Promosis? Who are these guys?

Florian Weimer fw at deneb.enyo.de
Wed Apr 20 09:11:10 UTC 2005


* Suresh Ramasubramanian:

> Any idea?

SANS would call this a DNS cache poisoning attack.  8-) It seems that
ns*.dnsauthority.com uses the shortcut I mentioned earlier.

; <<>> DiG 9.2.4 <<>> @ns4.dnsauthority.com de ns
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31561
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;de.                            IN      NS

;; ANSWER SECTION:
de.                     14400   IN      NS      ns4.dnsauthority.com.
de.                     14400   IN      NS      ns5.dnsauthority.com.

;; Query time: 120 msec
;; SERVER: 66.151.179.138#53(ns4.dnsauthority.com)
;; WHEN: Wed Apr 20 11:08:47 2005
;; MSG SIZE  rcvd: 72

; <<>> DiG 9.2.4 <<>> @ns4.dnsauthority.com enyo.de
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4729
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;enyo.de.                       IN      A

;; ANSWER SECTION:
enyo.de.                14400   IN      A       66.151.179.147

;; AUTHORITY SECTION:
de.                     14400   IN      NS      ns4.dnsauthority.com.
de.                     14400   IN      NS      ns5.dnsauthority.com.

;; Query time: 115 msec
;; SERVER: 66.151.179.138#53(ns4.dnsauthority.com)
;; WHEN: Wed Apr 20 11:10:50 2005
;; MSG SIZE  rcvd: 93
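
Added example, not part of the original post: a bailiwick check run over the second response above, showing which records a caching resolver should refuse to store. The function names and the zone passed in (`enyo.de.`, assuming the resolver reached this server while following a delegation for the queried name) are illustrative assumptions.

```python
import re

# Second response from the post above, trimmed to the lines the check reads.
SAMPLE = """\
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; QUESTION SECTION:
;enyo.de.                       IN      A
;; ANSWER SECTION:
enyo.de.                14400   IN      A       66.151.179.147
;; AUTHORITY SECTION:
de.                     14400   IN      NS      ns4.dnsauthority.com.
de.                     14400   IN      NS      ns5.dnsauthority.com.
"""

def parse_dig(text):
    """Return (flags, records); records are (section, owner, ttl, type, rdata)."""
    flags, records, section = set(), [], None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r";; flags: ([a-z ]+);", line)
        if m:
            flags = set(m.group(1).split())
        elif line.startswith(";;") and line.endswith("SECTION:"):
            section = line[3:].split()[0]      # QUESTION / ANSWER / AUTHORITY / ...
        elif line and not line.startswith(";") and section:
            f = line.split(None, 4)            # owner ttl class type rdata
            if len(f) == 5 and f[2] == "IN":
                records.append((section, f[0].lower(), int(f[1]), f[3], f[4]))
    return flags, records

def in_bailiwick(owner, zone):
    """True if owner is the zone apex or a name below it (label-aligned)."""
    owner, zone = owner.lower().rstrip("."), zone.lower().rstrip(".")
    return zone == "" or owner == zone or owner.endswith("." + zone)

def out_of_bailiwick(text, zone):
    """Records a resolver following a delegation for `zone` must not cache."""
    _, records = parse_dig(text)
    return [r for r in records if not in_bailiwick(r[1], zone)]

if __name__ == "__main__":
    for section, owner, ttl, rtype, rdata in out_of_bailiwick(SAMPLE, "enyo.de."):
        print(f"discard {section}: {owner} {ttl} {rtype} {rdata}")
```
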


