Level(3) DNS Spoofing All Domains
On 11/18/19 12:45 PM, Marshall, Quincy wrote:
> I discovered that the CenturyLink/Level(3) public DNS (4.2.2.2, etc) are
> spoofing all domains. If the hostname begins with a "w" and does not
> exist in the authoritative zone these hosts will return two Akamai hosts.

As far as I know, this has been going on for quite some time at least
for folks not on Level3. I know I've seen it as far back as 5-7 years
ago from various vantage points.

I guess it's also possible somebody was intercepting those well known
anycast addresses between me and Level3, but the "search guide" it
redirected to didn't implicate any obvious suspects.

It fails DNSSEC checking, of course, so if you have DNSSEC validation
turned on at your recursive resolver, you should get something else
(probably SERVFAIL).
--
Brandon Martin
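
The following is an added example, not part of the original post: a check for the behaviour described in this thread, where a resolver returns addresses for a name that should not exist. It builds a probe query for a random label beginning with "w" and classifies the raw DNS reply as NXDOMAIN, SERVFAIL or rewritten. The zone `example.test`, the 192.0.2.x addresses and the sample replies are constructed, and the probed zone is assumed to have no wildcard record.

```python
import secrets
import struct

def build_probe(zone, qid):
    """Query for a random label starting with 'w' that should not exist in zone."""
    name = "w" + secrets.token_hex(8) + "." + zone.rstrip(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    # Flags 0x0100: standard query, recursion desired. QDCOUNT=1, type A, class IN.
    hdr = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 0)
    return name, hdr + qname + b"\x00" + struct.pack("!2H", 1, 1)

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def classify(msg):
    """Classify the reply to a probe for a name known not to exist."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!6H", msg[:12])
    rcode, off, addrs = flags & 0xF, 12, []
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    if rcode == 0 and addrs:
        return "rewritten", addrs  # addresses returned for a nonexistent name
    return {3: "nxdomain", 2: "servfail"}.get(rcode, "other"), addrs

def constructed_response(query, rcode, ips=()):
    """Build a sample reply for the demo (constructed, not captured traffic)."""
    hdr = query[:2] + struct.pack("!5H", 0x8180 | rcode, 1, len(ips), 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)  # name pointer, A, IN, TTL 60
    return hdr + query[12:] + b"".join(rr + bytes(map(int, ip.split("."))) for ip in ips)

if __name__ == "__main__":
    name, query = build_probe("example.test", 0x1A2B)
    for rcode, ips in ((3, ()), (0, ("192.0.2.10", "192.0.2.11")), (2, ())):
        print(name, classify(constructed_response(query, rcode, ips)))
```

To use it against a live resolver, send the bytes from `build_probe` over UDP port 53 and pass the reply to `classify`; a "rewritten" result from one resolver alongside "nxdomain" from another for the same probe is the signal to investigate.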