Bugtraq mailing list archives
Re: International DNS compromise?
From: <bill () dit-inc us>
Date: 6 Aug 2004 20:05:09 -0000
In-Reply-To: <20040805192243.7826e6b9.john () pond-weed com>

This is from China's "Great Firewall" sniffing their 54Gbps international traffic. I presented some details at the HOPE conference in NYC last month. I posted the presentation here: http://www.dit-inc.us/report/hope2004/cover.htm (click on the image to get in)

Regarding this DNS hijacking thing, it is worth mentioning that root DNS servers in China may hijack queries from neighbouring countries as well. The blacklist for DNS hijacking is very small. The TCP session hijacking list is longer, and the IP blocking blacklist is the longest.

Bill
Date: Thu, 5 Aug 2004 19:22:43 +0100
From: john <john () pond-weed com>
To: bugtraq () securityfocus com
Subject: Re: International DNS compromise?
Message-Id: <20040805192243.7826e6b9.john () pond-weed com>
In-Reply-To: <20040805051101.18767.qmail () web13702 mail yahoo com>
References: <Pine.LNX.4.58.0407232020010.3889 () pluto physik uni-wuerzburg de> <20040805051101.18767.qmail () web13702 mail yahoo com>

On Wed, 4 Aug 2004 22:11:01 -0700 (PDT) Zhen Shi <zhenshi99 () yahoo com> wrote:

Dear all,

Recently I noticed something fishy in the DNS system between the US and China.

First, any IPs, dead or live, in China will respond to your DNS query for some domains. For example (screen shot with some clean-up and comments):

    C:\>nslookup
    > server 210.77.0.0              <=== pick a random IP in China
    Default Server:  [210.77.0.0]
    Address:  210.77.0.0

    > www.rfa.org
    Server:  [210.77.0.0]
    Address:  210.77.0.0

    Non-authoritative answer:
    Name:    www.rfa.org
    Address:  203.105.1.21           <=== you got response!!!!

Second, every time the response is different:

    > www.rfa.org
    Server:  [210.77.0.0]
    Address:  210.77.0.0

    Non-authoritative answer:
    Name:    www.rfa.org
    Address:  64.66.163.251

<snip>

It looks like it all works OK with most domain names. But rfa.org is the sort of site the Chinese would want to censor. Evidently this is part of their strategy for doing that. This has the side-effect that you could discover the list of sites being censored by systematically comparing DNS replies from a server in China with those from an uncompromised server.

John
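The comparison John suggests in the quoted message, as an added example that is not part of the original thread: it classifies the A records seen from a suspect resolver against those from a trusted one, flagging names whose answers are both disjoint from the reference and unstable across repeated queries (the pattern in the nslookup session above). The resolver label "reference", the example.* names and the 192.0.2.x addresses are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample observations, not real measurements. Each tuple is
# (resolver, qname, A record): "reference" stands for a trusted resolver
# outside the suspect network, 210.77.0.0 is the address from the quoted
# nslookup session, and the 192.0.2.x addresses are documentation-range
# placeholders.
OBSERVATIONS = [
    ("reference", "www.rfa.org", "192.0.2.10"),
    ("reference", "www.rfa.org", "192.0.2.10"),
    ("210.77.0.0", "www.rfa.org", "203.105.1.21"),   # first answer in the post
    ("210.77.0.0", "www.rfa.org", "64.66.163.251"),  # second answer, different
    ("reference", "www.example.com", "192.0.2.20"),
    ("210.77.0.0", "www.example.com", "192.0.2.20"),
    ("reference", "cdn.example.org", "192.0.2.30"),
    ("210.77.0.0", "cdn.example.org", "192.0.2.31"),
    ("210.77.0.0", "cdn.example.org", "192.0.2.31"),
]


def classify(observations, reference="reference"):
    """Map (qname, resolver) to a verdict for every non-reference resolver:
    consistent - shares at least one A record with the reference answers
    divergent  - disjoint from the reference but stable (CDN or geo-DNS?)
    injected   - disjoint from the reference and changing between queries"""
    answers = defaultdict(lambda: defaultdict(set))  # qname -> resolver -> records
    for resolver, qname, record in observations:
        answers[qname][resolver].add(record)
    verdicts = {}
    for qname, per_resolver in answers.items():
        ref = per_resolver.get(reference, set())
        for resolver, got in per_resolver.items():
            if resolver == reference:
                continue
            if got & ref:
                verdict = "consistent"
            elif len(got) > 1:
                verdict = "injected"
            else:
                verdict = "divergent"
            verdicts[(qname, resolver)] = verdict
    return verdicts


def suspected_names(verdicts):
    """Names whose answers from some suspect resolver look injected."""
    return sorted({qname for (qname, _), v in verdicts.items() if v == "injected"})
```

A stable but divergent answer is reported separately because CDNs and geo-DNS legitimately hand different regions different addresses; only the changing, disjoint answers match the behaviour in the post.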
Current thread:
- International DNS compromise? Zhen Shi (Aug 05)
- Re: International DNS compromise? john (Aug 05)
- Re: International DNS compromise? John Kinsella (Aug 05)
- <Possible follow-ups>
- Re: International DNS compromise? Troy (Aug 05)
- Re: International DNS compromise? Rio Martin. (Aug 06)
- Re: International DNS compromise? Danny (Aug 06)
- Re: International DNS compromise? John F. Waymouth (Aug 06)
- RE: International DNS compromise? travis . alexander (Aug 05)
- RE: International DNS compromise? Troy Monaghen (Aug 06)
- Re: International DNS compromise? bill (Aug 06)
- RE: International DNS compromise? Mike Clark (Aug 06)
- RE: International DNS compromise? Johan Nilsson (Aug 06)
- Re: International DNS compromise? Troy (Aug 06)