[dns-operations] "remotely changing a home router's DNS server was theoretically possible" (C|Net)

Peter Dambier peter at peter-dambier.de
Tue Jan 22 20:22:23 UTC 2008


I am troubled by this little typo:

Sorry, I have to scramble it or the mailer would tell me nasty things:

real domain "S:E:R:V:E:F:T:P:.:C:O:M"
typo domain "S:E:R:V:E:F:P:T:.:C:O:M"

remove the colons and make it lowercase.

; <<>> DiG 9.4.0 <<>> -t any echnaton.typo
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39153
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 0

;echnaton.typo.         IN      ANY

echnaton.typo.  3600    IN      A
echnaton.typo.  3600    IN      A

typo.           172800  IN      NS      ns3.smartdamain.com.
typo.           172800  IN      NS      ns1.smartdamain.com.
typo.           172800  IN      NS      ns2.smartdamain.com.

;; Query time: 284 msec
;; WHEN: Tue Jan 22 20:59:21 2008
;; MSG SIZE  rcvd: 137

I alerted no-ip.com support before Christmas.

The result: I have lost my account.
The pharmer is celebrating Pentecost.

He is even running his own root now:

; <<>> DiG 9.4.0 <<>> -t any . @ns1.smartdamain.com.
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32334
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;.                              IN      ANY

.                       2560    IN      SOA     ns. hostmaster. 1201030527 16384 2048 1048576 2560
.                       259200  IN      NS      ns.

;; Query time: 134 msec
;; WHEN: Tue Jan 22 21:17:31 2008
;; MSG SIZE  rcvd: 77


Gadi Evron wrote:
| Paul Vixie wrote:
|> in <http://www.news.com/8301-10789_3-9855195-57.html> we see:
|> January 22, 2008 10:19 AM PST
|> Drive-by pharming attack hits home
|> Posted by Robert Vamosi
|> Whenever you type an address into an Internet browser, that address is
|> instantly resolved into the site's numerical Internet address by a DNS server
|> located somewhere in the world. On Tuesday, Symantec announced that online
|> criminals have started to remotely redirect your home network router's DNS
|> server so that whenever you type in a financial institution or other trusted
|> site, your browser will instead be redirected to a bogus or phishing Web
|> site.
|> The practice, called pharming, usually attacks the DNS servers directly, but
|> this latest attack brings it all home (if you are using broadband
|> connectivity). Fortunately, the routers and institutions affected by this
|> current attack are limited to one country, Mexico, but Symantec warns that
|> word of this real-world attack could bring similar attacks elsewhere.
| I am unsure of what specific attack (malware?) they are talking about
| which is MX specific, but SYMC is good with PR. I am however
| increasingly concerned with the ease of compromising broadband routers.
| On the DNS side, without compromising (which can result in more botnets
| or wiretap concerns) I am especially concerned due to many of these CPE
| devices being recursive DNS servers.
| While DNS hijacking remains a threat and it is clear a significant
| number of ns world-wide are lying to us, it is not my main concern when
| these devices are discussed.
| 	Gadi.
| _______________________________________________
| dns-operations mailing list
| dns-operations at lists.oarci.net
| http://lists.oarci.net/mailman/listinfo/dns-operations

-- 
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Rimbacher Strasse 16
D-69509 Moerlenbach-Bonsweiher
+49(6209)795-816 (Telekom)
+49(6252)750-308 (VoIP: sipgate.de)
mail: peter at peter-dambier.de


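The two observations in the post above (a transposition typo of a domain that has been registered, and a nameserver for it that answers authoritatively for "." with its own SOA and NS) can both be turned into a routine check. The following is an added example, not code from the post or from any tool it mentions. It parses dig's presentation-format output as quoted in the post, flags a rogue root by comparing the returned NS set and SOA MNAME against the thirteen IANA root servers (a.root-servers.net through m.root-servers.net, the only real-world constant it relies on), and enumerates adjacent-letter transpositions of a label so they can be resolved. The function names, the `SANE_ROOT_DIG` fixture and the 192.0.2.x address are assumptions made for the example; the resolver is injected as a callable so the script runs offline against a constructed fixture.

```python
"""Checks prompted by the dig output quoted in the post (added example):

  1. Does a server claim to be authoritative for the root (".") with an
     NS set or SOA that is not the IANA root?  (rogue root)
  2. Which adjacent-letter transpositions of a label resolve?
     (the serveftp -> servefpt class of typo squat)
"""
import re

# The thirteen IANA root name servers, a.root-servers.net .. m.root-servers.net
ROOT_SERVERS = {f"{c}.root-servers.net." for c in "abcdefghijklm"}

# Constructed from the rogue-root dig output quoted in the post.
ROGUE_ROOT_DIG = """\
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
.                       2560    IN      SOA     ns. hostmaster. 1201030527 16384 2048 1048576 2560
.                       259200  IN      NS      ns.
"""

# Constructed (assumption): what a sane recursive resolver returns for ". NS",
# truncated to two of the thirteen records for brevity.
SANE_ROOT_DIG = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 0
.                       518400  IN      NS      a.root-servers.net.
.                       518400  IN      NS      m.root-servers.net.
"""

RR_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z0-9]+)\s*(?P<rdata>.*)$")
FLAGS_LINE = re.compile(r"^;; flags:\s*([^;]*);")


def parse_dig(text):
    """Return (flags, records) from dig presentation-format output.
    Records are dicts with name/ttl/type/rdata.  Comment lines other
    than the ';; flags:' header are ignored; names/rdata are lowercased."""
    flags, records = set(), []
    for line in text.splitlines():
        line = line.strip()
        m = FLAGS_LINE.match(line)
        if m:
            flags = set(m.group(1).split())
            continue
        if not line or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if m:
            rec = m.groupdict()
            rec["ttl"] = int(rec["ttl"])
            rec["name"] = rec["name"].lower()
            rec["rdata"] = rec["rdata"].strip().lower()
            records.append(rec)
    return flags, records


def rogue_root_indicators(dig_text):
    """Reasons to distrust a server's answer for the root zone.
    An empty list means the answer is consistent with the real root."""
    flags, records = parse_dig(dig_text)
    reasons = []
    ns = {r["rdata"] for r in records if r["name"] == "." and r["type"] == "NS"}
    if "aa" in flags:
        reasons.append("server answers authoritatively for '.'")
    if ns and not ns <= ROOT_SERVERS:
        reasons.append("root NS set is not the IANA root servers: "
                       + ", ".join(sorted(ns - ROOT_SERVERS)))
    for r in records:
        if r["name"] == "." and r["type"] == "SOA":
            mname = r["rdata"].split()[0]
            if mname not in ROOT_SERVERS:
                reasons.append(f"root SOA MNAME '{mname}' is not a root server")
    return reasons


def adjacent_transpositions(label):
    """The typo class in the post: two neighbouring letters swapped
    (serveftp -> servefpt).  Swaps of equal letters are skipped."""
    out = []
    for i in range(len(label) - 1):
        if label[i] != label[i + 1]:
            out.append(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    return out


def squatted_typos(domain, resolve):
    """Return {typo_domain: addresses} for transposition typos of the first
    label that resolve.  `resolve(name)` must return a list of addresses
    (empty on NXDOMAIN); it is injected so this can run against a fixture."""
    label, _, rest = domain.partition(".")
    hits = {}
    for t in adjacent_transpositions(label):
        name = f"{t}.{rest}" if rest else t
        addrs = resolve(name)
        if addrs:
            hits[name] = addrs
    return hits


if __name__ == "__main__":
    print(rogue_root_indicators(ROGUE_ROOT_DIG))
    # Constructed fixture standing in for DNS; 192.0.2.0/24 is documentation space.
    fixture = {"servefpt.com": ["192.0.2.10"]}
    print(squatted_typos("serveftp.com", lambda n: fixture.get(n, [])))
```

Against a live server you would feed `rogue_root_indicators` the output of `dig -t any . @<server>` and pass `squatted_typos` a resolver built on `socket.getaddrinfo` or a DNS library; the `aa` flag on a root answer is the cheapest single indicator, since no recursive CPE resolver should ever be authoritative for ".".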