[nsp-sec] GoDaddy DNS server "hijacking" .com ?
Johannes B. Ullrich
jullrich at sans.org
Wed Oct 8 10:48:55 EDT 2008
One of our readers had issues resolving www.checkpoint.com, and we narrowed it down to ns51.domaincontrol.com and ns52.domaincontrol.com pretending to be '.com'. I am not sure if this is just by accident (the redirect sites just deliver the default GoDaddy parked page).
Is anybody from GoDaddy here to take a look? I am still trying to get more details to figure out why this user's DNS server accepted the additional authority records.
dig www.yahoo.com @ns52.domaincontrol.com
; <<>> DiG 9.4.2-P1 <<>> www.yahoo.com @ns52.domaincontrol.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6236
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;www.yahoo.com. IN A
;; ANSWER SECTION:
www.yahoo.com. 3600 IN A 68.178.232.99
;; AUTHORITY SECTION:
com. 3600 IN NS ns51.domaincontrol.com.
com. 3600 IN NS ns52.domaincontrol.com.
;; Query time: 51 msec
;; SERVER: 208.109.255.26#53(208.109.255.26)
;; WHEN: Wed Oct 8 10:37:44 2008
;; MSG SIZE rcvd: 99
Network Security 2008 - Las Vegas, NV, Sept.28-Oct 6;
http://www.sans.org/info/30123
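
Added example, not part of the original post: a bailiwick check over the dig response quoted in the message, flagging records whose owner name lies outside the zone the server was consulted for. The zone passed in (`yahoo.com.`) and all function names are assumptions for illustration; the record lines are copied from the output above.

```python
import re

# Section lines copied from the dig output in the message above.
DIG_OUTPUT = """\
;; QUESTION SECTION:
;www.yahoo.com. IN A
;; ANSWER SECTION:
www.yahoo.com. 3600 IN A 68.178.232.99
;; AUTHORITY SECTION:
com. 3600 IN NS ns51.domaincontrol.com.
com. 3600 IN NS ns52.domaincontrol.com.
;; Query time: 51 msec
"""

RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")

def parse_sections(text):
    """Return {section: [(owner, ttl, rtype, rdata), ...]} from dig output."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        header = re.match(r"^;; (\w+) SECTION:$", line)
        if header:
            current = header.group(1)
            sections[current] = []
        elif line.startswith(";;"):
            current = None              # trailer such as ";; Query time"
        elif current and not line.startswith(";"):
            m = RR.match(line)
            if m:
                sections[current].append(m.groups())
    return sections

def in_bailiwick(name, zone):
    """True if name equals zone or is a subdomain of it (label-aligned)."""
    name, zone = name.lower().strip("."), zone.lower().strip(".")
    return zone == "" or name == zone or name.endswith("." + zone)

def out_of_bailiwick(text, zone):
    """Records a resolver should discard when the server was consulted
    for `zone` (assumed value: the delegation that led to this server)."""
    flagged = []
    for section in ("ANSWER", "AUTHORITY", "ADDITIONAL"):
        for rr in parse_sections(text).get(section, []):
            if not in_bailiwick(rr[0], zone):
                flagged.append((section, rr))
    return flagged

if __name__ == "__main__":
    for section, rr in out_of_bailiwick(DIG_OUTPUT, "yahoo.com."):
        print("discard", section, " ".join(rr))
```

Even if the server had been a legitimate delegation target for the queried name, the two `com.` NS records sit above that delegation and are the ones flagged.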