Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!


Level 3 Public DNS (4.2.2.x) now hijacks NXDOMAIN results
New on LowEndTalk? Please Register and read our Community Rules.

All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.

Level 3 Public DNS (4.2.2.x) now hijacks NXDOMAIN results

rm_rm_ IPv6 Advocate, Veteran
edited April 2016 in General

Stumbled upon this randomly:

# host sdfjnbsdifndsigubsdigbdfiugbdiubgdifugbdiofgbodinfidnofgindf.com 4.2.2.3
Using domain server:
Name: 4.2.2.3
Address: 4.2.2.3#53
Aliases: 

sdfjnbsdifndsigubsdigbdfiugbdiubgdifugbdiofgbodinfidnofgindf.com has address 104.239.213.7
sdfjnbsdifndsigubsdigbdfiugbdiubgdifugbdiofgbodinfidnofgindf.com has address 198.105.254.11
Host sdfjnbsdifndsigubsdigbdfiugbdiubgdifugbdiofgbodinfidnofgindf.com not found: 3(NXDOMAIN)

They now reply with this set of IPs to any query that would return a "nonexistent domain" result. One IP is at Rackspace, and the other is from "searchguideinc.com".

And just the other day I was reading https://www.grc.com/dns/alternatives.htm, which praised them with "Level3 has never played any games with DNS, and it's impossible to imagine that they ever would" -- so much for that.

Time to migrate (if anyone used them) to some other NSes from the list on that page, or better yet, consider running your own, it's quite simple with Unbound.

Comments

  • sdfjnbsdifndsigubsdigbdfiugbdiubgdifugbdiofgbodinfidnofgindf.com is available!

    $7

  • FranciscoFrancisco Top Host, Host Rep, Veteran

    Not this again.

    Francisco

    Thanked by 3dedicados GCat lbft
  • cassacassa Member
    edited April 2016

    I've fixed it for you, no problem!

    Thanked by 3rm_ GCat Tom
  • Haven't they done this for some time now?

  • cassacassa Member

    @dedicados said:
    sdfjnbsdifndsigubsdigbdfiugbdiubgdifugbdiofgbodinfidnofgindf.com is available!

    $7

    Are you sure?

  • #:~$ dig @4.2.2.3 asdadsadsadsadaskkkkkkkkkkgg.com
    
    ; <<>> DiG 9.9.5-9-Ubuntu <<>> @4.2.2.3 asdadsadsadsadaskkkkkkkkkkgg.com
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 13653
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
    
    ;; QUESTION SECTION:
    ;asdadsadsadsadaskkkkkkkkkkgg.com. IN   A
    
    ;; AUTHORITY SECTION:
    com.            900 IN  SOA a.gtld-servers.net. nstld.verisign-grs.com. 1461326389 1800 900 604800 86400
    
    ;; Query time: 52 msec
    ;; SERVER: 4.2.2.3#53(4.2.2.3)
    ;; WHEN: Fri Apr 22 13:00:27 BST 2016
    ;; MSG SIZE  rcvd: 126
    
  • rm_rm_ IPv6 Advocate, Veteran
    edited April 2016

    @ricardo and try 4.2.2.2 or 4.2.2.4:

    $ dig @4.2.2.4 asdadsadsadsadaskkkkkkkkkkgg.com

    ; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> @4.2.2.4 asdadsadsadsadaskkkkkkkkkkgg.com

    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15932
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:

    ;asdadsadsadsadaskkkkkkkkkkgg.com. IN A

    ;; ANSWER SECTION:

    asdadsadsadsadaskkkkkkkkkkgg.com. 10 IN A 198.105.254.11
    asdadsadsadsadaskkkkkkkkkkgg.com. 10 IN A 198.105.244.11

    ;; Query time: 168 msec

    ;; SERVER: 4.2.2.4#53(4.2.2.4)
    ;; WHEN: Fri Apr 22 17:04:55 YEKT 2016
    ;; MSG SIZE rcvd: 82

    .

    linuxthefish said: Haven't they done this for some time now?

