<<< Date Index >>>     <<< Thread Index >>>

Re: International DNS compromise?



In-Reply-To: <20040805192243.7826e6b9.john@xxxxxxxxxxxxx>

This is from China's "Great Firewall" sniffering their 54Gbps International 
traffic. 

I presented some detailes at the HOPE conference in NYC last month. I posted 
the presentaion here: http://www.dit-inc.us/report/hope2004/cover.htm (click on 
the image to get in)

Regarding this DNS hijacking thing, it is worth mentioning that root DNS server 
in China may hijack query from neighbouring countries as well.

The black list for DNS hijacking is very small. TCP session hijacking list is 
longer, IP blocking blacklist is the longest.

Bill

>Received: (qmail 28891 invoked from network); 5 Aug 2004 18:45:36 -0000
>Received: from outgoing.securityfocus.com (HELO outgoing3.securityfocus.com) 
>(205.206.231.27)
>  by mail.securityfocus.com with SMTP; 5 Aug 2004 18:45:36 -0000
>Received: from lists2.securityfocus.com (lists2.securityfocus.com 
>[205.206.231.20])
>       by outgoing3.securityfocus.com (Postfix) with QMQP
>       id 03627236F36; Thu,  5 Aug 2004 12:47:21 -0600 (MDT)
>Mailing-List: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
>Precedence: bulk
>List-Id: <bugtraq.list-id.securityfocus.com>
>List-Post: <mailto:bugtraq@xxxxxxxxxxxxxxxxx>
>List-Help: <mailto:bugtraq-help@xxxxxxxxxxxxxxxxx>
>List-Unsubscribe: <mailto:bugtraq-unsubscribe@xxxxxxxxxxxxxxxxx>
>List-Subscribe: <mailto:bugtraq-subscribe@xxxxxxxxxxxxxxxxx>
>Delivered-To: mailing list bugtraq@xxxxxxxxxxxxxxxxx
>Delivered-To: moderator for bugtraq@xxxxxxxxxxxxxxxxx
>Received: (qmail 28021 invoked from network); 5 Aug 2004 12:14:21 -0000
>Date: Thu, 5 Aug 2004 19:22:43 +0100
>From: john <john@xxxxxxxxxxxxx>
>To: bugtraq@xxxxxxxxxxxxxxxxx
>Subject: Re: International DNS compromise?
>Message-Id: <20040805192243.7826e6b9.john@xxxxxxxxxxxxx>
>In-Reply-To: <20040805051101.18767.qmail@xxxxxxxxxxxxxxxxxxxxxxx>
>References: <Pine.LNX.4.58.0407232020010.3889@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
>       <20040805051101.18767.qmail@xxxxxxxxxxxxxxxxxxxxxxx>
>X-Mailer: Sylpheed version 0.8.11claws (GTK+ 1.2.10; i686-pc-linux-gnu)
>Mime-Version: 1.0
>Content-Type: text/plain; charset=US-ASCII
>Content-Transfer-Encoding: 7bit
>
>On Wed, 4 Aug 2004 22:11:01 -0700 (PDT)
>Zhen Shi <zhenshi99@xxxxxxxxx> wrote:
>
>> Dear all,
>>   Recently I noticed something fishy in the DNS system
>> between US and China. 
>>   First, any IPs, dead or live, in China will respond
>> to your DNS query for some domains. For example
>> (screen shot with some clean-up and comments): 
>> 
>> C:\>nslookup
>> 
>> > server 210.77.0.0     <=== pick a random IP     in
>> China 
>> Default Server:  [210.77.0.0]
>> Address:  210.77.0.0
>> 
>> > www.rfa.org
>> Server:  [210.77.0.0]
>> Address:  210.77.0.0
>> 
>> Non-authoritative answer:
>> Name:    www.rfa.org
>> Address:  203.105.1.21  <=== you got response!!!!
>> 
>>   Second, every time the response is different: 
>> 
>> > www.rfa.org
>> Server:  [210.77.0.0]
>> Address:  210.77.0.0
>> 
>> Non-authoritative answer:
>> Name:    www.rfa.org
>> Address:  64.66.163.251
>
>> <snip>
>
>It looks like it all works OK with most domain names. But rfa.org is the
>sort of site the Chinese would want to censor. Evidently this is part of
>their strategy for doing that.
>
>This has the side-effect that you could discover the list of sites being
>censored by systematically comparing DNS replies from a server in China
>with those from an uncompromised server.
>
>John
>