[dns-operations] eNom / InterNAP apparent DNS poisoning

Patrick W. Gilmore patrick at ianai.net
Mon Dec 4 20:30:18 UTC 2006


We would like some help from eNom, who appears to be doing some evilness
to the DNS.

-- 
TTFN,
patrick


[Rest is from John Payne.]

They seem to have a * wildcard on their _authoritative_ nameservers.
This means that any zone hosted on eNom (dns[1-5].name-services.com) that
has a CNAME will be given back an authoritative-flag-set answer of
64.74.223.198 for the end RR.

Most nameservers will ignore it; ones vulnerable to cache poisoning will
cache it.

Ironically the person who blogged (plentyoffish.com) about this isn't
being poisoned any more:

PoohBook2:~ jpayne$ dig  pics.plentyoffish.com @63.251.92.193
pics.plentyoffish.com.  3600    IN      CNAME   pics.plentyoffish.com.edgesuite.net.

So it's not like they can claim ignorance if they're willing to put in
exceptions.

Other "interesting" results poking at this authoritative nameserver:

www.yahoo.com.          1800    IN      A       64.74.223.2       (POISONED - low TTL)
;www.google.com.                IN      A                         (NXDOMAIN)
;www.microsoft.com.             IN      A                         (NXDOMAIN)
www.fbi.gov.            2419200 IN      A       64.74.223.198     (POISONED)
www.dhs.gov.            2419200 IN      A       64.74.223.198     (POISONED)


Is there anyone here able to put pressure on them?
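
[Added example, not part of the original post.] A resolver-side view of why most nameservers ignore such an answer: a bailiwick check keeps only records whose owner name lies inside the zone the queried server is authoritative for, so the address supplied for the out-of-zone CNAME target is discarded and the target is resolved separately. The function names and the sample response (built from the names and address quoted above, TTL on the A record assumed) are constructed for illustration.

```python
# Added example: resolver-side bailiwick filtering (names are hypothetical).
# Records are (owner, ttl, rtype, rdata) tuples.

def normalize(name):
    """Lower-case a domain name and give it exactly one trailing dot."""
    return name.lower().rstrip(".") + "."

def in_bailiwick(name, zone):
    """True if name is the zone apex or a label-aligned subdomain of it."""
    name, zone = normalize(name), normalize(zone)
    return zone == "." or name == zone or name.endswith("." + zone)

def split_answer(zone, answer):
    """Split records into (trusted, discarded) by owner name.

    zone is what the queried server was delegated. Records for names
    outside it are dropped even if the response has the AA flag set.
    """
    trusted, discarded = [], []
    for rr in answer:
        (trusted if in_bailiwick(rr[0], zone) else discarded).append(rr)
    return trusted, discarded

def next_query(qname, trusted):
    """Follow trusted CNAMEs from qname. Return the name that still has to
    be resolved elsewhere, or None if a trusted address ends the chain."""
    name, seen = normalize(qname), set()
    while name not in seen:
        seen.add(name)
        rrs = [rr for rr in trusted if normalize(rr[0]) == name]
        if any(rr[2] in ("A", "AAAA") for rr in rrs):
            return None
        target = next((rr[3] for rr in rrs if rr[2] == "CNAME"), None)
        if target is None:
            return name
        name = normalize(target)
    raise ValueError("CNAME loop at " + name)

# Constructed response modelled on the post: the server for plentyoffish.com
# returns the CNAME plus an address for the out-of-zone CNAME target.
SAMPLE = [
    ("pics.plentyoffish.com.", 3600, "CNAME",
     "pics.plentyoffish.com.edgesuite.net."),
    ("pics.plentyoffish.com.edgesuite.net.", 3600, "A", "64.74.223.198"),
]

if __name__ == "__main__":
    trusted, discarded = split_answer("plentyoffish.com.", SAMPLE)
    print("discarded:", discarded)
    print("re-query :", next_query("pics.plentyoffish.com.", trusted))
```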



