ICANN/GNSO GNSO Email List Archives

[ga]



Re: [ga] Re: Rogue (Fraudulent) DNS Servers?

  • To: Matthew Pemble <matthew@xxxxxxxxxx>
  • Subject: Re: [ga] Re: Rogue (Fraudulent) DNS Servers?
  • From: "Jeffrey A. Williams" <jwkckid1@xxxxxxxxxxxxx>
  • Date: Wed, 12 Dec 2007 04:49:05 -0800

Matthew and all,

  I believe Stephane is/was equivocating.  Zoombibing and/or ghosting
is largely, but not always or entirely, a result of poor/incompetent or
intentionally misconfigured DNS.  Of course Stephane knows this
to be true, but seemingly will never openly admit such.  Ergo part of
the larger problem, that being denial of course.

Regards,

Jeffrey A. Williams
Spokesman for INEGroup LLA. - (Over 277k members/stakeholders strong!)
"Obedience of the law is the greatest freedom" -
   Abraham Lincoln

"Credit should go with the performance of duty and not with what is very
often the accident of glory" - Theodore Roosevelt

"If the probability be called P; the injury, L; and the burden, B;
liability depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing  (159 F.2d 169 [2d Cir. 1947])
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS. div. of
Information Network Eng.  INEG. INC.
ABA member in good standing member ID 01257402
E-Mail jwkckid1@xxxxxxxxxxxxx
Phone: 214-244-4827

Matthew Pemble wrote:

> Stephane (et al)
>  On 12/12/2007, Stephane Bortzmeyer <bortzmeyer@xxxxxx> wrote:
>
>       On Wed, Dec 12, 2007 at 09:12:21AM +0000,
>      Matthew Pemble <matthew@xxxxxxxxxx> wrote
>      a message of 140 lines which said:
>
>      > I assume we will actually have to wait for the survey
>
>      Yes, because the IDG paper is mostly crap. Other reports from Dagon
>      were very good.
>
>      > Georgia Tech's and Google's researchers estimate that as many as 0.4
>      > percent, or 68,000, open-recursive DNS servers are behaving
>      > maliciously, returning false answers to DNS queries.
>
>      That's perfectly possible but since nobody interrogates them, it is
>      hardly a problem.
>
>
> Or, what is a "false answer"?  If it is a different answer to that
> returned by a standard DNS query on the ICANN route, we could have
> alternate root servers (returning, for them, correct responses), the
> wildcarding of domains that recently generated heat on the list, or
> corporate DNS boxes returning internal (probably but not always RFC
> 1918 addresses).  And fraud - I wonder what the true %age is - it is
> generally dangerous to assume malice when incompetence is a perfectly
> satisfactory answer.
>
>      > Attackers would then change just one file in the Windows registry
>      > settings, telling the PC to go to the criminal's server for all DNS
>      > information.
>
>      So, the attack has *nothing* to do with DNS. If the attacker can
>      change MS-Windows (or any other OS) settings, he can do anything.
>
>
> Some bits of  Windows are much easier to alter than they should be ...
>
> I have dealt with a reasonable number of "pharming attacks" - commonly
> by writing into the (not actually the name but ...)  etc/hosts file
> but sometimes by altering the network properties.  Often, the DNS is
> hosted on the same hacked boxes as the fraudulent sites themselves.
>
>      [The mention of a "file in the Windows registry" gives a good idea of
>      the seriousness of the paper.]
>
>
> But was that Dagon, the journalist interpreting him, or just the
> journalist speaking?
>
> Matthew
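
The question raised in the quoted message, what counts as a "false answer", can be made concrete by sorting each disagreement between a resolver under test and a trusted reference into the benign categories listed there before anything is counted as suspect. The following is an added example, not code from this thread or from the survey it discusses; the label names, the `known_tlds` parameter and all names and addresses in `SAMPLES` are constructed for illustration.

```python
import ipaddress
from collections import Counter

# RFC 1918 private ranges: the "internal" answers a corporate resolver may return.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def classify(name, reference, observed, known_tlds):
    """Label how `observed` (answers from the resolver under test) differs from
    `reference` (answers from a trusted resolver). Each is a non-empty set of
    address strings, or None for NXDOMAIN. `known_tlds` is the caller's list of
    TLDs present in the reference root (an assumption of this example)."""
    tld = name.rstrip(".").rsplit(".", 1)[-1].lower()
    if observed == reference:
        return "same"
    if observed is None:
        return "missing"            # reference resolves, tested resolver does not
    if all(is_rfc1918(a) for a in observed):
        return "internal"           # split-horizon / corporate answer
    if reference is None:
        # An answer where the reference says NXDOMAIN: either a name under a
        # TLD the reference root does not carry, or a wildcard-style rewrite.
        return "alternate-root" if tld not in known_tlds else "nxdomain-rewrite"
    if observed & reference:
        return "partial-overlap"    # shares at least one address with reference
    return "unexplained"            # needs a human: error, misconfiguration or fraud

# Constructed sample data (documentation address ranges, made-up names).
KNOWN_TLDS = {"com", "net", "org"}
SAMPLES = [
    ("www.example.com",          {"192.0.2.10"}, {"192.0.2.10"}),
    ("intranet.example.com",     None,           {"10.1.2.3"}),
    ("no-such-name.example.com", None,           {"203.0.113.80"}),
    ("portal.altroot",           None,           {"198.51.100.7"}),
    ("bank.example.com",         {"192.0.2.20"}, {"203.0.113.99"}),
]

def summarize(samples, known_tlds):
    """Count labels so 'differs from reference' is not reported as one number."""
    return Counter(classify(n, ref, obs, known_tlds) for n, ref, obs in samples)

if __name__ == "__main__":
    for label, count in summarize(SAMPLES, KNOWN_TLDS).items():
        print(f"{label:18} {count}")
```

Only the `unexplained` bucket is a candidate for the fraud case, and even there a differing answer alone does not separate malice from misconfiguration.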


