Level(3) DNS Spoofing All Domains
Pierre Emeriaud
petrus.lt at gmail.com
Tue Nov 19 15:50:33 UTC 2019
On Tue, 19 Nov 2019 at 16:36, Marshall, Quincy
<Quincy.Marshall at reged.com> wrote:
>
> I discovered that the CenturyLink/Level(3) public DNS (4.2.2.2, etc) are spoofing all domains. If the hostname begins with a “w” and does not exist in the authoritative zone these hosts will return two Akamai hosts.
>
> [root at localhost ~]# dig +short w3.dummydomaindoesntexist.gov @4.2.2.2
> 23.202.231.167
> 23.217.138.108
It depends on the server you're hitting:
From AS3215 (.fr)
$ dig +short w3.dummydomaindoesntexist.org @4.2.2.2
23.217.138.108
23.202.231.167
$ dig +short caseraitvraimentconquilexiste.org @4.2.2.2
23.217.138.108
23.202.231.167
$ dig +short hostname.bind txt ch @4.2.2.2
"pubntp1.lon1.Level3.net"
From AS16276 (.ca):
$ dig w3.dummydomaindoesntexist.org @4.2.2.2
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 34998
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
$ dig +short hostname.bind txt ch @4.2.2.2
"cns4.nyc1.Level3.net"