.bbnplanet.net)
BAD: nb.401k.com NS dd1-ma.cam-colo.bbnplanet.net: CNAME (to e0.dd1-ma.cam-colo.bbnplanet.net)
BAD: netbenifits.401k.com NS dd1-ma.cam-colo.bbnplanet.net: CNAME (to e0.dd1-ma.cam-colo.bbnplanet.net)
BAD: www.401k.com NS dd1-ma.cam-colo.bbnplanet.net: CNAME (to e0.dd1-ma.cam-colo.bbnplanet.net)
BAD: netbenefits.401k.com NS dd1-ma.cam-colo.bbnplanet.net: CNAME (to e0.dd1-ma.cam-colo.bbnplanet.net)
BAD: ftp.401k.com NS dd1-ma.cam-colo.bbnplanet.net: CNAME (to e0.dd1-ma.cam-colo.bbnplanet.net)
BAD: ftp.401k.com NS dd1-ca.su-colo.bbnplanet.com: lame NS delegation
0 failures, 0 warnings, 8 errors.

	Finally, here's what "DNS Expert" from Men & Mice has to say:

                               DNS Expert
                     Detailed Report for 401k.com.
        6/27/01, 12:59 AM, using the analysis setting "Minimal"
======================================================================

Information
----------------------------------------------------------------------
Serial number:           2001042298
Primary name server:     nic.near.net.
Primary mail server:     N/A
Number of records:       21 (16 NS, 0 MX, 5 A, 0 CNAME, 0 PTR, 0
                          Other)


Errors
----------------------------------------------------------------------
o The name server "dnsauth1.sys.gtei.net." is only listed in
   delegation data
     The server "dnsauth1.sys.gtei.net." is listed as being
     authoritative for the zone according to the delegation data, but
     there is no NS record for that server in the zone data.
     Delegation data and zone data should always match.

o The name server "dnsauth2.sys.gtei.net." is only listed in
   delegation data
     The server "dnsauth2.sys.gtei.net." is listed as being
     authoritative for the zone according to the delegation data, but
     there is no NS record for that server in the zone data.
     Delegation data and zone data should always match.

o The name server "dnsauth3.sys.gtei.net." is only listed in
   delegation data
     The server "dnsauth3.sys.gtei.net." is listed as being
     authoritative for the zone according to the delegation data, but
     there is no NS record for that server in the zone data.
     Delegation data and zone data should always match.

o There are no MX records for the zone
     The zone contains no MX records for the zone itself. This will
     cause delivery problems for mail sent to any account of the form
     user at zone. Every zone for which mail delivery is desired should
     contain at least one MX record.


Warnings
----------------------------------------------------------------------
o The zone contains more than one authoritative name server with the
   same IP address
     The name servers "nic.near.net." and "dnsauth1.sys.gtei.net.",
     which are authoritative for "401k.com.", have the same IP address
     (4.2.49.2).

o The zone contains more than one authoritative name server with the
   same IP address
     The name servers "nic.near.net." and
     "vienna1-dns-auth1.bbnplanet.com.", which are authoritative for
     "401k.com.", have the same IP address (4.2.49.2).

o The zone contains more than one authoritative name server with the
   same IP address
     The name servers "vienna1-dns-auth1.bbnplanet.com." and
     "dnsauth1.sys.gtei.net.", which are authoritative for
     "401k.com.", have the same IP address (4.2.49.2).

o All name servers for the zone are on the same subnet.
     All name servers for the zone are on the same subnet (4.2.49.*).
     If the connection to the network breaks, your domain will become
     inaccessible.


----------------------------------------------------------------------
end of report

>  We've got no evidence that any of our boxes were compromised, so I'm
>  wondering what happened. Could a DNS server closer to the root than us
>  have been compromised and propagated bad information? A brief search
>  of various security sites turned up no mention of Fidelity's Primary
>  DNS getting cracked.

	It's hard to say.  Obviously, this domain is very seriously 
screwed up.  The three nameservers that are officially delegated to 
are all lame, and DNS Expert points out a number of other problems 
(machines with many different names all having the same IP address, 
among others).

>  This situation strikes me as an excellent opportunity to learn more
>  DNS-fu.

	Whoever the owner of this domain is, they need to get it fixed, 
and quickly.  I've carbon-copied the e-mail addresses listed in the 
WHOIS database for this domain, as well as the e-mail address claimed 
in the SOA record for this domain, and the e-mail address associated 
with the network in question.  Hopefully, one or more of them will 
see the severity of the problem and work to try to get it corrected 
as soon as possible.

-- 
Brad Knowles, <brad.knowles at skynet.be>

/*        efdtt.c  Author:  Charles M. Hannum <root at ihack.net>          */
/*       Represented as 1045 digit prime number by Phil Carmody         */
/*     Prime as DNS cname chain by Roy Arends and Walter Belgers        */
/*                                                                      */
/*     Usage is:  cat title-key scrambled.vob | efdtt >clear.vob        */
/*   where title-key = "153 2 8 105 225" or other similar 5-byte key    */

dig decss.friet.org|perl -ne'if(/^x/){s/[x.]//g;print pack(H124,$_)}'

