BigRed.com - cache poisoning for com/net/org domains

Mike Batchelor mikebat at tmcs.net
Fri Jul 13 21:52:47 UTC 2001


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

There was a weird problem posted to this list by Tim Langdell on May 24, 2001
(see http://www.mcabee.org/lists/nanog/msg01330.html).  I am experiencing the
same problem, though I am certain it is not due to any registry
hacks/trojans/virii on the Windows clients, as Tim's message thread
suggested.

The problem is that my Win2K DNS server is resolving non-existent domains
under com, net or org, to the bigred.com website at 64.177.155.101, instead
of giving NXDOMAIN as it should.  Let me show you what I have found in my
poisoned cache.  I did all these queries from a Unix host that resolves
through a different nameserver that has not been poisoned.  My Win2K DNS
server, which services Windows clients on our LAN, is the one I am querying
at 172.25.1.104.

Check it out:

; <<>> DiG 8.1 <<>> @a.gtld-servers.net nosuchdomainexists.com. any
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUERY SECTION:
;;	nosuchdomainexists.com, type = ANY, class = IN
;; AUTHORITY SECTION:
com.			1D IN SOA	A.GTLD-SERVERS.NET. hostmaster.nsiregistry.NET. (
					2001071201	; serial
					30M		; refresh
					15M		; retry
					1W		; expiry
					1D )		; minimum
;; Total query time: 96 msec
;; FROM: upolu to SERVER: a.gtld-servers.net  192.5.6.30
;; WHEN: Fri Jul 13 11:58:03 2001
;; MSG SIZE  sent: 40  rcvd: 117

OK, so no such domain exists in the gTLD servers.  So far so good.  But my Win2K
DNS says otherwise:

; <<>> DiG 8.1 <<>> @172.25.1.104 nosuchdomainexists.com. ns
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2
;; QUERY SECTION:
;;	nosuchdomainexists.com, type = NS, class = IN
;; ANSWER SECTION:
nosuchdomainexists.com.  4m51s IN NS  ns.above.net.
nosuchdomainexists.com.  4m51s IN NS  ns.eli.net.
;; ADDITIONAL SECTION:
ns.above.net.		22h35m53s IN A	207.126.96.162
ns.eli.net.		23h54m5s IN A	209.63.0.2
;; Total query time: 4 msec
;; FROM: upolu to SERVER: 172.25.1.104
;; WHEN: Fri Jul 13 11:58:24 2001
;; MSG SIZE  sent: 40  rcvd: 119

Fascinating.  Both of these nameservers say NXDOMAIN for
nosuchdomainexists.com, same as the gTLD servers.  Now check this out.  I ask
my cache for the A record of the non-existent domain:

; <<>> DiG 8.1 <<>> @172.25.1.104 nosuchdomainexists.com. a
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUERY SECTION:
;;	nosuchdomainexists.com, type = A, class = IN
;; ANSWER SECTION:
nosuchdomainexists.com.  59m40s IN A  64.177.155.101
;; Total query time: 3 msec
;; FROM: upolu to SERVER: 172.25.1.104
;; WHEN: Fri Jul 13 11:58:47 2001
;; MSG SIZE  sent: 40  rcvd: 56

Once I have made this query, the Win2K cache has some different glue for it:

; <<>> DiG 8.1 <<>> @172.25.1.104 nosuchdomainexists.com. ns
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUERY SECTION:
;;	nosuchdomainexists.com, type = NS, class = IN
;; ANSWER SECTION:
nosuchdomainexists.com.  59m27s IN NS  dnsc.nsq.com.
;; ADDITIONAL SECTION:
dnsc.nsq.com.		59m38s IN A	66.34.52.233
;; Total query time: 13 msec
;; FROM: upolu to SERVER: 172.25.1.104
;; WHEN: Fri Jul 13 11:59:01 2001
;; MSG SIZE  sent: 40  rcvd: 79

Iiiiinteresting.  But what else is f'ed up here?  I ask my Win2K cache for
the address of a.gtld-servers.net and get back 66.34.52.224.   In fact, my
cache says all the gTLD servers have this address, except for
z.gtld-servers.net (yes, "z") for which it gives the address 198.41.3.40.
Non-existent gtld-servers.net get the address of the bigred.com website from
my Win2K cache.

Thing is, the nameserver at 66.34.52.224 is lame for names under
gtld-servers.net, and refers me back to the correct names and addresses for
the root zone.  It is also lame for the nosuchdomainexists.com name that I was
testing with.

What gives????  How did my cache get poisoned, and how can the poisoning be
continuing to affect resolution this way, when none of the poisoned glue
appears to work at all??

I'm totally stumped.

- ---
ALL YOUR BASE ARE BELONG TO US
 SOMEBODY SET UP US THE BOMB

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBO09tr0ksS4VV8BvHEQK7owCgxXlaFfUUGpOdemmgBhXk9IH180cAn3oc
OjC8lHvY0wGs7J7FciTyZXmB
=dcfg
-----END PGP SIGNATURE-----
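The manual check in the message above (ask an authoritative server and the suspect cache for a name that cannot exist, then compare the two answers) is easy to automate.  The following Python script is an added example and is not part of the original post or of any NANOG reply; it builds DNS wire-format messages modelled on the dig output above (the name nosuchdomainexists.com, the bogus A record 64.177.155.101, the NXDOMAIN from the gTLD server), parses them with a small stdlib-only decoder that understands compression pointers, and flags the tell-tale combination of NXDOMAIN from the authority with a positive answer from the cache.  The constructed messages stand in for network replies so the demo runs offline; the `probe()` helper that sends a live UDP query is an assumption about how one would use the check against a real resolver and is not exercised by the demo.

```python
import socket
import struct

NOERROR, NXDOMAIN = 0, 3
TYPE_A, TYPE_NS = 1, 2


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(name, qtype, txid=0x1234):
    """Standard query with RD set, for use against a live resolver."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(name, qtype, rcode, answers, aa=False, txid=0x1234):
    """Build a response carrying only an answer section.  Used here to
    construct test messages modelled on the dig output in the post; a real
    check receives these bytes from the network instead."""
    flags = 0x8180 | rcode | (0x0400 if aa else 0)   # QR, RD, RA, [AA], RCODE
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)
    for owner, rtype, ttl, rdata in answers:
        rd = socket.inet_aton(rdata) if rtype == TYPE_A else encode_name(rdata)
        msg += encode_name(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rd)) + rd
    return msg


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", end if end is not None else off


def parse_response(msg):
    """Return rcode, AA flag and the answer section as (owner, type, ttl, value)."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                # skip the question
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_A:
            value = socket.inet_ntoa(msg[off:off + rdlen])
        elif rtype == TYPE_NS:
            value, _ = read_name(msg, off)
        else:
            value = msg[off:off + rdlen].hex()
        off += rdlen
        answers.append((owner.lower(), rtype, ttl, value))
    return {"rcode": flags & 0xF, "aa": bool(flags & 0x0400), "answers": answers}


def assess(authoritative, cache):
    """Compare the authority's answer with the suspect cache's answer.
    The tell-tale from the post: authority NXDOMAIN, cache NOERROR with data."""
    a, c = parse_response(authoritative), parse_response(cache)
    if a["rcode"] == NXDOMAIN:
        if c["rcode"] == NXDOMAIN:
            return "CONSISTENT"
        return "POISONED" if c["answers"] else "MISMATCH"
    auth = {(o, t, v) for o, t, _, v in a["answers"]}
    got = {(o, t, v) for o, t, _, v in c["answers"]}
    return "CONSISTENT" if got <= auth else "MISMATCH"


# Constructed test messages modelled on the dig output in the post.
NAME = "nosuchdomainexists.com"
AUTH_REPLY = build_response(NAME, TYPE_A, NXDOMAIN, [], aa=True)
CACHE_REPLY = build_response(NAME, TYPE_A, NOERROR,
                             [(NAME, TYPE_A, 3580, "64.177.155.101")])


def probe(server, name, qtype=TYPE_A, timeout=3.0):
    """Live UDP query (assumed usage; not exercised by the offline demo)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, 53))
        return s.recv(4096)


if __name__ == "__main__":
    print(assess(AUTH_REPLY, CACHE_REPLY))   # POISONED
```

To run it against a real pair of servers, replace the constructed messages with `probe("<authoritative server>", NAME)` and `probe("<suspect cache>", NAME)`, using a freshly invented random label so the cache cannot already hold a legitimate answer; a "POISONED" verdict for several such names is the same evidence the post collects by hand.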
