[dns-operations] AT&T DNS Cache Poisoning?

Phil Pennock dnsop+phil at spodhuis.org
Sat Oct 27 04:14:01 UTC 2012

On 2012-10-27 at 03:36 +0000, Tim Huffman wrote:
> We are the primary DNS servers for the ben.edu domain. We seem to be
> having an issue with an AT&T server that is responding with incorrect
> A records for www.ben.edu and ben.edu.

Definitely looks like a cache-poisoning attack.

Further, compare and contrast:
  curl -vH "Host: www.ben.edu"

  ua="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648)"
  curl -vH "Host: www.ben.edu" -H "User-Agent: $ua"

There's some JavaScript fetching images via fwdservice.com ... looks
like it might be Google click-fraud?


More information about the dns-operations mailing list