    Maybe, and perhaps that article is outdated, but I also thought it's unlikely they would (ever) do that.

  • ricardoricardo Member
    edited April 2016

    NXDOMAIN for all 3 IPs. Maybe a geo-specific thing happening? I'm in the UK

  • NyrNyr Community Contributor, Veteran

    They have experimented with this and done it for years now. They started hijacking all queries, then they stopped and now they hijack based on the geographic location of the client. That's why @ricardo doesn't get hijacked but @rm_ does.

    I maintain a list of open anycast recursors which don't suck. I only know about four different ones at the moment:
    https://wiki.nyr.es/dns_publicos

    We discussed this some weeks ago:
    https://www.lowendtalk.com/discussion/comment/1640641/#Comment_1640641

    Thanked by 1netomx
  • rm_rm_ IPv6 Advocate, Veteran

    ricardo said: Maybe a geo-specific thing happening? I'm in the UK

    I'm seeing hijacking from all locations I have access to, i.e. Japan, France and Russia.

  • NyrNyr Community Contributor, Veteran

    rm_ said: I'm seeing hijacking from all locations I have access to, i.e. Japan, France and Russia.

    You are right, I can confirm. Looks like it's happening "nearly everywhere" now. Anyway they have changed this many times already and they clearly want some money from it.

  • rm_ said: I'm seeing hijacking from all locations I have access to, i.e. Japan, France and Russia.

    I tried from France too (OVH) and got NXDOMAIN. I do have a bunch of other locations to try from. Maybe not geo-specific but subnet.

  • blackblack Member
    edited April 2016

    I'm not getting that from my VM in Dallas (CC network).

    host sdfjnbsdifndsigubsdigbdfiugbdiubgdifugbdiofgbodinfidnofgindf.com 4.2.2.3
    Using domain server:
    Name: 4.2.2.3
    Address: 4.2.2.3#53
    Aliases: 
    
    Host sdfjnbsdifndsigubsdigbdfiugbdiubgdifugbdiofgbodinfidnofgindf.com not found: 2(SERVFAIL)
    
  • JabJabJabJab Member
    edited April 2016

    ricardo said: I tried from France too (OVH) and got NXDOMAIN.

    Mine OVH VPS with geo-ip to France.

    :~$ dig @4.2.2.3 asdadsadsadsadaskkkkkkkkkkgg.com +short 198.105.254.11 198.105.244.11

  • rm_rm_ IPv6 Advocate, Veteran

    black said: I'm not getting that from my VM in Dallas (CC network).

    Slowly claps @cassa

    Thanked by 1cassa
  • NihimNihim Member

    if anyone feels bored enough - cause I just woke up & am - wants to explain what exactly that means & why is it bad?

    cheerio

  • ricardoricardo Member
    edited April 2016

    Nihim said: if anyone feels bored enough - cause I just woke up & am - wants to explain what exactly that means & why is it bad?

    One of the functions of a DNS server is to translate a domain name into an IP address that applications need to connect to an Internet resource such as a website. This functionality is defined in various formal internet standards that define the protocol in considerable detail. DNS servers are implicitly trusted by internet-facing computers and users to correctly resolve names to the actual addresses that are registered by the owners of an internet domain.

    https://en.wikipedia.org/wiki/DNS_hijacking

    For the most part it's not a big deal. The rest of the article explains the motives. If I had a list of domains and wanted to see which ones have expired, then it's important that NXDOMAIN is returned. It's generally considered bad form to tamper with the 'correct' response.

    Thanked by 1Nihim
  • NihimNihim Member

    Ah thank you very much, I think I remember now I was quite annoyed some years ago when I used opendns and when I misstyped the domain I would get some opendns page, which is the case of the above.

