[aklug] Re: Munkeys can setup a bind DNS server

From: Leif Sawyer <lsawyer@gci.com>
Date: Wed Mar 26 2008 - 15:07:24 AKDT

It's true, too.

For instance, which party caused this issue?

# now, this looks correct:

lobby:~# dig google.com
; <<>> DiG 9.2.4 <<>> google.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46155
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;google.com. IN A

;; ANSWER SECTION:
google.com. 146 IN A 64.233.187.99
google.com. 146 IN A 72.14.207.99
google.com. 146 IN A 64.233.167.99

;; AUTHORITY SECTION:
google.com. 279878 IN NS ns1.google.com.
google.com. 279878 IN NS ns2.google.com.
google.com. 279878 IN NS ns3.google.com.
google.com. 279878 IN NS ns4.google.com.

But for www.google.com, the Authoritative Nameservers were reported as
JOMAX.NET

lobby:~# dig www.google.com

; <<>> DiG 9.2.4 <<>> www.google.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17930
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com. IN A

;; ANSWER SECTION:
www.google.com. 60 IN A 63.251.179.54

;; AUTHORITY SECTION:
www.google.com. 65535 IN NS WSC2.JOMAX.NET.
www.google.com. 65535 IN NS WSC1.JOMAX.NET.

So, who the heck is jomax.net, and why are they trying to steal
google's traffic?

The world may never know.

But anybody with dig and whois at their disposal would be able
to find this out and see that it's happening outside their sphere of
control.

> -----Original Message-----
> From: aklug-bounce@aklug.org [mailto:aklug-bounce@aklug.org]
> On Behalf Of Arthur Corliss
> Sent: Wednesday, March 26, 2008 2:58 PM
> To: dhull
> Cc: aklug@aklug.org
> Subject: [aklug] Re: Munkeys can setup a bind DNS server
>
> On Wed, 26 Mar 2008, dhull wrote:
>
> > I don't know what GCI is doing for DNS. I'm guessing their
> doing something extra. Either that or they have know idea how
> to setup DNS.
> >
> > 1. Install Linux
> > 2. Install BIND9
> > 3. Done!
> >
> > That's all it takes. By default BIND is a cashing name
> server. With a setup that's that simple there's no excuse for
> broken DNS.
>
> You're speaking out of your depth, Damien. A monkey can set
> up a DNS server that's still vulnerable to DNS cache
> poisoning and acting as an open recursive DNS server.
>
> A properly trained monkey, however, will set up their DNS
> with ACLs so that only their net blocks can use them for
> resolving queries. I'm willing to bet that if I examined
> your configuration I could point out lots of problems with your setup.
>
> Don't start slinging aspersions until you know for certain
> your monkey is housebroken. And knows how to use a spell checker.
>
> --Arthur Corliss
> Live Free or Die
> ---------
> To unsubscribe, send email to <aklug-request@aklug.org> with
> 'unsubscribe' in the message body.
>
>
---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.
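The check Leif describes, automated as an added example (not code from the thread or from BIND): parse dig output and flag an AUTHORITY section whose nameservers sit outside the domains used by the zone apex's own NS set, as the www.google.com answer above does. The apex-domain comparison is a crude registrable-domain heuristic (last two labels), so a legitimate delegation to a third-party DNS provider will also be flagged; treat a hit as a prompt to follow up with whois, not as a verdict.

```python
"""Flag dig answers whose AUTHORITY NS records point outside the apex delegation."""
import re

# Constructed sample input: the AUTHORITY sections of the two dig runs in the thread.
DIG_APEX = """\
;; AUTHORITY SECTION:
google.com. 279878 IN NS ns1.google.com.
google.com. 279878 IN NS ns2.google.com.
google.com. 279878 IN NS ns3.google.com.
google.com. 279878 IN NS ns4.google.com.
"""
DIG_WWW = """\
;; AUTHORITY SECTION:
www.google.com. 65535 IN NS WSC2.JOMAX.NET.
www.google.com. 65535 IN NS WSC1.JOMAX.NET.
"""

# One NS resource record as dig prints it: owner, TTL, class, type, target.
NS_RR = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+NS\s+(?P<target>\S+)\s*$")


def parse_ns(dig_output):
    """Return (owner, ttl, nsdname) tuples from the AUTHORITY section, lower-cased."""
    records, in_authority = [], False
    for line in dig_output.splitlines():
        if line.startswith(";;"):            # section marker or header line
            in_authority = line.startswith(";; AUTHORITY SECTION")
            continue
        match = NS_RR.match(line)
        if in_authority and match:
            records.append((match["name"].lower(), int(match["ttl"]), match["target"].lower()))
    return records


def registrable_domain(hostname):
    """Crude heuristic: last two labels of the name (ns1.google.com. -> google.com)."""
    return ".".join(hostname.rstrip(".").split(".")[-2:])


def suspicious_ns(apex_output, child_output):
    """NS records in the child answer whose servers are outside the apex NS domains."""
    apex_domains = {registrable_domain(t) for _, _, t in parse_ns(apex_output)}
    return [(owner, ttl, target)
            for owner, ttl, target in parse_ns(child_output)
            if registrable_domain(target) not in apex_domains]


if __name__ == "__main__":
    for owner, ttl, target in suspicious_ns(DIG_APEX, DIG_WWW):
        print(f"{owner} delegated to {target} (TTL {ttl}): check whois on {registrable_domain(target)}")
```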
Received on Wed Mar 26 15:08:04 2008

This archive was generated by hypermail 2.1.8 : Wed Mar 26 2008 - 15:08:04 AKDT