[dns-operations] AT&T DNS Cache Poisoning?
Frank Bulk
frnkblk at iname.com
Sat Oct 27 03:42:12 UTC 2012
As I pointed out on outages, it's not just AT&T's recursive DNS servers, it's others as well.
This link queries 15 DNS servers and shows at least three DNS servers that point to the "incorrect" A record of 208.91.197.132.
http://www.mob.net/~ted/tools/dns.php3?domain=www.ben.edu
And ben.edu's servers are supposed to point to ns[12].bobbroadband.com, and there are some DNS servers out there, too, that have incorrect A records for those two NSes:
http://www.mob.net/~ted/tools/dns.php3?domain=ns1.bobbroadband.com
http://www.mob.net/~ted/tools/dns.php3?domain=ns2.bobbroadband.com
Frank
=============
Checking 15 U.S. NameServers...
Looking Up: www.ben.edu
Domain Server                   Time To Live   IP Address
google-public-dns-a.google.com  42153          38.100.120.100
resolver.qwest.net              933            38.100.120.100
vnsc-bak.sys.gtei.net           84227          38.100.120.100
ns-1.iastate.edu                83993          38.100.120.100
dns1.mci.com                    300            208.91.197.132
ns1.us.prserv.net               300            208.91.197.132
ns2.mindspring.com              86400          38.100.120.100
dns1.rcsntx.sbcglobal.net       86400          38.100.120.100
aslan.adns.net                  83993          38.100.120.100
resolver1.opendns.com           83994          38.100.120.100
ns2.bbspot.com                  300            208.91.197.132
ns1.super-dns.com               83993          38.100.120.100
ns1.sprintlink.net              83994          38.100.120.100
cache01.ns.uu.net               86400          38.100.120.100
cachens1.mcleodusa.net          84229          38.100.120.100
==============
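A cross-resolver consistency check of the kind Frank's 15-server lookup and Tim's repeated dig queries perform by hand, as an added example (not code from this thread or from any of its posters): it parses dig-style ANSWER SECTION text, follows CNAMEs, and flags resolvers whose final addresses disagree with the authoritative answer or flap between queries. The resolver names, dig snippets and the authoritative address 38.100.120.100 are constructed from the values quoted in the thread.

```python
import re

# One dig ANSWER SECTION line: owner  TTL  IN  TYPE  rdata (tabs or spaces)
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|CNAME)\s+(\S+)\s*$")

def parse_answer(dig_text):
    """Return (owner, ttl, type, rdata) tuples for the A/CNAME lines of the ANSWER SECTION."""
    rrs, in_answer = [], False
    for line in dig_text.splitlines():
        if line.startswith(";;"):      # a section header enters or leaves the answer block
            in_answer = line.startswith(";; ANSWER SECTION")
            continue
        m = RR_RE.match(line.strip()) if in_answer else None
        if m:
            owner, ttl, rtype, rdata = m.groups()
            rrs.append((owner.rstrip(".").lower(), int(ttl), rtype, rdata.rstrip(".").lower()))
    return rrs

def final_addresses(rrs, qname):
    """Follow the CNAME chain from qname and return the set of A addresses it ends at."""
    name = qname.rstrip(".").lower()
    for _ in range(8):                 # bound the walk in case the data contains a CNAME loop
        addrs = {r for o, _ttl, t, r in rrs if o == name and t == "A"}
        if addrs:
            return addrs
        cnames = [r for o, _ttl, t, r in rrs if o == name and t == "CNAME"]
        if not cnames:
            return set()
        name = cnames[0]
    return set()

def audit(responses, qname, authoritative):
    """Per resolver: ok, mismatch (wrong address), flapping (answers differ between queries) or empty."""
    verdict = {}
    for resolver, outputs in responses.items():
        seen = [final_addresses(parse_answer(o), qname) for o in outputs]
        if any(not s for s in seen):
            verdict[resolver] = "empty"
        elif len({frozenset(s) for s in seen}) > 1:
            verdict[resolver] = "flapping"
        else:
            verdict[resolver] = "ok" if seen[0] == authoritative else "mismatch"
    return verdict

# Constructed sample input mirroring the thread: the correct CNAME+A answer and the bogus A record.
GOOD = ";; ANSWER SECTION:\nwww.ben.edu.\t3427\tIN\tCNAME\tben.edu.\nben.edu.\t3427\tIN\tA\t38.100.120.100\n;; Query time: 2 msec"
BAD = ";; ANSWER SECTION:\nwww.ben.edu.\t148\tIN\tA\t208.91.197.132\n;; Query time: 2 msec"
AUTHORITATIVE = {"38.100.120.100"}
SAMPLE = {"12.127.17.83": [BAD, GOOD, BAD],             # alternating answers, as in Tim's dig runs
          "google-public-dns-a.google.com": [GOOD, GOOD], "dns1.mci.com": [BAD, BAD]}
```

Against live resolvers you would feed audit() the output of `dig @resolver www.ben.edu` captured several times in a row per resolver, as Tim did, so that a cache alternating between a good and a bad entry shows up as "flapping" rather than passing by luck.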
-----Original Message-----
From: dns-operations-bounces at lists.dns-oarc.net [mailto:dns-operations-bounces at lists.dns-oarc.net] On Behalf Of Tim Huffman
Sent: Friday, October 26, 2012 10:37 PM
To: dns-operations at lists.dns-oarc.net
Subject: [dns-operations] AT&T DNS Cache Poisoning?
We are the primary DNS servers for the ben.edu domain. We seem to be having an issue with an AT&T server that is responding with incorrect A records for www.ben.edu and ben.edu.
What the response SHOULD be:
nslookup www.ben.edu
Server: 63.250.224.66
Address: 63.250.224.66#53
www.ben.edu canonical name = ben.edu.
Name: ben.edu
Address: 38.100.120.100
What 12.127.17.83 is responding with:
> www.ben.edu
Server: tbru.br.rs.els-gms.att.net
Address: 12.127.17.83
Non-authoritative answer:
Name: www.ben.edu
Address: 208.91.197.132
This appears to be affecting only iPhones and iPads on the AT&T network. Is anybody else having problems with this? Are there any AT&T people on this list that can help?
------------------------------------------------------
Below is some more info from the very helpful David Conrad, and more of the email trail on the Outages.org mailing list:
From: David Conrad [mailto:drc at virtualized.org]
Sent: Friday, October 26, 2012 9:53 PM
To: Tim Huffman
Cc: outages at outages.org
Subject: Re: [outages] AT&T DNS problems?
Hi,
So I tried in 3 different places:
Comcast residential service near San Jose, CA: 38.100.120.100
Multi-homed colo facility near Dallas, TX: 38.100.120.100
Multi-homed colo facility near London, UK: 208.91.197.32
Doing a bit of digging on the latter:
% dig +short @12.127.17.83 www.ben.edu ns
ns1432.ztomy.com.
ns2432.ztomy.com.
% whois -h whois.crsnic.net ztomy.com
Whois Server Version 2.0
Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.
Domain Name: ZTOMY.COM
Registrar: PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Whois Server: whois.PublicDomainRegistry.com
Referral URL: http://www.PublicDomainRegistry.com
Name Server: USC4.AKAM.NET
Name Server: USC5.AKAM.NET
Status: ok
Updated Date: 23-apr-2012
Creation Date: 22-nov-2007
Expiration Date: 22-nov-2014
[...]
% whois -h whois.publicdomainregistry.com ztomy.com
Domain Name: ZTOMY.COM
Registrant:
PrivacyProtect.org
Domain Admin (contact at privacyprotect.org)
ID#10760, PO Box 16
Note - All Postal Mails Rejected, visit Privacyprotect.org
Nobby Beach
null,QLD 4218
AU
Tel. +45.36946676
Creation Date: 22-Nov-2007
Expiration Date: 22-Nov-2014
[...]
Doing a google search on ztomy.com suggests that they provide malware/spyware/etc.
Looking at the address being returned (208.91.197.132):
% whois -h whois.arin.net 208.91.197.132
[...]
NetRange: 208.91.196.0 - 208.91.199.255
CIDR: 208.91.196.0/22
OriginAS: AS40034
NetName: CONFLUENCE-NETWORK-INC
NetHandle: NET-208-91-196-0-1
Parent: NET-208-0-0-0-0
NetType: Direct Allocation
RegDate: 2011-04-15
Updated: 2012-03-02
Ref: http://whois.arin.net/rest/net/NET-208-91-196-0-1
OrgName: Confluence Networks Inc
OrgId: CN
Address: 3rd Floor, Omar Hodge Building, Wickhams
Address: Cay I, P.O. Box 362
City: Road Town
StateProv: Tortola
PostalCode: VG1110
Country: VG
RegDate: 2011-04-07
Updated: 2011-07-05
Ref: http://whois.arin.net/rest/org/CN
[...]
Doing a google search on confluence networks suggests that they host a lot of bad stuff (e.g., 'high yield investment programs' which appear to be yet another form of Ponzi scheme). I did see some suggestions of ztomy.com engaging in DNS cache poisoning, but no proof.
Given the inconsistent answers from the AT&T name server, one possibility is that AT&T's resolvers are under a Kaminsky-style DNS cache poisoning attack. You might want to drop a note to the DNS-OARC (https://www.dns-oarc.net) dns-operations list -- I think there are probably some folks there from AT&T.
Regards,
-drc
On Oct 26, 2012, at 6:26 PM, Tim Huffman <tim at bobbroadband.com> wrote:
Yeah, it appears to be some kind of placeholder site, like what Network Solutions uses.
What’s strange is that the AT&T server appears to be handing out alternating responses:
# dig @12.127.17.83 www.ben.edu
; <<>> DiG 9.5.1-P2 <<>> @12.127.17.83 www.ben.edu
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35102
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.ben.edu. IN A
;; ANSWER SECTION:
www.ben.edu. 148 IN A 208.91.197.132
;; Query time: 2 msec
;; SERVER: 12.127.17.83#53(12.127.17.83)
;; WHEN: Fri Oct 26 20:22:18 2012
;; MSG SIZE rcvd: 45
[root at venus ~]# dig @12.127.17.83 www.ben.edu
; <<>> DiG 9.5.1-P2 <<>> @12.127.17.83 www.ben.edu
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38198
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.ben.edu. IN A
;; ANSWER SECTION:
www.ben.edu. 3427 IN CNAME ben.edu.
ben.edu. 3427 IN A 38.100.120.100
;; Query time: 2 msec
;; SERVER: 12.127.17.83#53(12.127.17.83)
;; WHEN: Fri Oct 26 20:22:23 2012
;; MSG SIZE rcvd: 59
[root at venus ~]# dig @12.127.17.83 www.ben.edu
; <<>> DiG 9.5.1-P2 <<>> @12.127.17.83 www.ben.edu
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21252
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.ben.edu. IN A
;; ANSWER SECTION:
www.ben.edu. 142 IN A 208.91.197.132
;; Query time: 1 msec
;; SERVER: 12.127.17.83#53(12.127.17.83)
;; WHEN: Fri Oct 26 20:22:24 2012
;; MSG SIZE rcvd: 45
[root at venus ~]# dig @12.127.17.83 www.ben.edu
; <<>> DiG 9.5.1-P2 <<>> @12.127.17.83 www.ben.edu
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59907
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.ben.edu. IN A
;; ANSWER SECTION:
www.ben.edu. 3425 IN CNAME ben.edu.
ben.edu. 3425 IN A 38.100.120.100
;; Query time: 2 msec
;; SERVER: 12.127.17.83#53(12.127.17.83)
;; WHEN: Fri Oct 26 20:22:25 2012
;; MSG SIZE rcvd: 59
Tim Huffman
Director of Engineering
Business Only Broadband
777 Oakmont Lane, Suite 2000, Westmont, IL 60559
Direct: 630.590.6012 | Main: 630.590.6000 | Fax: 630.986.2496
thuffman at bobbroadband.com | http://www.bobbroadband.com/
Cell: 630.340.1925 | Toll-Free Customer Support: 877.262.4553
From: outages-bounces at outages.org [mailto:outages-bounces at outages.org] On Behalf Of Mike Phipps
Sent: Friday, October 26, 2012 8:17 PM
To: outages at outages.org
Subject: Re: [outages] AT&T DNS problems?
208.91.197.132 doesn’t have a PTR record associated with it, but a Whois query shows that it’s owned by Confluence Networks. However, check out what happens when you go to that IP address:
$ nc -v 208.91.197.132 80
Connection to 208.91.197.132 80 port [tcp/http] succeeded!
GET / HTTP/1.1
Host: ben.edu
HTTP/1.1 200 OK
Date: Sat, 27 Oct 2012 01:14:43 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.3.16
Vary: Accept-Encoding,User-Agent
Content-Length: 712
Content-Type: text/html; charset=UTF-8
<frameset rows="100%,*" frameborder="no" border="0" framespacing="0">
<frame src="http://ben.edu/?fp=Jg2bOCRGpmyIHeO3rTIpYJil8%2FmPB1JibWwClQntyhm4NkwKKuCk1tgtON7LOnmXFywl8MRjELrKlXFXgOfhOw%3D%3D&prvtof=lJY3O5r6C%2F4Iypq21CJp7a1LuqqIdOWvKdwx5Xsl1x8%3D&poru=S87wfqjj4W%2B%2Fm8dSEqpuWZr20KvK367%2BCoGC%2FHW2e9kL6N%2Fl3h3wnDx5AfKbrhlZ&">
</frameset>
<noframes>
<body bgcolor="#ffffff" text="#000000">
<a href="http://ben.edu/?fp=Jg2bOCRGpmyIHeO3rTIpYJil8%2FmPB1JibWwClQntyhm4NkwKKuCk1tgtON7LOnmXFywl8MRjELrKlXFXgOfhOw%3D%3D&prvtof=HFakvtiyy0kNqKrmL%2FCjJLePEMwdGWTZLZa5%2BZpNnP4%3D&poru=9vrhUGVKGCquHB6uFFMUXFNxz1c%2FgIaDOeCSvkLz5HCrH2FI%2Fixpxvr8LwjYT7uO&">Click here to proceed</a>.
</body>
</noframes>
I didn’t look beyond that, but it already looks fishy. Note that I used ben.edu in the hostname on that manual GET request. When I tried it with just the IP address, it said to go to searchremagnified.com.
Mike Phipps
Media Genesis, Inc.
_______________________________________________
dns-operations mailing list
dns-operations at lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations