ICANN/GNSO GNSO Email List Archives


[ga] Re: Rogue (Fraudulent) DNS Servers?

  • To: "Stephane Bortzmeyer" <bortzmeyer@xxxxxx>
  • Subject: [ga] Re: Rogue (Fraudulent) DNS Servers?
  • From: "Matthew Pemble" <matthew@xxxxxxxxxx>
  • Date: Wed, 12 Dec 2007 10:11:07 +0000

Stephane (et al)

On 12/12/2007, Stephane Bortzmeyer <bortzmeyer@xxxxxx> wrote:
>
> On Wed, Dec 12, 2007 at 09:12:21AM +0000,
> Matthew Pemble <matthew@xxxxxxxxxx> wrote
> a message of 140 lines which said:
>
> > I assume we will actually have to wait for the survey
>
> Yes, because the IDG paper is mostly crap. Other reports from Dagon
> were very good.
>
> > Georgia Tech's and Google's researchers estimate that as many as 0.4
> > percent, or 68,000, open-recursive DNS servers are behaving
> > maliciously, returning false answers to DNS queries.
>
> That's perfectly possible but since nobody interrogates them, it is
> hardly a problem.


Or, what is a "false answer"? If it is a different answer to that returned
by a standard DNS query on the ICANN root, we could have alternate root
servers (returning, for them, correct responses), the wildcarding of domains
that recently generated heat on the list, or corporate DNS boxes returning
internal (probably, but not always, RFC 1918) addresses. And fraud - I wonder
what the true %age is - it is generally dangerous to assume malice when
incompetence is a perfectly satisfactory answer.

> > Attackers would then change just one file in the Windows registry
> > settings, telling the PC to go to the criminal's server for all DNS
> > information.
>
> So, the attack has *nothing* to do with DNS. If the attacker can
> change MS-Windows (or any other OS) settings, he can do anything.


Some bits of Windows are much easier to alter than they should be ...

I have dealt with a reasonable number of "pharming attacks" - commonly by
writing into the (not actually the name but ...) etc/hosts file but
sometimes by altering the network properties. Often, the DNS is hosted on
the same hacked boxes as the fraudulent sites themselves.

> [The mention of a "file in the Windows registry" gives a good idea of
> the seriousness of the paper.]
>

But was that Dagon, the journalist interpreting him, or just the journalist
speaking?

Matthew
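Two of the points Matthew raises above lend themselves to a concrete defender-side check: a "false answer" from a resolver is not automatically fraud (it may be an RFC 1918 answer from a corporate box, or NXDOMAIN wildcarding), and pharming on the client side often shows up as rewritten hosts-file entries. The following is an added example, not code from the thread or from any of the parties it mentions; the resolver answers, hosts-file contents, names and addresses are all constructed sample data, and the category names are my own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample: what a trusted reference resolver answered for a set of
# names (None = NXDOMAIN), and what an open recursive resolver under test
# answered for the same names. Hypothetical names and addresses.
REFERENCE_ANSWERS = {
    "www.example.com": "93.184.216.34",
    "intranet.example.com": None,
    "doesnotexist.example.com": None,
    "bank.example.net": "198.51.100.7",
}
TESTED_ANSWERS = {
    "www.example.com": "93.184.216.34",
    "intranet.example.com": "10.20.30.40",
    "doesnotexist.example.com": "203.0.113.99",
    "bank.example.net": "203.0.113.99",
}

# RFC 1918 private ranges, the kind of answer a corporate resolver legitimately
# returns for internal names. Checked explicitly rather than via ip.is_private,
# which also matches documentation ranges such as 203.0.113.0/24.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


@dataclass
class Verdict:
    name: str
    category: str
    reference: Optional[str]
    tested: Optional[str]


def classify_answer(reference: Optional[str], tested: Optional[str]) -> str:
    """Classify one differing answer rather than calling every difference 'false'."""
    if tested == reference:
        return "match"
    if tested is None:
        return "missing"      # tested resolver says NXDOMAIN where the reference had an address
    if is_rfc1918(tested):
        return "internal"     # RFC 1918 answer, typical of a corporate resolver's view
    if reference is None:
        return "wildcard"     # an address synthesised for a name that does not exist
    return "divergent"        # a real public name answered differently: investigate


def find_wildcard_sinks(reference: dict, tested: dict) -> set:
    """Public addresses the tested resolver hands out for names that do not exist."""
    return {tested[n] for n, ref in reference.items()
            if ref is None and tested.get(n) and not is_rfc1918(tested[n])}


def audit_resolver(reference: dict, tested: dict) -> list:
    """Compare the two answer sets and flag the one pattern that is hard to explain
    away: an existing public name steered to the resolver's wildcard sink address."""
    sinks = find_wildcard_sinks(reference, tested)
    verdicts = []
    for name, ref in reference.items():
        t = tested.get(name)
        cat = classify_answer(ref, t)
        if cat == "divergent" and t in sinks:
            cat = "redirected-to-wildcard-sink"
        verdicts.append(Verdict(name, cat, ref, t))
    return verdicts


# Constructed sample hosts file; the last line is the pharming-style override.
SAMPLE_HOSTS = """\
# constructed sample of a hosts file
127.0.0.1   localhost
::1         localhost ip6-localhost
192.168.1.5 printer.lan
203.0.113.99 bank.example.net www.bank.example.net
"""

LOCAL_NAMES = {"localhost", "ip6-localhost", "ip6-loopback", "broadcasthost"}


def suspicious_hosts_entries(hosts_text: str, allowed_suffixes=(".lan", ".local")) -> list:
    """Return (address, name) pairs that override resolution of non-local names.
    Loopback mappings and expected LAN names are normal; anything else pins a
    public name to an address the user never chose and deserves a look."""
    findings = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue                           # malformed line, not our concern here
        for n in names:
            if n in LOCAL_NAMES or ip.is_loopback or n.endswith(allowed_suffixes):
                continue
            findings.append((addr, n))
    return findings


if __name__ == "__main__":
    for v in audit_resolver(REFERENCE_ANSWERS, TESTED_ANSWERS):
        print(f"{v.name:28} {v.category:28} ref={v.reference} tested={v.tested}")
    print("hosts overrides:", suspicious_hosts_entries(SAMPLE_HOSTS))
```

The resolver audit deliberately separates "different" from "malicious": an RFC 1918 answer and a wildcarded NXDOMAIN are each ordinary on their own, and only the combination (a live banking name pointed at the same sink address used for non-existent names) is promoted to the category worth investigating. The hosts-file check is the client-side counterpart for the pharming cases the message describes.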

