[dns-operations] An interesting attack against the SOA MNAME of some TLDs
Stephane Bortzmeyer
bortzmeyer at nic.fr
Wed Feb 8 16:10:20 UTC 2017
It appears some TLDs have a MNAME (primary server) field in the SOA
record which does not exist *and* is in a registrable SLD. A bad guy
can buy the SLD and then receive the traffic aimed to the MNAME.
This is mostly Dynamic Update traffic for Windows machines. If you
like big data, you will get a lot of information, specially from
Active Directory, sometimes personal (name of the PC = name of the
person).
This excellent article describes in detail the problem and its
exploitation for .gt:
https://thehackerblog.com/hacking-guatemalas-dns-spying-on-active-directory-users-by-exploiting-a-tld-misconfiguration/
More information about the dns-operations
mailing list