RE: International DNS compromise?

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: RE: International DNS compromise?
From: Troy Monaghen <troy@xxxxxxxxxxxx>
Date: Fri, 06 Aug 2004 09:57:44 -0500
In-reply-to: <0836CFF5FAD5D4118E2300508BD97A83D917E9@xxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <0836CFF5FAD5D4118E2300508BD97A83D917E9@xxxxxxxxxxxxxxxxx>

On Thu, 2004-08-05 at 12:37, travis.alexander@xxxxxxxxxxx wrote:
> I got six different results, meaning six different server IP's.

> -----Original Message-----
> From: Zhen Shi [mailto:zhenshi99@xxxxxxxxx]
>
> Dear all,
>   Recently I noticed something fishy in the DNS system
> between US and China. 

Looks like rfa.org uses Speedera (see the log of finding and querying
the authoritative name servers below).  To quote from their web site at
http://www.speedera.com/primary/Tech/Over.htm : "Speedera's highly
distributed, robust network relies on a worldwide set of probes and
global traffic managers to make real-time decisions to intelligently
route users' requests to the best location and best server."

It sounds like this is just part of Speedera's attempt to route users to
the appropriate server.

$ whois rfa.org
 ...
Name Server:DNSAUTH1.SYS.GTEI.NET
Name Server:DNSAUTH2.SYS.GTEI.NET
Name Server:DNSAUTH3.SYS.GTEI.NET

$ host www.rfa.org DNSAUTH1.SYS.GTEI.NET
 ...
www.rfa.org is an alias for www.rfaweb.org.

$ whois rfaweb.org
 ...
Name Server:DNS31.REGISTER.COM
Name Server:DNS32.REGISTER.COM

$ host www.rfaweb.org DNS31.REGISTER.COM
 ...
www.rfaweb.org is an alias for rfa.speedera.net.

$ whois speedera.net
 ...
   Domain servers in listed order:
   Q.SPEEDERA.NET                                    64.41.192.113
   L.SPEEDERA.NET                                    64.0.96.22
   N.SPEEDERA.NET                                    65.169.170.140
   F.SPEEDERA.NET                                    210.224.186.3
   A.SPEEDERA.NET                                    208.185.54.61
   H.SPEEDERA.NET                                    64.14.117.35
   Y.SPEEDERA.NET                                    212.187.170.30
   Z.SPEEDERA.NET                                    216.200.69.12

$ host rfa.speedera.net Q.SPEEDERA.NET
 ...
rfa.speedera.net has address 208.254.75.133
rfa.speedera.net has address 66.7.159.165

$ host rfa.speedera.net L.SPEEDERA.NET
 ...
rfa.speedera.net has address 64.37.246.4
rfa.speedera.net has address 64.37.246.3

$ host rfa.speedera.net N.SPEEDERA.NET
 ...
rfa.speedera.net has address 65.216.78.76
rfa.speedera.net has address 64.37.246.4

$ host rfa.speedera.net F.SPEEDERA.NET
 ...
rfa.speedera.net has address 65.216.78.76
rfa.speedera.net has address 64.37.246.4

$ host rfa.speedera.net A.SPEEDERA.NET
 ...
rfa.speedera.net has address 65.216.78.76
rfa.speedera.net has address 64.28.86.231

$ host rfa.speedera.net  H.SPEEDERA.NET
 ...
rfa.speedera.net has address 65.216.78.76
rfa.speedera.net has address 64.156.240.39

$ host rfa.speedera.net  Y.SPEEDERA.NET
 ...
rfa.speedera.net has address 216.74.133.196
rfa.speedera.net has address 64.156.240.39

$ host rfa.speedera.net Z.SPEEDERA.NET
 ...
rfa.speedera.net has address 64.156.240.39
rfa.speedera.net has address 216.74.133.196

--
Troy

References:
- RE: International DNS compromise?
  - From: travis . alexander

Prev by Date: Re: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards
Next by Date: Re: International DNS compromise?
Previous by thread: RE: International DNS compromise?
Next by thread: Re: International DNS compromise?
Index(es):
- Date
- Thread