idea about forging dns data
Tim Peiffer
peiffer at umn.edu
Wed Aug 31 14:58:05 UTC 2005
Without discussing the morality issues, the need to locally kill or
poison a DNS entry is real. We periodically create a local entry for a
single machine or sometimes a domain for which an IRC botnet controller
is using the nefarious domain to indicate a machine to DDoS. We handle
this as if we are authoritative for anyone asking us. If you do not
serve anything outside of your network, i.e., no public DNS service, this
works well. Currently the poison wildcards everything in the domain to
127.0.0.1. The reach of the poison extends to the boundary of our
company and no further.
Case in point:
Look at your DNS query transactions for wallloan.com, legi0n.net,
turkcoders.net, and is-a-fag.net.
The machines making requests about the above domains are infected with
various worm and botnet controllers.
We plan on changing the wildcards from loopback to IP addresses in our
local domain, IP addresses that represent URLs indicating 'You are
seeing this web page because you have been hacked', 'You are seeing this
page because you have XXX worm.', 'Please see OIT Security - ', so that
we can inform the customers that they have something seriously wrong
with their machines. If you were of a mind to legislate morality or
policy, you could do that in this manner as well.
Tim Peiffer
University of Minnesota
Networking and Telecommunications Services
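As an added illustration of the local sinkhole described above (not configuration from the original post or from the University of Minnesota), here is what the "we are authoritative for anyone asking us" setup looks like in BIND 9, using legi0n.net from the list above. The file paths, the ns1.example.edu / hostmaster.example.edu names, the serial, and the 192.0.2.10 warning-server address are all assumed placeholders; the allow-query restriction is what keeps the poison inside the local network, matching the author's caveat about not serving a public DNS service.

```conf
# --- /etc/bind/named.conf.local (fragment, assumed path) ---
# One stanza per sinkholed domain; all of them can share the same zone file
# because the zone file below only uses "@" and "*", never a literal name.
zone "legi0n.net" IN {
    type master;
    file "/etc/bind/db.sinkhole";
    allow-query { localnets; };   # never hand the poisoned zone to outside resolvers
};

; --- /etc/bind/db.sinkhole (assumed path) ---
; Shared sinkhole zone. "@" is whatever domain the named.conf stanza loaded it for.
$TTL 300                          ; short TTL so a mistaken entry can be undone quickly
@   IN  SOA  ns1.example.edu. hostmaster.example.edu. (
            2005083101            ; serial (constructed)
            3600                  ; refresh
            900                   ; retry
            604800                ; expire
            300 )                 ; negative-cache TTL
@   IN  NS   ns1.example.edu.
; The apex needs its own record: a wildcard only matches names *below* the zone.
@   IN  A    127.0.0.1
; Current practice from the post: wildcard every host in the domain to loopback.
*   IN  A    127.0.0.1
; Planned change from the post: point both records at a local web server that
; serves the "you have been hacked / please see OIT Security" page instead, e.g.
;@   IN  A    192.0.2.10
;*   IN  A    192.0.2.10
```

Check the result with `named-checkzone legi0n.net /etc/bind/db.sinkhole` before reloading; clients querying the poisoned name will then appear in the query log on the sinkhole server, which is where the infected-machine list above comes from.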