Level(3) DNS Spoofing All Domains

Brandon Martin lists.nanog at monmotha.net
Tue Nov 19 16:08:09 UTC 2019


On 11/18/19 12:45 PM, Marshall, Quincy wrote:
> I discovered that the CenturyLink/Level(3) public DNS (4.2.2.2, etc) are 
> spoofing all domains. If the hostname begins with a “w” and does not 
> exist in the authoritative zone these hosts will return two Akamai hosts.

As far as I know, this has been going on for quite some time at least 
for folks not on Level3.  I know I've seen it as far back as 5-7 years 
ago from various vantage points.

I guess it's also possible somebody was intercepting those well-known 
anycast addresses between me and Level3, but the "search guide" it 
redirected to didn't implicate any obvious suspects.

It fails DNSSEC checking, of course, so if you have DNSSEC validation 
turned on at your recursive resolver, you should get something else 
(probably SERVFAIL).
-- 
Brandon Martin


