Level(3) DNS Spoofing All Domains

brent timothy saner brent.saner at gmail.com
Tue Nov 19 16:00:07 UTC 2019


On 11/18/19 12:45, Marshall, Quincy wrote:
> This is mostly informational and may have already hit this group. My
> google-foo failed me if so.
>
> I discovered that the CenturyLink/Level(3) public DNS (4.2.2.2, etc) are
> spoofing all domains. If the hostname begins with a “w” and does not
> exist in the authoritative zone these hosts will return two Akamai hosts.
>
> [root at localhost ~]# dig +short w3.dummydomaindoesntexist.gov @4.2.2.2
> 23.202.231.167
> 23.217.138.108
> [root at localhost ~]# dig +short w3.dummydomaindoesntexist.net @4.2.2.2
> 23.202.231.167
> 23.217.138.108
> [root at localhost ~]# dig +short w3.dummydomaindoesntexist.com @4.2.2.2
> 23.202.231.167
> 23.217.138.108
> [root at localhost ~]# dig +short w3.dummydomaindoesntexist.org @4.2.2.2
> 23.202.231.167
> 23.217.138.108
>
> My apologies if this is old news.
>
> *Lawrence Q. Marshall*
>

Yep, old news. :) It's their "SearchGuide(TM)" nonsense.

You can opt out, but as of about 1.5? months ago it's almost impossible
to, because the applet was serving a 500, and now it just refuses to work
*despite* serving a 200. And it's flaky as all else - when the applet
goes down, the resolvers take the ...aherm, "liberty" of automatically
enabling SearchGuide during the outage.

You can either attempt it via going to e.g.:
  http://searchguide.level3.com/search/?q=foo
and clicking the "Settings" link in the upper right. If you get "There
was a problem retrieving your settings from the server. Please try your
request again later.", then congrats! You won the prize of not being
able to change the redirect.

Alternatively, you can TRY running something like this:
https://pastebin.com/zktqqCxU but AGAIN, it depends on that endpoint
actually being *accessible*.

Which it increasingly is not.

I've moved on from level3 for resolvers; their reliability's been
declining but this nonsense just tanked them for me.
Lately I've been using Verisign's resolvers (64.6.64.6 and 64.6.65.6)
for upstream on my cachers, and I've been pretty pleased with it. They
seem to express a focus on privacy, which is nice, but most importantly,
records seem to get through unmolested, NXDOMAINs and all. Just as it
should be. ;)
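An added check, not part of either message above, that does what the quoted dig commands do and can also be tested offline: it builds a bare UDP A query for a label starting with "w" under the thread's (non-existent) domain, parses the answer, and reports whether the resolver returned NXDOMAIN or synthesised A records. The two Akamai addresses and the resolver IPs are the ones quoted in the thread; `make_response` fabricates replies for testing only and is an assumption of this example, not captured traffic.

```python
import secrets
import socket
import struct

def build_query(qname, txid=0x1234):
    # Minimal DNS query: header with RD set, one A/IN question, no EDNS.
    wire = b"".join(bytes([len(p)]) + p.encode() for p in qname.split(".")) + b"\x00"
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + wire + struct.pack(">HH", 1, 1)

def _skip_name(msg, off):
    # Advance past a wire-format name; a compression pointer (0xC0..) ends it.
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += msg[off] + 1
    return off + (2 if msg[off] & 0xC0 else 1)

def parse_a_answers(resp):
    # Return (rcode, [IPv4 strings from A records in the answer section]).
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4          # skip QTYPE and QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack_from(">HHIH", resp, off)
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(resp[off + 10:off + 14]))
        off += 10 + rdlen
    return flags & 0xF, ips

def classify(rcode, ips):
    # A name that cannot exist must come back NXDOMAIN (RCODE 3) with no
    # A records; NOERROR plus A records means the resolver synthesised them.
    if rcode == 3 and not ips:
        return "honest-nxdomain"
    return "nxdomain-hijack" if rcode == 0 and ips else "inconclusive"

def make_response(query, rcode, ips):
    # Constructed reply to `query` for offline testing, not captured traffic.
    txid = struct.unpack(">H", query[:2])[0]
    rrs = b"".join(b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + socket.inet_aton(ip) for ip in ips)
    return struct.pack(">HHHHHH", txid, 0x8180 | rcode, 1, len(ips), 0, 0) + query[12:] + rrs

def probe(resolver, qname, timeout=3.0):
    # Live check: send one query over UDP/53 and classify the resolver's answer.
    q = build_query(qname, secrets.randbelow(65536))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver, 53))
        return classify(*parse_a_answers(s.recv(4096)))
```

`probe("4.2.2.2", "w" + secrets.token_hex(4) + ".dummydomaindoesntexist.org")` is the live version of the thread's dig test; run the same name against a resolver such as 64.6.64.6 to confirm it still answers NXDOMAIN.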


More information about the NANOG mailing list