[dns-operations] DNS hijack?
Feng He
fenghe at nsbeta.info
Tue Nov 20 10:25:48 UTC 2012
Hello,
Given this query, the local DNS responds with three sections: ANSWER,
AUTHORITY, ADDITIONAL.
> ;; ANSWER SECTION:
> geocast.net. 735 IN MX 10 ALT2.ASPMX.L.GOOGLE.COM.
> geocast.net. 735 IN MX 20 ASPMX2.GOOGLEMAIL.COM.
> geocast.net. 735 IN MX 5 ASPMX.L.GOOGLE.COM.
> geocast.net. 735 IN MX 10 ALT1.ASPMX.L.GOOGLE.COM.
>
> ;; AUTHORITY SECTION:
> geocast.net. 3435 IN NS ns2.cloudwebdns.COM.
> geocast.net. 3435 IN NS ns3.cloudwebdns.COM.
> geocast.net. 3435 IN NS ns1.cloudwebdns.COM.
> geocast.net. 3435 IN NS ns4.cloudwebdns.COM.
>
> ;; ADDITIONAL SECTION:
> ns1.cloudwebdns.COM. 2626 IN A 114.112.51.224
> ns2.cloudwebdns.COM. 2626 IN A 173.254.229.119
> ns3.cloudwebdns.COM. 2626 IN A 174.140.166.81
> ns4.cloudwebdns.COM. 2626 IN A 209.141.54.207
If somebody inserts the domains "google.com" and "googlemail.com" into
cloudwebdns.com's zone files and sets up the corresponding records, then
ns*.cloudwebdns.com will respond to the query above with the fake
addresses, like:
> ;; ANSWER SECTION:
> geocast.net. 735 IN MX 10 ALT2.ASPMX.L.GOOGLE.COM.
> geocast.net. 735 IN MX 20 ASPMX2.GOOGLEMAIL.COM.
> geocast.net. 735 IN MX 5 ASPMX.L.GOOGLE.COM.
> geocast.net. 735 IN MX 10 ALT1.ASPMX.L.GOOGLE.COM.
>
> ;; AUTHORITY SECTION:
> geocast.net. 3435 IN NS ns2.cloudwebdns.COM.
> geocast.net. 3435 IN NS ns3.cloudwebdns.COM.
> geocast.net. 3435 IN NS ns1.cloudwebdns.COM.
> geocast.net. 3435 IN NS ns4.cloudwebdns.COM.
>
> ;; ADDITIONAL SECTION:
> ASPMX.L.GOOGLE.COM. 2626 IN A 1.2.3.4
> ALT1.ASPMX.L.GOOGLE.COM. 2626 IN A 5.6.7.8
> ALT2.ASPMX.L.GOOGLE.COM. 2626 IN A 1.2.3.4
> ASPMX2.GOOGLEMAIL.COM. 2626 IN A 5.6.7.8
As shown above google's addresses can be faked.
How will a local DNS server prevent this hijacking of DNS records?
Thanks.
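The defence a caching resolver applies in this situation is the bailiwick rule: records in the ADDITIONAL section are accepted only when their owner name lies within the zone the queried server is authoritative for, so A records for GOOGLE.COM names handed back by geocast.net's nameservers are discarded, while the ns*.cloudwebdns.com glue is accepted from the .com servers, whose bailiwick covers it. The example below is added to this archive page and is not code from the original post; it assumes records are parsed from dig-style text, that the resolver knows the bailiwick of the server it queried, and it reuses the addresses from the post plus one constructed in-bailiwick record (mail.geocast.net, 192.0.2.10).

```python
from typing import List, Tuple

RR = Tuple[str, int, str, str]  # (owner, ttl, type, rdata); class assumed IN

def parse_section(text: str) -> List[RR]:
    """Parse dig-style 'owner ttl IN type rdata' lines into tuples."""
    rrs = []
    for line in text.strip().splitlines():
        owner, ttl, _cls, rtype, rdata = line.split(None, 4)
        rrs.append((owner, int(ttl), rtype, rdata))
    return rrs

def in_bailiwick(name: str, zone: str) -> bool:
    """True if name equals zone or lies below it (case-insensitive, trailing dot ignored)."""
    n, z = name.lower().rstrip("."), zone.lower().rstrip(".")
    # The root zone ("" after stripping) covers every name; otherwise require an
    # exact match or a proper label boundary, so evilgeocast.net is NOT under geocast.net.
    return z == "" or n == z or n.endswith("." + z)

def filter_additional(rrs: List[RR], zone: str):
    """Split ADDITIONAL records into (accepted, rejected) under the bailiwick rule."""
    accepted = [r for r in rrs if in_bailiwick(r[0], zone)]
    rejected = [r for r in rrs if not in_bailiwick(r[0], zone)]
    return accepted, rejected

# Constructed input: the forged ADDITIONAL section from the post, served by
# geocast.net's nameservers, plus one record that genuinely belongs to the zone.
FORGED_ADDITIONAL = """
ASPMX.L.GOOGLE.COM. 2626 IN A 1.2.3.4
ALT1.ASPMX.L.GOOGLE.COM. 2626 IN A 5.6.7.8
ALT2.ASPMX.L.GOOGLE.COM. 2626 IN A 1.2.3.4
ASPMX2.GOOGLEMAIL.COM. 2626 IN A 5.6.7.8
mail.geocast.net. 300 IN A 192.0.2.10
"""

# Constructed input: glue as the .com servers hand it out in a referral;
# their bailiwick is com, so the nameserver addresses are in scope.
COM_REFERRAL_GLUE = """
ns1.cloudwebdns.COM. 2626 IN A 114.112.51.224
ns2.cloudwebdns.COM. 2626 IN A 173.254.229.119
"""

if __name__ == "__main__":
    acc, rej = filter_additional(parse_section(FORGED_ADDITIONAL), "geocast.net.")
    print("cached:", acc)   # only mail.geocast.net
    print("dropped:", rej)  # all four GOOGLE.COM / GOOGLEMAIL.COM forgeries
    acc, rej = filter_additional(parse_section(COM_REFERRAL_GLUE), "com.")
    print("cached:", acc)   # both ns glue records
```

Real resolvers (BIND, Unbound) apply this ranking per RFC 2181 section 5.4.1 and additionally re-resolve the MX targets under google.com through the .com and google.com delegation rather than trusting any third party's glue for them.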