Level(3) DNS Spoofing All Domains

Mike Bolitho mikebolitho at gmail.com
Tue Nov 19 17:49:17 UTC 2019


This was my thought as well. People always get up in arms about how it's
"Public DNS!" but it's really not. It's just well known and used because
it's easy to remember.

- Mike Bolitho


On Tue, Nov 19, 2019 at 9:28 AM Ryan, Spencer <spencer.ryan at netscout.com>
wrote:

> Are you a CL/L3 customer? Those resolvers have only ever been for
> “customers” even though they would resolve for anyone. They started
> injecting NXDOMAIN redirects a while ago for non-customers.
>
> *From:* NANOG <nanog-bounces at nanog.org> *On Behalf Of *Marshall, Quincy
> *Sent:* Monday, November 18, 2019 12:45 PM
> *Subject:* Level(3) DNS Spoofing All Domains
>
> This is mostly informational and may have already hit this group. My
> google-foo failed me if so.
>
> I discovered that the CenturyLink/Level(3) public DNS (4.2.2.2, etc) are
> spoofing all domains. If the hostname begins with a “w” and does not exist
> in the authoritative zone these hosts will return two Akamai hosts.
>
> [root@localhost ~]# dig +short w3.dummydomaindoesntexist.gov @4.2.2.2
> 23.202.231.167
> 23.217.138.108
> [root@localhost ~]# dig +short w3.dummydomaindoesntexist.net @4.2.2.2
> 23.202.231.167
> 23.217.138.108
> [root@localhost ~]# dig +short w3.dummydomaindoesntexist.com @4.2.2.2
> 23.202.231.167
> 23.217.138.108
> [root@localhost ~]# dig +short w3.dummydomaindoesntexist.org @4.2.2.2
> 23.202.231.167
> 23.217.138.108
>
> My apologies if this is old news.
>
> *Lawrence Q. Marshall*

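Added example, not part of the thread and not from any poster: a Python check for the behaviour reported above, where a resolver returns the same A records for "w"-prefixed names that should not exist under unrelated TLDs. The function names, the verdict strings and the random probe-name pattern are assumptions of this example.

```python
import secrets
import socket
import struct

def build_query(name, txid):
    """Encode a recursive A/IN question for name."""
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + labels + b"\x00\x00\x01\x00\x01"

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[off] & 0xC0 != 0xC0:
        if msg[off] == 0:
            return off + 1
        off += 1 + msg[off]
    return off + 2  # compression pointer: two bytes, always ends the name

def parse_response(msg):
    """Return (rcode, sorted A-record addresses) from a raw DNS response."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off, addrs = 12, []
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off + 10:off + 14]))
        off += 10 + rdlen
    return flags & 0x000F, sorted(addrs)

def assess(results):
    """results maps each should-not-exist probe name to (rcode, addrs)."""
    answered = [tuple(a) for rc, a in results.values() if rc == 0 and a]
    if not answered:
        return "clean"  # every probe got NXDOMAIN or an empty answer
    if len(answered) > 1 and len(set(answered)) == 1:
        return "rewritten-same-answer"  # unrelated names, identical addresses
    return "rewritten"

def probe(resolver, tlds=("com", "net", "org"), timeout=3.0):
    """Live check: ask resolver for random w-prefixed names under each TLD."""
    results = {}
    for tld in tlds:
        name = f"w{secrets.token_hex(4)}.{secrets.token_hex(12)}.{tld}"
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(name, secrets.randbits(16)), (resolver, 53))
            results[name] = parse_response(s.recv(4096))
    return results
```

With network access, `assess(probe("4.2.2.2"))` runs the check against the resolver named in the thread; a verdict other than "clean" means the resolver answered for names that should have returned NXDOMAIN.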
