[nsp-sec] GoDaddy DNS server "hijacking" .com ?

Huopio Kauto Kauto.Huopio at ficora.fi
Wed Oct 8 10:57:09 EDT 2008


It is not just .com, also .org.

dig @ns51.domaincontrol.com www.yahoo.org

; <<>> DiG 9.3.4 <<>> @ns51.domaincontrol.com www.yahoo.org
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1548
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;www.yahoo.org.                 IN      A

;; ANSWER SECTION:
www.yahoo.org.          3600    IN      A       68.178.232.99

;; AUTHORITY SECTION:
org.                    3600    IN      NS      ns51.domaincontrol.com.
org.                    3600    IN      NS      ns52.domaincontrol.com.

;; Query time: 129 msec
;; SERVER: 216.69.185.26#53(216.69.185.26)
;; WHEN: Wed Oct  8 17:55:53 2008
;; MSG SIZE  rcvd: 102

--Kauto
CERT-FI 

-----Original Message-----
From: nsp-security-bounces at puck.nether.net
[mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Johannes B.
Ullrich
Sent: 8 October 2008 17:49
To: nsp-security NSP
Subject: [nsp-sec] GoDaddy DNS server "hijacking" .com ?

----------- nsp-security Confidential --------


One of our readers had issues resolving www.checkpoint.com, and we
narrowed it down to ns51.domaincontrol.com and ns52.domaincontrol.com
pretending to be '.com'. I am not sure if this is just by accident (the
redirect sites just deliver the default GoDaddy parked page).

Is anybody from GoDaddy here to take a look? I am still trying to get
more details to figure out why this user's DNS server accepted the
additional authority records.


dig www.yahoo.com @ns52.domaincontrol.com    

; <<>> DiG 9.4.2-P1 <<>> www.yahoo.com @ns52.domaincontrol.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6236
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;www.yahoo.com.			IN	A

;; ANSWER SECTION:
www.yahoo.com.		3600	IN	A	68.178.232.99

;; AUTHORITY SECTION:
com.			3600	IN	NS	ns51.domaincontrol.com.
com.			3600	IN	NS	ns52.domaincontrol.com.

;; Query time: 51 msec
;; SERVER: 208.109.255.26#53(208.109.255.26)
;; WHEN: Wed Oct  8 10:37:44 2008
;; MSG SIZE  rcvd: 99





_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security

Please do not Forward, CC, or BCC this E-mail outside of the
nsp-security
community. Confidentiality is essential for effective Internet security
counter-measures.
_______________________________________________
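
Whether a resolver accepts the `com.` authority records shown in the dig output above comes down to a bailiwick check. The following Python is an added example, not part of either post: it parses the AUTHORITY section of the second dig answer and flags NS records whose owner name lies outside the zone the queried server was delegated for. The delegated zone `example.com` is an assumed placeholder, since the thread does not say which zone led the resolver to these servers.

```python
# Added example: bailiwick check on the AUTHORITY section of a dig answer.
# SAMPLE is copied from the dig output in the thread (whitespace normalised);
# the delegated zone passed to the check is a hypothetical placeholder.
SAMPLE = """\
;; ANSWER SECTION:
www.yahoo.com.    3600  IN  A   68.178.232.99

;; AUTHORITY SECTION:
com.              3600  IN  NS  ns51.domaincontrol.com.
com.              3600  IN  NS  ns52.domaincontrol.com.

;; Query time: 51 msec
"""

def labels(name):
    """Lower-cased labels of a domain name; the root is an empty list."""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def in_bailiwick(owner, zone):
    """True if owner is the zone apex or a descendant of it (label-wise)."""
    o, z = labels(owner), labels(zone)
    return len(o) >= len(z) and o[len(o) - len(z):] == z

def parse_section(dig_text, section):
    """Return (owner, ttl, rtype, rdata) tuples from one dig section."""
    records, active = [], False
    for line in dig_text.splitlines():
        if line.startswith(";;"):
            # Any ';;' line ends the current section; only ours starts one.
            active = line.strip() == f";; {section} SECTION:"
            continue
        f = line.split()
        if active and len(f) >= 5 and f[2] == "IN":
            records.append((f[0], int(f[1]), f[3], " ".join(f[4:])))
    return records

def out_of_bailiwick_ns(dig_text, delegated_zone):
    """NS records in AUTHORITY whose owner is outside the zone the queried
    server was delegated for; a resolver should discard these."""
    return [r for r in parse_section(dig_text, "AUTHORITY")
            if r[2] == "NS" and not in_bailiwick(r[0], delegated_zone)]

if __name__ == "__main__":
    for owner, ttl, rtype, rdata in out_of_bailiwick_ns(SAMPLE, "example.com"):
        print(f"discard: {owner} {rtype} {rdata} (outside example.com)")
```
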
