[dns-operations] Hijacking of Google Public DNS in Turkey documented

Colm MacCárthaigh colm at stdlib.net
Sun Mar 30 01:33:34 UTC 2014


Seems to be specific resolvers getting targeted with simple no-export
routes within the ISPs. Intercepting all :53 traffic would look pretty
different.


On Sat, Mar 29, 2014 at 6:28 PM, Dave Warren <davew at hireahit.com> wrote:

>  On 2014-03-29 18:20, Colm MacCárthaigh wrote:
>
>
> You're right, one of the many whoami records would work too, but I usually
> avoid those for two reasons: 1) users mostly don't know how to make DNS
> queries and often copy the wrong IP address back in their reports, and 2)
> the response is cacheable and so unreliable when your resolver has multiple
> IPs, or if you're testing several resolvers from behind a caching stub
> resolver. So I wrote the HTTP/JavaScript interface with a cache buster to
> get rid of the problem.
>
> HackerNews user erhanerdogan <https://news.ycombinator.com/user?id=erhanerdogan>
> got back to me with a report: https://news.ycombinator.com/item?id=7494650
>
>  Which looks like Google/OpenDNS are being replaced, rather than MITM'd
> or proxied. But I'd still be interested in more data.
>
>
> Is it just Google/OpenDNS or all :53 traffic? Is recursive vs not a
> factor? Most interesting indeed.
>
> --
> Dave Warren
> http://www.hireahit.com/
> http://ca.linkedin.com/in/davejwarren
>
>



-- 
Colm
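
The cache-buster point from the quoted message, as an added example that is not part of the thread or of the tool it mentions: each probe uses a fresh random label, so no stub or recursive cache on the path can answer it, and the TXT answer carries the resolver address the authoritative server saw. The zone `whoami.example.net`, its wildcard TXT behaviour and the sample response are assumptions constructed for illustration.

```python
import secrets
import struct

WHOAMI_ZONE = "whoami.example.net"  # hypothetical wildcard zone (assumption)

def busted_qname(zone=WHOAMI_ZONE):
    """Prefix a random label so no cache on the path can hold the answer."""
    return f"{secrets.token_hex(8)}.{zone}"

def encode_name(name):
    labels = (l.encode("ascii") for l in name.rstrip(".").split("."))
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_query(qname, txid):
    """DNS TXT/IN query with RD set, ready to send over UDP to a resolver."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 16, 1)

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def egress_from_response(msg, txid):
    """Extract the first TXT string (the resolver IP the server saw)."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000 or flags & 0x000F or an == 0:
        return None                  # wrong ID, not a response, error, or empty
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 16:
            return msg[off + 1:off + 1 + msg[off]].decode("ascii")
        off += rdlen
    return None

def constructed_response(query, ip):
    """Constructed sample answer, standing in for the whoami server."""
    rdata = bytes([len(ip)]) + ip.encode("ascii")
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 0, len(rdata)) + rdata
    return query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0) + query[12:] + answer
```

Sending `build_query(busted_qname(), txid)` to each configured resolver address and comparing the returned egress address with that operator's published ranges shows whether the address is being answered by a different resolver.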