Level(3) DNS Spoofing All Domains

Pierre Emeriaud petrus.lt at gmail.com
Tue Nov 19 15:50:33 UTC 2019


On Tue, Nov 19, 2019 at 16:36, Marshall, Quincy
<Quincy.Marshall at reged.com> wrote:
>
> I discovered that the CenturyLink/Level(3) public DNS (4.2.2.2, etc) are spoofing all domains. If the hostname begins with a “w” and does not exist in the authoritative zone these hosts will return two Akamai hosts.
>
> [root at localhost ~]# dig +short w3.dummydomaindoesntexist.gov @4.2.2.2
> 23.202.231.167
> 23.217.138.108

It depends on the server you're hitting:

From AS3215 (.fr)
$ dig +short w3.dummydomaindoesntexist.org @4.2.2.2
23.217.138.108
23.202.231.167

$ dig +short caseraitvraimentconquilexiste.org @4.2.2.2
23.217.138.108
23.202.231.167

$ dig +short hostname.bind txt ch @4.2.2.2
"pubntp1.lon1.Level3.net"


From AS16276 (.ca):
$ dig w3.dummydomaindoesntexist.org @4.2.2.2
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 34998
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

$ dig +short hostname.bind txt ch @4.2.2.2
"cns4.nyc1.Level3.net"
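The behaviour reported above (a resolver returning A records for names that cannot exist, apparently keyed on the first letter of the hostname) can be checked systematically rather than by hand. The script below is an added example and is not part of this thread or of any Level(3) tooling: it generates random labels that cannot exist under a zone, half starting with "w" and half with another letter, and records whether a resolver answers them with addresses instead of NXDOMAIN. The resolver backend is injected as `query_fn(name, resolver) -> (rcode, [addresses])` so the logic can be exercised offline; the optional dnspython backend at the bottom is an assumption about that library's API, not something the thread describes.

```python
"""Probe a recursive resolver for NXDOMAIN rewriting.

A name made of a long random label under a zone cannot legitimately exist,
so any NOERROR answer with addresses for it was synthesised by the resolver.
"""
import secrets
import string
from collections import Counter

ALPHABET = string.ascii_lowercase + string.digits
# first letters to compare: the thread reports "w"-prefixed names being answered
PREFIXES = ("w", "x")


def random_label(length=12, first=""):
    """Random DNS label, optionally forced to start with a given letter."""
    body = "".join(secrets.choice(ALPHABET) for _ in range(length))
    return first + body


def probe_names(zone, count):
    """Build `count` non-existent names per prefix under `zone`."""
    return [f"{random_label(first=p)}.{zone}" for p in PREFIXES for _ in range(count)]


def probe_resolver(resolver, query_fn, zone="dummydomaindoesntexist.org", count=3):
    """Query random non-existent names and summarise what the resolver returned.

    Returns a dict with:
      status      - Counter of rcodes seen (NOERROR / NXDOMAIN / SERVFAIL ...)
      synthesised - names that came back with addresses (should be empty)
      answers     - Counter of addresses handed out for non-existent names
      by_prefix   - how many synthesised answers per first letter
      rewriting   - True if any non-existent name resolved to an address
    """
    findings = {
        "resolver": resolver,
        "status": Counter(),
        "synthesised": [],
        "answers": Counter(),
        "by_prefix": {p: 0 for p in PREFIXES},
    }
    for name in probe_names(zone, count):
        rcode, addresses = query_fn(name, resolver)
        findings["status"][rcode] += 1
        if rcode == "NOERROR" and addresses:
            findings["synthesised"].append(name)
            findings["answers"].update(addresses)
            findings["by_prefix"][name[0]] += 1
    findings["rewriting"] = bool(findings["synthesised"])
    return findings


def dnspython_query(name, resolver, timeout=3.0):
    """Live backend (assumed dnspython API; requires `pip install dnspython`)."""
    import dns.resolver  # imported lazily so the rest of the file runs without it

    r = dns.resolver.Resolver(configure=False)
    r.nameservers = [resolver]
    r.lifetime = timeout
    try:
        answer = r.resolve(name, "A")
        return "NOERROR", [rr.address for rr in answer]
    except dns.resolver.NXDOMAIN:
        return "NXDOMAIN", []
    except dns.resolver.NoAnswer:
        return "NOERROR", []
    except dns.resolver.NoNameservers:
        return "SERVFAIL", []


if __name__ == "__main__":
    # Constructed stand-in for the lon1 behaviour quoted in the thread:
    # every non-existent name gets the same two addresses back.
    def fake_rewriting(name, resolver):
        return "NOERROR", ["23.217.138.108", "23.202.231.167"]

    report = probe_resolver("4.2.2.2", fake_rewriting)
    print(report["rewriting"], dict(report["answers"]), report["by_prefix"])
```

Run against a real resolver with `probe_resolver("4.2.2.2", dnspython_query)`; because every probe name is freshly random, a resolver that only wildcards specific prefixes shows up in `by_prefix` rather than being missed by a single fixed test name.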


