On Thu, Dec 18, 2014 at 12:04:45PM -0500, David C Lawrence <[email protected]> wrote a message of 11 lines which said:
> http://gulfnews.com/business/technology/domain-name-structure-of-etisalat-poisoned-1.1428889
>
> This news report claims it was a cache poisoning, but it also reads
> like it could have been hacked authoritative data.

Indeed, this report is ridiculous and the claims of "Nicolai Solling,
director of technology services" clearly self-contradictory.

> Does anyone have more information?

From the information at DNSDB, it seems that the NS records were not
changed but the A was. The change was short-lived and seen only by a
few sensors so we cannot be sure if it was a DNS poisoning or an
illegal access to the DNS hoster (I say DNS hoster because the NS have
not been changed, as they would have been during an attack at the
registry or registrar) Web interface.

For the NS, the only change was the withdrawal of ans1.kanartel.sd and
ans2.kanartel.sd from the set (they were in the zone but never at the
parent) around 2014-12-18 04:30:00, after the attack.

For the A:

bailiwick etisalat.ae.
count 2
first seen 2014-12-18 02:34:16 -0000
last seen 2014-12-18 02:34:16 -0000
etisalat.ae. A 205.164.14.77

Yes, this IP address is in China.

CIRCL.lu and PassiveDNS.cn did not see the change in the A record
(which is consistent with a short-lived change, or with a DNS
poisoning not reaching their sensors).

No service saw a change for e4me.ae.

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
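The triage in the message above (delegation NS unchanged at the parent, so not a registry or registrar attack; apex A changed, briefly and at few sensors, so either the DNS hoster or a poisoned cache) can be turned into a small script that reads passive-DNS records in the flat "bailiwick / count / first seen / last seen / rrset" layout quoted in the post and classifies each change. This is an added example, not code from the poster, from DNSDB or from any of the services named. The sample observations are constructed: the bogus A record and its timestamps are the ones quoted in the message, while the parent label "ae.", the baseline nameserver names ns-a/ns-b.example.net., the baseline address 192.0.2.10 and the "short-lived / few sensors" thresholds are placeholders chosen for the example.

```python
"""Classify passive-DNS changes at a zone apex the way the message does.

Added example (not part of the original post). Record format: the flat
DNSDB-style layout quoted in the message, one rrset per blank-line-separated
block. Baseline data and thresholds below are invented placeholders.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re


@dataclass(frozen=True)
class Observation:
    bailiwick: str          # zone whose server answered: parent => delegation, child => apex data
    count: int              # number of sensor observations
    first_seen: datetime
    last_seen: datetime
    name: str
    rrtype: str
    rdata: tuple            # rdata values of the rrset, in input order


_HEADER = re.compile(r"^(bailiwick|count|first seen|last seen)\s+(.+)$")


def _ts(s: str) -> datetime:
    # Timestamps carry a literal "-0000" suffix; parse the fixed part and pin UTC.
    return datetime.strptime(s[:19], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_dnsdb(text: str) -> list[Observation]:
    """Parse flat DNSDB-style records; each block is one rrset plus its headers."""
    out = []
    for block in re.split(r"\n\s*\n", text.strip()):
        hdr, rrs = {}, []
        for line in block.splitlines():
            line = line.strip()
            if not line:
                continue
            m = _HEADER.match(line)
            if m:
                hdr[m.group(1)] = m.group(2).strip()
                continue
            name, rrtype, rdata = line.split(None, 2)   # "owner TYPE rdata"
            rrs.append((name, rrtype, rdata))
        if not rrs:
            continue
        if len({n for n, _, _ in rrs}) != 1 or len({t for _, t, _ in rrs}) != 1:
            raise ValueError("an rrset block must hold one owner name and one type")
        out.append(Observation(
            bailiwick=hdr["bailiwick"], count=int(hdr["count"]),
            first_seen=_ts(hdr["first seen"]), last_seen=_ts(hdr["last seen"]),
            name=rrs[0][0], rrtype=rrs[0][1], rdata=tuple(r for _, _, r in rrs)))
    return out


def triage(zone: str, parent: str, baseline_ns: set, baseline_a: set,
           observations: list[Observation],
           short: timedelta = timedelta(hours=1), few: int = 3) -> list:
    """Return (verdict, observation) pairs for apex records that differ from baseline.

    - NS seen from the parent bailiwick differs  -> the delegation itself was
      changed, i.e. registry or registrar level;
    - delegation unchanged but apex A (child bailiwick) differs -> zone content
      changed: DNS hoster compromise, or a poisoned cache when only a few sensors
      saw it for a short time (the two cannot be told apart from passive DNS alone).
    An NS change seen only in the child bailiwick is a zone edit, not evidence of a
    registrar attack, and is deliberately not reported here.
    """
    findings = []
    for o in observations:
        if o.name != zone:
            continue
        if o.rrtype == "NS" and o.bailiwick == parent and set(o.rdata) != baseline_ns:
            findings.append(("registry_or_registrar", o))
        elif o.rrtype == "A" and o.bailiwick == zone and set(o.rdata) != baseline_a:
            brief = (o.last_seen - o.first_seen) <= short and o.count <= few
            findings.append(("hoster_or_poisoning" if brief else "authoritative_change", o))
    return findings


# Constructed sample: delegation unchanged, apex A replaced for one moment.
BASELINE_NS = {"ns-a.example.net.", "ns-b.example.net."}   # placeholder names
BASELINE_A = {"192.0.2.10"}                                 # placeholder address
SAMPLE = """\
bailiwick ae.
count 120
first seen 2014-12-01 00:00:00 -0000
last seen 2014-12-18 06:00:00 -0000
etisalat.ae. NS ns-a.example.net.
etisalat.ae. NS ns-b.example.net.

bailiwick etisalat.ae.
count 2
first seen 2014-12-18 02:34:16 -0000
last seen 2014-12-18 02:34:16 -0000
etisalat.ae. A 205.164.14.77
"""

if __name__ == "__main__":
    for verdict, o in triage("etisalat.ae.", "ae.", BASELINE_NS, BASELINE_A, parse_dnsdb(SAMPLE)):
        print(verdict, o.rrtype, o.rdata, o.count, o.first_seen, o.last_seen)
```

Feeding the same input with the delegation NS replaced (edit the first block) flips the verdict to registry_or_registrar, which is exactly the distinction the message draws from the NS set being untouched.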
