Level(3) DNS Spoofing All Domains

Cary Wiedemann carywiedemann at gmail.com
Tue Nov 19 15:48:30 UTC 2019


Wow, news to me, and it's worse than you thought.  They're spoofing
responses for ALL non-existent domains, not just those starting with a "w":

langsam:~# whois unregistereddomaintest.com | head -1
No match for "UNREGISTEREDDOMAINTEST.COM".

langsam:~# dig +short a unregistereddomaintest.com @4.2.2.2
23.202.231.167
23.217.138.108

langsam:~# dig +short a unregistereddomaintest.mil @4.2.2.2
23.202.231.167
23.217.138.108

I can't get an NXDOMAIN result from 4.2.2.2 at all.

Good to know.  Time to reconfigure 10,000 firewalls.

Thank you Lawrence.

- Cary Wiedemann

On Tue, Nov 19, 2019 at 10:35 AM Marshall, Quincy <Quincy.Marshall at reged.com>
wrote:

> This is mostly informational and may have already hit this group. My
> google-fu failed me if so.
>
> I discovered that the CenturyLink/Level(3) public DNS (4.2.2.2, etc) are
> spoofing all domains. If the hostname begins with a “w” and does not exist
> in the authoritative zone these hosts will return two Akamai hosts.
>
> [root@localhost ~]# dig +short w3.dummydomaindoesntexist.gov @4.2.2.2
> 23.202.231.167
> 23.217.138.108
>
> [root@localhost ~]# dig +short w3.dummydomaindoesntexist.net @4.2.2.2
> 23.202.231.167
> 23.217.138.108
>
> [root@localhost ~]# dig +short w3.dummydomaindoesntexist.com @4.2.2.2
> 23.202.231.167
> 23.217.138.108
>
> [root@localhost ~]# dig +short w3.dummydomaindoesntexist.org @4.2.2.2
> 23.202.231.167
> 23.217.138.108
>
> My apologies if this is old news.
>
> *Lawrence Q. Marshall*
>
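
Both messages observe a resolver answering with A records where NXDOMAIN is expected. One way to check any resolver for that behaviour is to query names that cannot exist and look at the response status, shown here as an added example that is not part of either message. The function names, the `nxprobe-` label prefix and the sample dig output are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `dig +noall +comments +answer` output for a rewritten
# answer (addresses are the ones quoted in the thread; TTL and id are made up).
SAMPLE_REWRITTEN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4660
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
unregistereddomaintest.com. 60 IN A 23.202.231.167
unregistereddomaintest.com. 60 IN A 23.217.138.108'
# Constructed sample of an honest negative answer.
SAMPLE_NXDOMAIN=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4661
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1'

# Read dig output on stdin; print NXDOMAIN, "REWRITTEN <ips>" or "OTHER <status>".
classify_dig_output() {
  awk '
    # Pull the RCODE name out of the header line.
    /->>HEADER<<-/ {
      for (i = 1; i < NF; i++)
        if ($i == "status:") { st = $(i + 1); sub(/,$/, "", st) }
    }
    # Collect A records from the answer section (non-comment lines).
    $1 !~ /^;/ && $3 == "IN" && $4 == "A" { ips = ips " " $5 }
    END {
      if (st == "NXDOMAIN") print "NXDOMAIN"
      else if (st == "NOERROR" && ips != "") print "REWRITTEN" ips
      else print "OTHER " (st == "" ? "NO_RESPONSE" : st)
    }'
}

# Probe one resolver with random labels. ".invalid" is reserved (RFC 6761) and
# can never resolve; the random .com/.net labels are assumed unregistered.
# Returns non-zero if any probe came back with A records.
check_resolver() {
  resolver=$1; verdict=clean
  for tld in invalid com net; do
    label=$(head -c 12 /dev/urandom | od -An -tx1 | tr -d ' \n')
    result=$(dig +noall +comments +answer +time=3 +tries=1 \
               "nxprobe-$label.$tld" A "@$resolver" | classify_dig_output)
    echo "$resolver nxprobe-$label.$tld $result"
    case $result in REWRITTEN*) verdict=rewriting ;; esac
  done
  [ "$verdict" = clean ]
}

# Offline demonstration on the constructed samples:
printf '%s\n' "$SAMPLE_REWRITTEN" | classify_dig_output
printf '%s\n' "$SAMPLE_NXDOMAIN" | classify_dig_output
# Live check (needs network and dig):  check_resolver 4.2.2.2
```

The same answer addresses appearing for unrelated probe names is the pattern both posters saw; the per-probe lines printed by `check_resolver` make that easy to spot.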

