Level(3) DNS Spoofing All Domains
Brandon Martin
lists.nanog at monmotha.net
Tue Nov 19 16:08:09 UTC 2019

On 11/18/19 12:45 PM, Marshall, Quincy wrote:
> I discovered that the CenturyLink/Level(3) public DNS (4.2.2.2, etc) are
> spoofing all domains. If the hostname begins with a “w” and does not
> exist in the authoritative zone these hosts will return two Akamai hosts.

As far as I know, this has been going on for quite some time at least
for folks not on Level3. I know I've seen it as far back as 5-7 years
ago from various vantage points.

I guess it's also possible somebody was intercepting those well-known
anycast addresses between me and Level3, but the "search guide" it
redirected to didn't implicate any obvious suspects.

It fails DNSSEC checking, of course, so if you have DNSSEC validation
turned on at your recursive resolver, you should get something else
(probably SERVFAIL).

--
Brandon Martin
More information about the NANOG
mailing list