  • lifehomelifehome Member
    edited April 2016

    Nyr said: We discussed this some weeks ago:

    You mentioned here about Google DNS has some issues over the year, may I know more details on this? My infra is relying on Google DNS and we are hoping nothing disruptive will happen soon D:

  • NyrNyr Community Contributor, Veteran

    @lifehome said:

    Nyr said: We discussed this some weeks ago:

    You mentioned here about Google DNS has some issues over the year, may I know more details on this? My infra is relying on Google DNS and we are hoping nothing disruptive will happen soon D:

    You can read the linked OP to learn about one of the issues. They've also had some downtime in my country as the result of not using different routing for each NS and they have also banned some networks (I guess as the result of "excessive" usage from some of the customers.

    I'd suggest you to use both Google and other, alternative NS. NTT or HE are good contenders for example. And if you are doing a big volume of queries, consider running your own.

    Thanked by 1lifehome
  • gestiondbigestiondbi Member, Patron Provider

    From Montreal:

    host sdfjnbsdifndsigubsdigbdfiugbdiubgdifugbdiofgbodinfidnofgindf.com 4.2.2.3
    Using domain server:
    Name: 4.2.2.3
    Address: 4.2.2.3#53
    Aliases: 
    
    sdfjnbsdifndsigubsdigbdfiugbdiubgdifugbdiofgbodinfidnofgindf.com has address 198.105.254.11
    sdfjnbsdifndsigubsdigbdfiugbdiubgdifugbdiofgbodinfidnofgindf.com has address 104.239.213.7
    Host sdfjnbsdifndsigubsdigbdfiugbdiubgdifugbdiofgbodinfidnofgindf.com not found: 3(NXDOMAIN)
    
    host sdfjnbsdifndsigubsdigbdfiugbdiubgdifugbdiofgbodinfidnofgindf.com 8.8.8.8
    Using domain server:
    Name: 8.8.8.8
    Address: 8.8.8.8#53
    Aliases: 
    
    Host sdfjnbsdifndsigubsdigbdfiugbdiubgdifugbdiofgbodinfidnofgindf.com not found: 3(NXDOMAIN)
    

    I do not remember L3 not doing it here.

  • tr1ckytr1cky Member
    edited April 2016

    Sadly my ISP has their own Google cache servers that they force you to use when using their DNS and they are regularely overloaded.
    Otherwise my IPSs DNS would be fine.

  • rm_rm_ IPv6 Advocate, Veteran

    tr1cky said: Sadly my ISP has their own Google cache servers that they force you to use when using their DNS

    You could set up a VPN (such as Tinc) to your servers, then install Unbound on those, and use them through the VPN as resolvers for home machines. That's what I do to evade faked (for censorship) DNS replies from my ISP.

  • SetsuraSetsura Member
    edited April 2016

    @linuxthefish said:
    Haven't they done this for some time now?

    This. They've been doing it for well over a year now. If you are just now noticing this then maybe it isn't such a problem for you? Anyway if you care and want a somewhat decent alternative from not-google Verisign runs a public DNS service as well since a few months ago https://www.verisign.com/en_US/innovation/public-dns/index.xhtml.

  • letboxletbox Member, Patron Provider

    Oh Dam!

  • TomTom Member
    edited April 2016
    [kappa ~] dig @4.2.2.4 eghiuvughtvgitrhuytghtirgiuhtu456yu.com
    
    ; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> @4.2.2.4 eghiuvughtvgitrhuytghtirgiuhtu456yu.com
    ;; QUESTION SECTION:
    ;eghiuvughtvgitrhuytghtirgiuhtu456yu.com. IN A
    
    ;; ANSWER SECTION:
    eghiuvughtvgitrhuytghtirgiuhtu456yu.com. 10 IN A 198.105.254.11
    eghiuvughtvgitrhuytghtirgiuhtu456yu.com. 10 IN A 198.105.244.11
    
Sign In or Register to comment.