[dns-operations] Etisalat DNS hack

Stephane Bortzmeyer bortzmeyer at nic.fr
Fri Dec 19 11:32:59 UTC 2014


On Thu, Dec 18, 2014 at 12:04:45PM -0500,
 David C Lawrence <tale at akamai.com> wrote 
 a message of 11 lines which said:

> http://gulfnews.com/business/technology/domain-name-structure-of-etisalat-poisoned-1.1428889
> 
> This news report claims it was a cache poisoning, but it also reads
> like it could have been hacked authoritative data.

Indeed, this report is ridiculous and the claims of "Nicolai Solling,
director of technology services" clearly self-contradictory.

> Does anyone have more information?

From the information at DNSDB, it seems that the NS records were not
changed but the A was. The change was short-lived and seen only by a
few sensors so we cannot be sure if it was a DNS poisoning or an
illegal access to the DNS hoster (I say DNS hoster because the NS have
not been changed, as they would have been during an attack at the
registry or registrar) Web interface.

For the NS, the only change was the withdrawal of ans1.kanartel.sd and
ans2.kanartel.sd from the set (they were in the zone but never at the
parent) around 2014-12-18 04:30:00, after the attack.

For the A:

bailiwick	etisalat.ae.
count	2
first seen	2014-12-18 02:34:16 -0000
last seen	2014-12-18 02:34:16 -0000
etisalat.ae.	A	205.164.14.77

Yes, this IP address is in China.

CIRCL.lu and PassiveDNS.cn did not see the change in the A record
(which is consistent with a short-lived change, or with a DNS
poisoning not reaching their sensors). No service saw a change for
e4me.ae.
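The reasoning in the post above (NS set unchanged, A record changed, seen briefly by few sensors, so the registry/registrar is unlikely and the question is cache poisoning versus the hoster's panel) can be turned into a small triage routine over passive-DNS output. The following is an added example, not part of the post or of any DNSDB tooling: it parses the DNSDB text layout quoted in the post, finds rrsets that were seen only briefly and differ from the long-lived baseline, and reports whether the NS set changed in the same incident. The sample data is constructed; only the 205.164.14.77 observation is the one quoted in the post, while the baseline A record (an RFC 5737 documentation address), the NS names and the counts are assumptions for the example.

```python
"""Triage passive-DNS observations for a short-lived record change.

Added example (not from the mailing-list post): given DNSDB-style text
blocks, find rrsets that were observed only briefly and differ from the
dominant (highest-count) rdata, then note whether the NS set changed
too. An A change with an unchanged NS set points at the resolver cache
or the DNS hoster, not at the registry or registrar.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample in the DNSDB text layout used in the post. The
# 205.164.14.77 block is the one quoted there; the baseline A record
# (192.0.2.10, an RFC 5737 documentation address), the NS names and the
# counts are assumptions made for this example.
SAMPLE = """\
bailiwick\tetisalat.ae.
count\t184211
first seen\t2010-06-01 00:00:00 -0000
last seen\t2014-12-19 10:00:00 -0000
etisalat.ae.\tA\t192.0.2.10

bailiwick\tetisalat.ae.
count\t2
first seen\t2014-12-18 02:34:16 -0000
last seen\t2014-12-18 02:34:16 -0000
etisalat.ae.\tA\t205.164.14.77

bailiwick\tae.
count\t90000
first seen\t2010-06-01 00:00:00 -0000
last seen\t2014-12-19 10:00:00 -0000
etisalat.ae.\tNS\tns1.example.net.
etisalat.ae.\tNS\tns2.example.net.
"""


def _parse_ts(value):
    # DNSDB prints "YYYY-MM-DD HH:MM:SS -0000"; treat the timestamp as UTC.
    return datetime.strptime(value[:19], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_dnsdb_text(text):
    """Parse blank-line separated DNSDB text blocks into dicts."""
    records = []
    for block in text.strip().split("\n\n"):
        rec = {"rdata": []}
        for line in block.splitlines():
            parts = line.split("\t")
            if len(parts) == 2:  # "key<TAB>value" header line
                key, value = parts
                if key == "count":
                    rec["count"] = int(value)
                elif key == "first seen":
                    rec["first_seen"] = _parse_ts(value)
                elif key == "last seen":
                    rec["last_seen"] = _parse_ts(value)
                else:
                    rec[key] = value
            elif len(parts) == 3:  # "rrname<TAB>rrtype<TAB>rdata" line
                rec["rrname"], rec["rrtype"] = parts[0], parts[1]
                rec["rdata"].append(parts[2])
        rec["rdata"] = tuple(sorted(rec["rdata"]))  # rrset as an ordered tuple
        records.append(rec)
    return records


def find_short_lived_changes(records, max_seconds=3600, max_count=10):
    """Return rrsets that differ from the baseline for the same name/type
    and were seen only within a short window by few sensors."""
    by_key = defaultdict(list)
    for rec in records:
        by_key[(rec["rrname"], rec["rrtype"])].append(rec)
    findings = []
    for (rrname, rrtype), recs in by_key.items():
        baseline = max(recs, key=lambda r: r["count"])  # most-observed rrset
        for rec in recs:
            if rec is baseline:
                continue
            window = (rec["last_seen"] - rec["first_seen"]).total_seconds()
            if window <= max_seconds and rec["count"] <= max_count:
                findings.append({
                    "rrname": rrname, "rrtype": rrtype,
                    "rdata": rec["rdata"], "baseline_rdata": baseline["rdata"],
                    "first_seen": rec["first_seen"], "count": rec["count"],
                })
    return findings


def triage(text):
    """Parse DNSDB text and attach a verdict to each non-NS anomaly."""
    findings = find_short_lived_changes(parse_dnsdb_text(text))
    names_with_ns_change = {f["rrname"] for f in findings if f["rrtype"] == "NS"}
    result = []
    for f in findings:
        if f["rrtype"] == "NS":
            continue
        if f["rrname"] in names_with_ns_change:
            f["verdict"] = "NS set also changed: a delegation change at the registry or registrar is possible"
        else:
            f["verdict"] = "NS set unchanged: cache poisoning or a change at the DNS hoster, not at the registry"
        result.append(f)
    return result


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f['rrname']} {f['rrtype']} {f['rdata']} (baseline {f['baseline_rdata']}), "
              f"seen {f['count']}x at {f['first_seen']:%Y-%m-%d %H:%M:%S}: {f['verdict']}")
```

The thresholds (one hour, ten observations) are arbitrary starting points; the distinction the routine cannot make, as the post itself says, is between poisoning and a change made through the hoster's interface, since both leave the NS set intact. Comparing the answer from the zone's authoritative servers with what resolvers returned during the window would settle that, but passive DNS alone does not.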
