[dns-operations] An interesting attack against the SOA MNAME of some TLDs

Stephane Bortzmeyer bortzmeyer at nic.fr
Wed Feb 8 16:10:20 UTC 2017

It appears some TLDs have a MNAME (primary server) field in the SOA
record which does not exist *and* is in a registrable SLD. A bad guy
can buy the SLD and then receive the traffic aimed to the MNAME.

This is mostly Dynamic Update traffic for Windows machines. If you
like big data, you will get a lot of information, specially from
Active Directory, sometimes personal (name of the PC = name of the

This excellent article describes in detail the problem and its
exploitation for .gt:


More information about the dns-operations mailing list