Received: (qmail 28891 invoked from network); 5 Aug 2004 18:45:36 -0000
Received: from outgoing.securityfocus.com (HELO outgoing3.securityfocus.com) (22.214.171.124)
by mail.securityfocus.com with SMTP; 5 Aug 2004 18:45:36 -0000
Received: from lists2.securityfocus.com (lists2.securityfocus.com [126.96.36.199])
by outgoing3.securityfocus.com (Postfix) with QMQP
id 03627236F36; Thu, 5 Aug 2004 12:47:21 -0600 (MDT)
Mailing-List: contact bugtraq-help () securityfocus com; run by ezmlm
List-Post: <mailto:bugtraq () securityfocus com>
List-Help: <mailto:bugtraq-help () securityfocus com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe () securityfocus com>
List-Subscribe: <mailto:bugtraq-subscribe () securityfocus com>
Delivered-To: mailing list bugtraq () securityfocus com
Delivered-To: moderator for bugtraq () securityfocus com
Received: (qmail 28021 invoked from network); 5 Aug 2004 12:14:21 -0000
Date: Thu, 5 Aug 2004 19:22:43 +0100
From: john <john () pond-weed com>
To: bugtraq () securityfocus com
Subject: Re: International DNS compromise?
Message-Id: <20040805192243.7826e6b9.john () pond-weed com>
In-Reply-To: <20040805051101.18767.qmail () web13702 mail yahoo com>
References: <Pine.LNX.4.58.0407232020010.3889 () pluto physik uni-wuerzburg de>
<20040805051101.18767.qmail () web13702 mail yahoo com>
X-Mailer: Sylpheed version 0.8.11claws (GTK+ 1.2.10; i686-pc-linux-gnu)
Content-Type: text/plain; charset=US-ASCII
On Wed, 4 Aug 2004 22:11:01 -0700 (PDT)
Zhen Shi <zhenshi99 () yahoo com> wrote:
Recently I noticed something fishy in the DNS system
between US and China.
First, any IPs, dead or live, in China will respond
to your DNS query for some domains. For example
(screen shot with some clean-up and comments):
server 188.8.131.52 <=== pick a random IP in
Default Server: [184.108.40.206]
Address: 220.127.116.11 <=== you got response!!!!
Second, every time the response is different:
It looks like it all works OK with most domain names. But rfa.org is the
sort of site the Chinese would want to censor. Evidently this is part of
their strategy for doing that.
This has the side-effect that you could discover the list of sites being
censored by systematically comparing DNS replies from a server in China
with those from an uncompromised server.