Level 3 Public DNS (4.2.2.x) now hijacks NXDOMAIN results
Stumbled upon this randomly:
# host sdfjnbsdifndsigubsdigbdfiugbdiubgdifugbdiofgbodinfidnofgindf.com 4.2.2.3
Using domain server:
Name: 4.2.2.3
Address: 4.2.2.3#53
Aliases:

sdfjnbsdifndsigubsdigbdfiugbdiubgdifugbdiofgbodinfidnofgindf.com has address 104.239.213.7
sdfjnbsdifndsigubsdigbdfiugbdiubgdifugbdiofgbodinfidnofgindf.com has address 198.105.254.11
Host sdfjnbsdifndsigubsdigbdfiugbdiubgdifugbdiofgbodinfidnofgindf.com not found: 3(NXDOMAIN)
They now reply with this set of IPs to any query that would return a "nonexistent domain" result. One IP is at Rackspace, and the other is from "searchguideinc.com".
And just the other day I was reading https://www.grc.com/dns/alternatives.htm, which praised them with "Level3 has never played any games with DNS, and it's impossible to imagine that they ever would" -- so much for that.
Time to migrate (if anyone used them) to some other NSes from the list on that page, or better yet, consider running your own; it's quite simple with Unbound.
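The test the OP ran by hand (query a label that cannot exist and see whether the resolver answers NXDOMAIN or hands back A records) can be scripted. The block below is an added example, not code from the thread or from Level 3: it builds a raw DNS A query for a random label, sends it to a resolver of your choice, and classifies the reply as clean (rcode 3, NXDOMAIN), hijacked (rcode 0 with A records for a name that should not resolve) or unexpected. The `build_response` helper only exists to construct sample replies offline; the resolver address, the label length and the 3-second timeout are assumptions, not something the thread specifies.

```python
import random
import socket
import struct
import sys

# Added example: detect NXDOMAIN rewriting by a recursive resolver.
# Nothing here is Level 3 code or the forum poster's script.

RCODE_NOERROR = 0
RCODE_NXDOMAIN = 3


def random_label(n=24):
    """Random lowercase label; a 24-letter .com is practically guaranteed unregistered."""
    return "".join(random.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(n))


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels plus the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qid):
    """Minimal DNS query: id, flags=RD only, 1 question (A, IN)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(name, rcode, ips, qid):
    """Constructed reply for offline testing: echoes the question and adds one A
    record per IP, each owner name a compression pointer (0xC00C) to the qname."""
    flags = 0x8180 | rcode  # QR, RD, RA set, rcode in the low nibble
    msg = struct.pack("!HHHHHH", qid, flags, 1, len(ips), 0, 0)
    msg += encode_name(name) + struct.pack("!HH", 1, 1)
    for ip in ips:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 10, 4) + socket.inet_aton(ip)
    return msg


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name at `off`."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:   # compression pointer: two bytes, name ends here
            return off + 2
        off += 1 + ln


def parse_response(msg):
    """Return (rcode, list of A-record IPs) from a raw DNS response."""
    _qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x0F
    off = 12
    for _ in range(qd):                       # skip question section
        off = _skip_name(msg, off) + 4        # + QTYPE + QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return rcode, ips


def classify(rcode, ips):
    """A random label must yield NXDOMAIN; NOERROR with A records means rewriting."""
    if rcode == RCODE_NXDOMAIN:
        return "clean"
    if rcode == RCODE_NOERROR and ips:
        return "hijacked"
    return "unexpected"


def check_resolver(server, name=None, timeout=3.0):
    """Live check (needs network): query `server` for a random .com label."""
    name = name or random_label() + ".com"
    qid = random.randrange(65536)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, qid), (server, 53))
        data, _ = sock.recvfrom(4096)
    finally:
        sock.close()
    if struct.unpack("!H", data[:2])[0] != qid:
        raise ValueError("transaction id mismatch; reply is not for our query")
    rcode, ips = parse_response(data)
    return name, classify(rcode, ips), ips


if __name__ == "__main__":
    # Usage: python3 nxcheck.py 4.2.2.3   (resolver address is your choice)
    print(check_resolver(sys.argv[1] if len(sys.argv) > 1 else "4.2.2.3"))
```

Run it against several resolvers from different vantage points: as the thread shows, the same resolver can answer NXDOMAIN from one network and hand back search-guide addresses from another, so one clean result from one location proves little.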
Comments
sdfjnbsdifndsigubsdigbdfiugbdiubgdifugbdiofgbodinfidnofgindf.com is available!
$7
Not this again.
Francisco
I've fixed it for you, no problem!
Haven't they done this for some time now?
Are you sure?
@ricardo and try 4.2.2.2 or 4.2.2.4:
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15932
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;asdadsadsadsadaskkkkkkkkkkgg.com. IN A
asdadsadsadsadaskkkkkkkkkkgg.com. 10 IN A 198.105.254.11
asdadsadsadsadaskkkkkkkkkkgg.com. 10 IN A 198.105.244.11
;; SERVER: 4.2.2.4#53(4.2.2.4)
;; WHEN: Fri Apr 22 17:04:55 YEKT 2016
;; MSG SIZE rcvd: 82
Maybe, and perhaps that article is outdated, but I also thought it's unlikely they would (ever) do that.
NXDOMAIN for all 3 IPs. Maybe a geo-specific thing happening? I'm in the UK.
They have experimented with this and done it for years now. They started hijacking all queries, then they stopped and now they hijack based on the geographic location of the client. That's why @ricardo doesn't get hijacked but @rm_ does.
I maintain a list of open anycast recursors which don't suck. I only know about four different ones at the moment:
https://wiki.nyr.es/dns_publicos
We discussed this some weeks ago:
https://www.lowendtalk.com/discussion/comment/1640641/#Comment_1640641
I'm seeing hijacking from all locations I have access to, i.e. Japan, France and Russia.
You are right, I can confirm. Looks like it's happening "nearly everywhere" now. Anyway they have changed this many times already and they clearly want some money from it.
I tried from France too (OVH) and got NXDOMAIN. I do have a bunch of other locations to try from. Maybe not geo-specific but subnet.
I'm not getting that from my VM in Dallas (CC network).
My OVH VPS with geo-IP in France:
:~$ dig @4.2.2.3 asdadsadsadsadaskkkkkkkkkkgg.com +short
198.105.254.11
198.105.244.11
Slowly claps @cassa
If anyone feels bored enough (because I just woke up and am) and wants to explain: what exactly does that mean, and why is it bad?
cheerio
https://en.wikipedia.org/wiki/DNS_hijacking
For the most part it's not a big deal. The rest of the article explains the motives. If I had a list of domains and wanted to see which ones have expired, then it's important that NXDOMAIN is returned. It's generally considered bad form to tamper with the 'correct' response.
Ah, thank you very much. I think I remember now: I was quite annoyed some years ago when I used OpenDNS, and when I mistyped a domain I would get some OpenDNS page, which is the case above.
You mentioned here that Google DNS has had some issues over the years; may I know more details on this? My infra is relying on Google DNS and we are hoping nothing disruptive will happen soon.
You can read the linked OP to learn about one of the issues. They've also had some downtime in my country as the result of not using different routing for each NS, and they have also banned some networks (I guess as the result of "excessive" usage from some of the customers).
I'd suggest you use both Google and another, alternative NS. NTT or HE are good contenders, for example. And if you are doing a big volume of queries, consider running your own.
From Montreal:
I do not remember L3 not doing it here.
Sadly my ISP has their own Google cache servers that they force you to use when using their DNS, and they are regularly overloaded.
Otherwise my ISP's DNS would be fine.
You could set up a VPN (such as Tinc) to your servers, then install Unbound on those, and use them through the VPN as resolvers for home machines. That's what I do to evade faked (for censorship) DNS replies from my ISP.
This. They've been doing it for well over a year now. If you are just now noticing this, then maybe it isn't such a problem for you? Anyway, if you care and want a somewhat decent alternative that isn't Google, Verisign has also run a public DNS service for a few months now: https://www.verisign.com/en_US/innovation/public-dns/index.xhtml.
Oh damn!