[dns-operations] AT&T DNS Cache Poisoning?
Robert Edmonds
edmonds at isc.org
Sat Oct 27 20:37:40 UTC 2012
David Conrad wrote:
> Yep, assuming it is cache poisoning. I'm trying to think of
> alternative explanations, but given reports (e.g., from Frank) that
> the issue is affecting other resolvers, it's hard to see other
> answers. A bit odd, given ben.edu isn't very high up on the Alexa (et
> al) list...
i don't think it's cache poisoning. note that there are two out-of-zone
nameservers for ben.edu:
Domain Name: BEN.EDU
[...]
Name Servers:
NS1.BOBBROADBAND.COM
NS2.BOBBROADBAND.COM
and that bobbroadband.com was updated recently, in the past two days:
Domain Name: BOBBROADBAND.COM
Registrar: NETWORK SOLUTIONS, LLC.
Whois Server: whois.networksolutions.com
Referral URL: http://www.networksolutions.com/en_US/
Name Server: NS1.BOBBROADBAND.COM
Name Server: NS2.BOBBROADBAND.COM
Status: clientTransferProhibited
Updated Date: 25-oct-2012
Creation Date: 22-oct-2005
Expiration Date: 22-oct-2017
here's what was seen in DNSDB on the same day that bobbroadband.com was
updated in whois:
;; bailiwick: com.
;; count: 114
;; first seen: 2012-10-25 11:53:51 -0000
;; last seen: 2012-10-25 12:58:03 -0000
bobbroadband.com. IN NS ns1.pendingrenewaldeletion.com.
bobbroadband.com. IN NS ns2.pendingrenewaldeletion.com.
;; bailiwick: bobbroadband.com.
;; count: 2
;; first seen: 2012-10-25 15:08:04 -0000
;; last seen: 2012-10-25 15:49:29 -0000
bobbroadband.com. IN NS ns1432.ztomy.com.
bobbroadband.com. IN NS ns2432.ztomy.com.
taking over the nameservers for bobbroadband.com would thus allow taking
over ben.edu:
;; bailiwick: ben.edu.
;; count: 2
;; first seen: 2012-10-25 15:09:49 -0000
;; last seen: 2012-10-25 15:58:11 -0000
ben.edu. IN NS ns1432.ztomy.com.
ben.edu. IN NS ns2432.ztomy.com.
i see the exact same pattern with cooperhealth.edu, and its nameservers,
back in april:
Domain Name: COOPERHEALTH.EDU
[...]
Name Servers:
DNS01.CAVTEL.NET
DNS02.CAVTEL.NET
Domain Name: CAVTEL.NET
Registrar: NETWORK SOLUTIONS, LLC.
Whois Server: whois.networksolutions.com
Referral URL: http://www.networksolutions.com/en_US/
Name Server: DNS01.CAVTEL.NET
Name Server: DNS02.CAVTEL.NET
Status: clientTransferProhibited
Updated Date: 10-apr-2012
Creation Date: 08-apr-1999
Expiration Date: 08-apr-2013
;; bailiwick: net.
;; count: 168
;; first seen: 2012-04-10 08:30:35 -0000
;; last seen: 2012-04-10 12:34:40 -0000
cavtel.net. IN NS ns1.pendingrenewaldeletion.com.
cavtel.net. IN NS ns2.pendingrenewaldeletion.com.
;; bailiwick: cavtel.net.
;; count: 6
;; first seen: 2012-04-10 14:23:47 -0000
;; last seen: 2012-04-12 08:16:30 -0000
cavtel.net. IN NS ns1432.ztomy.com.
cavtel.net. IN NS ns2432.ztomy.com.
;; bailiwick: cooperhealth.edu.
;; count: 2
;; first seen: 2012-04-11 06:52:37 -0000
;; last seen: 2012-04-11 20:07:14 -0000
cooperhealth.edu. IN NS ns1432.ztomy.com.
cooperhealth.edu. IN NS ns2432.ztomy.com.
--
Robert Edmonds
edmonds at isc.org
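The pattern Robert traces above (an out-of-zone nameserver's parent domain lapses and is re-delegated, and the dependent zone follows it to the new host shortly after) can be spotted automatically from passive-DNS data. Below is an added example, not part of this thread or of any ISC tool: it parses the DNSDB-style text quoted in the post and flags a zone whose previous nameserver provider (known from whois, supplied as a baseline) was itself re-delegated within a window before the zone moved. The sample records are the ones quoted above, trimmed to the fields the parser reads; the two-label "registrable domain" helper is a simplification standing in for a public-suffix list, and the same code applies to the cooperhealth.edu/cavtel.net case.

```python
# Added example (not from the post): flag zones that followed a lapsed out-of-zone NS provider.
from datetime import datetime, timedelta

def parse_dnsdb(text):
    """Yield (first_seen, owner, rdata) for each NS record in DNSDB ';;'-style text output."""
    first_seen = None
    for line in text.splitlines():
        if line.startswith(";; first seen:"):
            # "2012-10-25 11:53:51 -0000": drop the zero offset and keep a naive UTC timestamp
            first_seen = datetime.strptime(line.split(":", 1)[1].strip()[:19], "%Y-%m-%d %H:%M:%S")
        elif line and not line.startswith(";;"):
            owner, _cls, rtype, rdata = line.split()
            if rtype == "NS":
                yield first_seen, owner, rdata

def registrable(name):
    """Provider key = last two labels. Assumption: real code would consult a public-suffix list."""
    return ".".join(name.rstrip(".").split(".")[-2:]) + "."

def find_takeovers(text, baseline, window=timedelta(days=2)):
    """baseline maps zone -> provider domain of its known NS hosts (e.g. from whois).
    Returns (zone, old_provider, new_provider, first_seen) for each suspicious move."""
    moves = {}  # (zone, provider domain of its NS) -> earliest first-seen time
    for ts, owner, ns in parse_dnsdb(text):
        key = (owner, registrable(ns))
        moves[key] = min(ts, moves.get(key, ts))
    hits = []
    for (zone, new_prov), ts in sorted(moves.items(), key=lambda kv: kv[1]):
        old_prov = baseline.get(zone)
        if old_prov is None or old_prov in (zone, new_prov):
            continue  # unknown zone, self-hosted nameservers, or provider unchanged
        # Suspicious if the old provider's own delegation moved away shortly before this change.
        prov_moved = any(z == old_prov and p != old_prov and ts - window <= t <= ts
                         for (z, p), t in moves.items())
        if prov_moved:
            hits.append((zone, old_prov, new_prov, ts))
    return hits

# Constructed sample: the DNSDB records quoted in the post, trimmed to the fields parsed above.
SAMPLE = """\
;; bailiwick: com.
;; first seen: 2012-10-25 11:53:51 -0000
bobbroadband.com. IN NS ns1.pendingrenewaldeletion.com.
;; bailiwick: bobbroadband.com.
;; first seen: 2012-10-25 15:08:04 -0000
bobbroadband.com. IN NS ns1432.ztomy.com.
;; bailiwick: ben.edu.
;; first seen: 2012-10-25 15:09:49 -0000
ben.edu. IN NS ns1432.ztomy.com.
"""
# Baseline taken from the whois output in the post: ben.edu was served from bobbroadband.com.
BASELINE = {"ben.edu.": "bobbroadband.com.", "bobbroadband.com.": "bobbroadband.com."}
```

Running `find_takeovers(SAMPLE, BASELINE)` returns the single ben.edu move, and the self-hosted bobbroadband.com changes are left for the operator of that zone rather than reported as a dependency takeover.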