The weak link? DNS

Sean Donelan sean at donelan.com
Wed Mar 26 09:09:06 UTC 2003


Watching the Iraqi Uruklink and Al Jazeera over the weekend, what struck
me is how many different ways network administrators can mess up.
Although malicious actors have been trying (and succeeding) to exploit
vulnerabilities, the worst problems seem to be self-inflicted.

Administrators had used firewalls and locked down their web sites,
sometimes so well they couldn't handle the traffic load.

But the real weak link was their DNS servers.

For example, Al Jazeera had the time-to-live of their domain records set
to 15 minutes, making them even more vulnerable to increasing the load
on their systems.  Of course, Al Jazeera had other problems too.

What's even stranger about the Iraqi state provider Uruklink.net is the DNS
servers are now self-identifying with earlier (with known bugs) versions
of BIND.  Last week the Uruklink name server 62.145.94.1 was running
8.2.2-P5, but now is running 8.1.2.  Although the web site for
www.uruklink.net is up, DNS lookups for www.uruklink.net return various
other IP addresses (not in 62.145.94.0/24), including some addresses
running web sites claiming the site is "owned." In reality, the site
isn't owned; you are being redirected to an unrelated web site.



