Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: International DNS compromise?
From: <bill () dit-inc us>
Date: 6 Aug 2004 20:05:09 -0000

In-Reply-To: <20040805192243.7826e6b9.john () pond-weed com>

This is from China's "Great Firewall" sniffering their 54Gbps International traffic. 

I presented some detailes at the HOPE conference in NYC last month. I posted the presentaion here: 
http://www.dit-inc.us/report/hope2004/cover.htm (click on the image to get in)

Regarding this DNS hijacking thing, it is worth mentioning that root DNS server in China may hijack query from 
neighbouring countries as well.

The black list for DNS hijacking is very small. TCP session hijacking list is longer, IP blocking blacklist is the 
longest.

Bill

Received: (qmail 28891 invoked from network); 5 Aug 2004 18:45:36 -0000
Received: from outgoing.securityfocus.com (HELO outgoing3.securityfocus.com) (205.206.231.27)
 by mail.securityfocus.com with SMTP; 5 Aug 2004 18:45:36 -0000
Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
      by outgoing3.securityfocus.com (Postfix) with QMQP
      id 03627236F36; Thu,  5 Aug 2004 12:47:21 -0600 (MDT)
Mailing-List: contact bugtraq-help () securityfocus com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq () securityfocus com>
List-Help: <mailto:bugtraq-help () securityfocus com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe () securityfocus com>
List-Subscribe: <mailto:bugtraq-subscribe () securityfocus com>
Delivered-To: mailing list bugtraq () securityfocus com
Delivered-To: moderator for bugtraq () securityfocus com
Received: (qmail 28021 invoked from network); 5 Aug 2004 12:14:21 -0000
Date: Thu, 5 Aug 2004 19:22:43 +0100
From: john <john () pond-weed com>
To: bugtraq () securityfocus com
Subject: Re: International DNS compromise?
Message-Id: <20040805192243.7826e6b9.john () pond-weed com>
In-Reply-To: <20040805051101.18767.qmail () web13702 mail yahoo com>
References: <Pine.LNX.4.58.0407232020010.3889 () pluto physik uni-wuerzburg de>
      <20040805051101.18767.qmail () web13702 mail yahoo com>
X-Mailer: Sylpheed version 0.8.11claws (GTK+ 1.2.10; i686-pc-linux-gnu)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

On Wed, 4 Aug 2004 22:11:01 -0700 (PDT)
Zhen Shi <zhenshi99 () yahoo com> wrote:

Dear all,
  Recently I noticed something fishy in the DNS system
between US and China. 
  First, any IPs, dead or live, in China will respond
to your DNS query for some domains. For example
(screen shot with some clean-up and comments): 

C:\>nslookup

server 210.77.0.0     <=== pick a random IP     in
China 
Default Server:  [210.77.0.0]
Address:  210.77.0.0

www.rfa.org
Server:  [210.77.0.0]
Address:  210.77.0.0

Non-authoritative answer:
Name:    www.rfa.org
Address:  203.105.1.21  <=== you got response!!!!

  Second, every time the response is different: 

www.rfa.org
Server:  [210.77.0.0]
Address:  210.77.0.0

Non-authoritative answer:
Name:    www.rfa.org
Address:  64.66.163.251

<snip>

It looks like it all works OK with most domain names. But rfa.org is the
sort of site the Chinese would want to censor. Evidently this is part of
their strategy for doing that.

This has the side-effect that you could discover the list of sites being
censored by systematically comparing DNS replies from a server in China
with those from an uncompromised server.

John



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]