nanog mailing list archives

Re: Need help in flushing DNS
From: Glen Kent <glen.kent () gmail com>
Date: Sat, 22 Jun 2013 05:52:11 +0530


Do we know which DNS server started leaking the poisoned entry?

Being new to this, I still don't understand how a hacker could gain access
to the DNS server and corrupt the entry there? Wouldn't it require special
admin rights, etc. to log in?


On Thu, Jun 20, 2013 at 11:32 AM, Paul Ferguson <fergdawgster () gmail com> wrote:

Hanlon's razor? Misconfiguration. Perhaps not done in malice, but I
have no idea where the poison leaked in, or why. :-)

- ferg

On Wed, Jun 19, 2013 at 10:49 PM, Alex Buie <alex.buie () frozenfeline net> wrote:

Anyone have news/explanation about what's happening/happened?

On Wed, Jun 19, 2013 at 10:34 PM, Paul Ferguson <fergdawgster () gmail com> wrote:

Sure enough:

 ; <<>> DiG 9.7.3 <<>> @localhost yelp.com A
 ; (1 server found)
 ;; global options: +cmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53267
 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

 ;yelp.com. IN A

 yelp.com. 300 IN A

 ;; Query time: 143 msec
 ;; WHEN: Thu Jun 20 07:33:13 2013
 ;; MSG SIZE  rcvd: 42

NetRange: -
OriginAS: AS40034
NetHandle: NET-204-11-56-0-1
Parent: NET-204-0-0-0-0
NetType: Direct Allocation
Comment: Hosted in Austin TX.
Comment: Abuse :
Comment: abuse () confluence-networks com
Comment: +1-917-386-6118
RegDate: 2012-09-24
Updated: 2012-09-24
Ref: http://whois.arin.net/rest/net/NET-204-11-56-0-1

OrgName: Confluence Networks Inc
OrgId: CN
Address: 3rd Floor, Omar Hodge Building, Wickhams
Address: Cay I, P.O. Box 362
City: Road Town
StateProv: Tortola
PostalCode: VG1110
Country: VG
RegDate: 2011-04-07
Updated: 2011-07-05
Ref: http://whois.arin.net/rest/org/CN

OrgAbuseHandle: ABUSE3065-ARIN
OrgAbuseName: Abuse Admin
OrgAbusePhone: +1-917-386-6118
OrgAbuseEmail: abuse () confluence-networks com
OrgAbuseRef: http://whois.arin.net/rest/poc/ABUSE3065-ARIN

OrgNOCName: NOC Admin
OrgNOCPhone: +1-415-462-7734
OrgNOCEmail: noc () confluence-networks com
OrgNOCRef: http://whois.arin.net/rest/poc/NOCAD51-ARIN

OrgTechHandle: TECHA29-ARIN
OrgTechName: Tech Admin
OrgTechPhone: +1-415-358-0858
OrgTechEmail: ipadmin () confluence-networks com
OrgTechRef: http://whois.arin.net/rest/poc/TECHA29-ARIN

# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html

- ferg

On Wed, Jun 19, 2013 at 10:30 PM, Grant Ridder <shortdudey123 () gmail com> wrote:


Yelp is evidently also affected

On Wed, Jun 19, 2013 at 10:19 PM, John Levine <johnl () iecc com> wrote:

Reaching out to DNS operators around the globe. Linkedin.com has had
issues with DNS
and would like DNS operators to flush their DNS. If you see
www.linkedin.com resolving NS to
ns1617.ztomy.com or ns2617.ztomy.com then please flush your DNS.

Any other info please reach out to me off-list.

While you're at it, www.usps.com, www.fidelity.com, and other well
known sites have had DNS poisoning problems.  When I restarted my
cache, they look OK.

"Fergie", a.k.a. Paul Ferguson
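The check relayed in the thread (look for NS answers pointing at ns1617.ztomy.com or ns2617.ztomy.com before deciding to flush) as an added example, not code from any poster: it parses dig-style answer lines offline, flags delegations that hit the watch list, and also generalises to an operator-supplied expected-NS allowlist. The sample dig output and the expected_ns values are constructed, not taken from the thread.

```python
import re
from collections import defaultdict

# Nameservers the thread names as the sign of a hijacked delegation.
SUSPECT_NS = {"ns1617.ztomy.com.", "ns2617.ztomy.com."}

# One dig answer-section line: owner TTL class type rdata.
ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(\S+)\s*$")

def parse_answers(dig_output):
    """Return (owner, ttl, rtype, rdata) tuples from dig output.

    ';' comment lines and incomplete answers (rdata missing, like the
    yelp.com A line quoted in the thread) are skipped, not guessed at.
    """
    records = []
    for line in dig_output.splitlines():
        m = ANSWER_RE.match(line.strip())
        if m and not line.lstrip().startswith(";"):
            owner, ttl, rtype, rdata = m.groups()
            records.append((owner.lower(), int(ttl), rtype, rdata.lower()))
    return records

def find_suspect_ns(dig_output, suspect_ns=SUSPECT_NS):
    """Map each owner name to the suspect NS targets seen in its answers."""
    hits = defaultdict(list)
    for owner, _ttl, rtype, rdata in parse_answers(dig_output):
        if rtype == "NS" and rdata in suspect_ns:
            hits[owner].append(rdata)
    return dict(hits)

def find_unexpected_ns(dig_output, expected_ns):
    """Generalisation: report NS targets not on the operator's allowlist.

    expected_ns maps an owner to the set of NS names it should have
    (hypothetical values in SAMPLE below; use the zone owner's real ones).
    """
    unexpected = defaultdict(list)
    for owner, _ttl, rtype, rdata in parse_answers(dig_output):
        if rtype == "NS" and rdata not in expected_ns.get(owner, set()):
            unexpected[owner].append(rdata)
    return dict(unexpected)

# Constructed sample in the shape of the dig output quoted in the thread.
SAMPLE = """\
; <<>> DiG 9.7.3 <<>> @localhost linkedin.com NS
;; ANSWER SECTION:
linkedin.com.     300  IN  NS  ns1617.ztomy.com.
linkedin.com.     300  IN  NS  ns2617.ztomy.com.
example.net.      3600 IN  NS  ns1.example.net.
yelp.com.         300  IN  A
"""
```

Feed it the output of `dig @<your resolver> <name> NS` for each name you care about; a non-empty result is the cue to flush that resolver's cache and re-query the authoritative servers.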