nanog mailing list archives

Re: Level(3) DNS Spoofing All Domains


From: Pierre Emeriaud <petrus.lt () gmail com>
Date: Tue, 19 Nov 2019 16:50:33 +0100

On Tue, 19 Nov 2019 at 16:36, Marshall, Quincy
<Quincy.Marshall () reged com> wrote:

I discovered that the CenturyLink/Level(3) public DNS (4.2.2.2, etc.) are spoofing all domains. If the hostname begins
with a “w” and does not exist in the authoritative zone, these hosts will return two Akamai hosts.

[root@localhost ~]# dig +short w3.dummydomaindoesntexist.gov @4.2.2.2
23.202.231.167
23.217.138.108

It depends on the server you're hitting:

From AS3215 (.fr)
$ dig +short w3.dummydomaindoesntexist.org @4.2.2.2
23.217.138.108
23.202.231.167

$ dig +short caseraitvraimentconquilexiste.org @4.2.2.2
23.217.138.108
23.202.231.167

$ dig +short hostname.bind txt ch @4.2.2.2
"pubntp1.lon1.Level3.net"


From AS16276 (.ca):
$ dig w3.dummydomaindoesntexist.org @4.2.2.2
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 34998
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

$ dig +short hostname.bind txt ch @4.2.2.2
"cns4.nyc1.Level3.net"
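
A resolver check built from the test the thread uses, added here as an example (it is not code from the thread, from Level(3) or from Akamai): it sends a raw DNS query for a name that cannot exist and reports whether the reply is NXDOMAIN, SERVFAIL, or a synthesized answer (NOERROR with A records). The sample reply bytes are constructed for offline use, not captured traffic, and only the two IPs from the thread are taken from the page.

```python
import os, socket, struct

def build_query(qname, qtype=1, qclass=1, txid=0x1234):
    """Minimal DNS query with RD set; qtype 1 = A, qclass 1 = IN."""
    labels = b"".join(bytes([len(lab)]) + lab.encode() for lab in qname.rstrip(".").split("."))
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", qtype, qclass)

def _skip_name(msg, off):  # offset just past a (possibly compressed) name
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:  # compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_response(msg):
    """Return (rcode, [A-record IPs]) from a DNS response message."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, ips = 12, []
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip qtype/qclass
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return flags & 0x000F, ips

def classify(rcode, ips):
    """NXDOMAIN (3) is the honest answer for a name that does not exist; NOERROR (0)
    with A records means the resolver synthesized an answer, as in the thread."""
    if rcode == 0 and ips:
        return "synthesized"
    return {3: "nxdomain", 2: "servfail"}.get(rcode, "other")

def probe(resolver, qname, timeout=3.0):
    """Send the query over UDP and classify the reply (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname), (resolver, 53))
        return classify(*parse_response(s.recvfrom(4096)[0]))

# Constructed sample reply (not captured traffic): NOERROR with the two A records
# the thread shows, so parse_response/classify can be exercised offline.
_q = build_query("w3.dummydomaindoesntexist.org")
SAMPLE_SYNTHESIZED = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0) + _q[12:] + b"".join(
    b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 20, 4) + bytes(int(o) for o in ip.split("."))
    for ip in ("23.217.138.108", "23.202.231.167"))
```

To repeat the thread's test live, call `probe("4.2.2.2", "w" + os.urandom(6).hex() + ".dummydomaindoesntexist.org")`; a random label avoids a cached answer from an earlier query.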

