root name server hijacked?
Kevin Darcy
kcd at daimlerchrysler.com
Thu Dec 5 19:38:24 UTC 2002
Dai Yuwen wrote:
> Hi, All
>
> Please see what happened when I query a domain name containing "freenet":
>
> $ dig @198.32.64.12 www.freenet.com
>
> ; <<>> DiG 9.2.1 <<>> @198.32.64.12 www.freenet.com
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42495
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;www.freenet.com. IN A
>
> ;; ANSWER SECTION:
> www.freenet.com. 300 IN A 64.33.88.161
>
> ;; Query time: 13 msec
> ;; SERVER: 198.32.64.12#53(198.32.64.12)
> ;; WHEN: Thu Dec 5 16:15:20 2002
> ;; MSG SIZE rcvd: 49
>
> NOTE the result is "64.33.88.161". Again:
> $ dig @198.32.64.12 www.freenetabceaaaa.com
>
> ; <<>> DiG 9.2.1 <<>> @198.32.64.12 www.freenetabceaaaa.com
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44741
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;www.freenetabceaaaa.com. IN A
>
> ;; ANSWER SECTION:
> www.freenetabceaaaa.com. 300 IN A 64.33.88.161
>
> ;; Query time: 12 msec
> ;; SERVER: 198.32.64.12#53(198.32.64.12)
> ;; WHEN: Thu Dec 5 16:16:50 2002
> ;; MSG SIZE rcvd: 57
>
> The query result will be 64.33.88.161 as long as the domain name contains
> "freenet" even though that domain name doesn't exist.
Looks like someone on your network has set up an evil transparent DNS proxy.
No *real* root nameserver gives those answers. www.freenet.com doesn't
resolve to that address either. Very suspicious.
- Kevin
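One way to check for this kind of interception from the defender's side, as an added example that is not part of the original thread: parse a DNS reply and flag the things a real root server would never send (the ra flag, a direct answer for a .com name, no referral). The sample messages are constructed to match the dig output quoted above; the referral's rdata name is only a plausible placeholder.

```python
import struct
# Constructed 49-byte reply matching the first dig output quoted in the post:
# id 42495, flags qr rd ra, QUERY 1, ANSWER 1, AUTHORITY 0, www.freenet.com. 300 IN A 64.33.88.161
INTERCEPTED = (struct.pack("!HHHHHH", 42495, 0x8180, 1, 1, 0, 0)
               + b"\x03www\x07freenet\x03com\x00" + struct.pack("!HH", 1, 1)
               + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([64, 33, 88, 161]))
# Constructed shape of a genuine root reply to the same question: flags qr rd (no ra),
# no ANSWER, and a referral for com. in the AUTHORITY section (placeholder NS name).
REFERRAL = (struct.pack("!HHHHHH", 42495, 0x8100, 1, 0, 1, 0)
            + b"\x03www\x07freenet\x03com\x00" + struct.pack("!HH", 1, 1)
            + b"\x03com\x00" + struct.pack("!HHIH", 2, 1, 172800, 20)
            + b"\x01a\x0bgtld-servers\x03net\x00")

def skip_name(msg, off):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # a 2-byte pointer always ends the name
            return off + 2
        off += 1 + length

def a_records(msg, qdcount, ancount):
    """Collect (ttl, dotted-quad) for every A record in the ANSWER section."""
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4      # skip QTYPE + QCLASS
    found = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            found.append((ttl, ".".join(str(b) for b in msg[off:off + 4])))
        off += rdlen
    return found

def root_reply_anomalies(msg):
    """Reasons a reply claiming to come from a root server cannot be one: roots never
    set ra and hold no .com names, so the right reply is a referral, not an A record."""
    _ident, flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    problems = []
    if flags & 0x0080:
        problems.append("ra flag set: root servers do not offer recursion")
    if an and not ns:
        problems.append("ANSWER present but no AUTHORITY referral")
    for ttl, ip in a_records(msg, qd, an):
        problems.append(f"direct A answer {ip} (TTL {ttl}) for a name below the root zone")
    return problems
```

Feeding the bytes of a live reply captured with dig or tcpdump to root_reply_anomalies() gives an empty list for a genuine root referral and a non-empty one for the proxied answer above.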