[nlug] Re: DNS Hijacking(?)

2008-10-01 Thread Richard Thomas

I haven't looked at the packet level but I'm assuming they would have to 
be spoofing the remote server's IP for things to work correctly.

Note that they are intercepting both traffic to the TLD servers (to 
catch invalid domains) and traffic to domain name server (to catch 
invalid subdomains).

Rich

Andrew Farnsworth wrote:
> On Wed, Oct 1, 2008 at 10:46 AM, Richard Thomas <[EMAIL PROTECTED]> wrote:
>
>
> ware wrote:
> > cat nameserver 4.2.2.2  >> /etc/resolv.conf
> >
> No. That doesn't help. This is a network-based intercept. Any DNS
> traffic heading off Bill's network gets intercepted. That's why I
> had to
> configure stuff to work on port 52 (though any other port would likely
> have worked just as well)
>
> Rich
>
>
> Out of curiosity, do the returning packets have any indication on the 
> actual server being contacted (i.e. is supplying the bogus DNS info)?
>
> Andy
>
>
> >

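A small checker for the kind of evidence collected in this thread, added here as an example and not part of anyone's post. It parses dig-style output, flags a probe name that comes back NOERROR with answers when it should be NXDOMAIN (the TLD-server and subdomain cases Rich describes), and correlates the A records across unrelated probe names so that a shared catch-all address stands out. The three embedded samples are constructed, modelled on the dig sessions Rich and Ken posted; the function names are my own.

```python
"""Spot NXDOMAIN interception in dig output (added example, not thread code).

The samples are constructed but modelled on the dig sessions in the thread:
a made-up subdomain of google.com and a made-up host under psysolutions.com
both "resolve" to the same two addresses, while a random .com label asked of
a gtld server from an unaffected network gets the NXDOMAIN it should.
"""
import re
from collections import defaultdict

# Constructed sample 1: nonexistent subdomain of a real domain, via 127.0.0.1.
HIJACKED_SUBDOMAIN = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56987
;; QUESTION SECTION:
;bleepblop.google.com.  IN  A
;; ANSWER SECTION:
bleepblop.google.com.   60  IN  A   8.15.7.102
bleepblop.google.com.   60  IN  A   63.251.179.28
;; AUTHORITY SECTION:
bleepblop.google.com.   65535   IN  NS  WSC2.JOMAX.NET.
bleepblop.google.com.   65535   IN  NS  WSC1.JOMAX.NET.
;; SERVER: 127.0.0.1#53(127.0.0.1)
"""

# Constructed sample 2: same pattern when asking an off-net resolver directly,
# which is what showed the interception sits upstream of the client.
HIJACKED_OFFNET = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21198
;; QUESTION SECTION:
;plob.psysolutions.com. IN  A
;; ANSWER SECTION:
plob.psysolutions.com.  60  IN  A   8.15.7.102
plob.psysolutions.com.  60  IN  A   63.251.179.28
;; SERVER: 4.2.2.1#53(4.2.2.1)
"""

# Constructed sample 3: a clean answer from a TLD server for a random label.
CLEAN_TLD = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 33930
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;qweqpoqwiepoqiwepqiwe.com. IN  A
;; AUTHORITY SECTION:
com.    900 IN  SOA a.gtld-servers.net. nstld.verisign-grs.com. 1222392666 1800 900 604800 900
;; SERVER: 192.31.80.30#53(192.31.80.30)
"""

STATUS_RE = re.compile(r"status: ([A-Z]+)")
SECTION_RE = re.compile(r"^;; ([A-Z]+) SECTION:")
QUESTION_RE = re.compile(r"^;(\S+)\s+IN\s+(\S+)")


def parse_dig(text):
    """Parse dig output into status, queried name and (owner, type, rdata)
    records per section; owner and rdata are lowercased for comparison."""
    parsed = {"status": None, "qname": None, "sections": defaultdict(list)}
    section = None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.startswith(";; ->>HEADER<<-"):
            m = STATUS_RE.search(line)
            parsed["status"] = m.group(1) if m else None
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section == "QUESTION":
            m = QUESTION_RE.match(line)
            if m:
                parsed["qname"] = m.group(1).lower()
            continue
        if section is None or line.startswith(";"):
            continue  # comment lines such as ;; SERVER: / ;; WARNING:
        tokens = line.split()
        if "IN" not in tokens:
            continue  # wrapped continuation of the previous record
        i = tokens.index("IN")
        if i < 1 or len(tokens) < i + 3:
            continue
        rdata = " ".join(tokens[i + 2:]).lower()
        parsed["sections"][section].append((tokens[0].lower(), tokens[i + 1], rdata))
    return parsed


def classify(parsed):
    """Verdict for a probe name that is known not to exist."""
    answers = parsed["sections"].get("ANSWER", [])
    if parsed["status"] == "NXDOMAIN" and not answers:
        return "clean"
    if parsed["status"] == "NOERROR" and answers:
        return "intercepted"
    return "unexpected"


def shared_sinkholes(parsed_list):
    """Map each answer IP to the distinct names it was returned for. A real
    zone answers for its own names only; one address answering for names
    under unrelated registered domains is a catch-all redirect."""
    by_ip = defaultdict(set)
    for p in parsed_list:
        for owner, rtype, rdata in p["sections"].get("ANSWER", []):
            if rtype == "A":
                by_ip[rdata].add(owner)
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) > 1}


def main():
    responses = [parse_dig(t) for t in (HIJACKED_SUBDOMAIN, HIJACKED_OFFNET, CLEAN_TLD)]
    for p in responses:
        print("%-28s status=%-8s verdict=%s" % (p["qname"], p["status"], classify(p)))
    for ip, names in shared_sinkholes(responses).items():
        print("catch-all address %s answered for: %s" % (ip, ", ".join(names)))


if __name__ == "__main__":
    main()
```

Feeding the tool real output is a matter of piping `dig` at it; the useful probes are the two Rich used, a random label sent straight at a gtld server and a random subdomain of a domain you control (where the zone itself proves what the right answer is), since an interceptor that forges NXDOMAIN-to-NOERROR for both is not a misconfigured resolver but something sitting on port 53 in the path.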

--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups 
"NLUG" group.
To post to this group, send email to nlug-talk@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/nlug-talk?hl=en
-~--~~~~--~~--~--~---



[nlug] Re: DNS Hijacking(?)

2008-10-01 Thread Andrew Farnsworth
On Wed, Oct 1, 2008 at 10:46 AM, Richard Thomas <[EMAIL PROTECTED]> wrote:

>
> ware wrote:
> > cat nameserver 4.2.2.2 >> /etc/resolv.conf
> >
> No. That doesn't help. This is a network-based intercept. Any DNS
> traffic heading off Bill's network gets intercepted. That's why I had to
> configure stuff to work on port 52 (though any other port would likely
> have worked just as well)
>
> Rich
>

Out of curiosity, do the returning packets have any indication on the actual
server being contacted (i.e. is supplying the bogus DNS info)?

Andy




[nlug] Re: DNS Hijacking(?)

2008-10-01 Thread Richard Thomas

ware wrote:
> cat nameserver 4.2.2.2 >> /etc/resolv.conf
>   
No. That doesn't help. This is a network-based intercept. Any DNS 
traffic heading off Bill's network gets intercepted. That's why I had to 
configure stuff to work on port 52 (though any other port would likely 
have worked just as well)

Rich




[nlug] Re: DNS Hijacking(?)

2008-10-01 Thread ware

echo*

rofl whoops

On Wed, Oct 1, 2008 at 9:34 AM, ware <[EMAIL PROTECTED]> wrote:
> cat nameserver 4.2.2.2 >> /etc/resolv.conf
>
> On Wed, Oct 1, 2008 at 9:23 AM, Richard Thomas <[EMAIL PROTECTED]> wrote:
>>
>> Bill Butler finally wrote back. He's been looking into it apparently
>> (that's all I needed to hear). I'll stick with him for now and use the
>> alternative DNS. I'm not sure how long that will be available for.
>>
>> Rich
>>
>> ware wrote:
>>> --snip--
>>> [14:27 9/29/08]FOUO: ALL STATIONS EFFECTIVE IMMEDIATELY, WMP - RFI
>>> out on K4RNT (SMITH, ALEX)
>>> --/snip--
>>>
>>> oh hai thar!  b seen u on teh statez msg switch wen u wuz lookd 4.
>>> jus thogut u miht wan2no kthnx!  bet u culd pay em wut u owe nden j00
>>> git sum frenz dahr, k?  thnx 4ur hep wif dis stuf.
>>>
>>> (sidez, mah troll is2b use nun 4 NLUG cuz we <3 dem herez nahmsayn?)
>>>
>>> 
>>>
>>> we've run across too many of our clients' ISPs in bumfukt east TN that
>>> had vulnerable DNS servers and have switched them to OpenDNS for the
>>> interim.  it does sound like it's Butler's issue so I'd stick with your
>>> alternative or check out Clearwire
>>>
>>> -ware
>>>
>>> On Tue, Sep 30, 2008 at 4:12 PM, Richard Thomas <[EMAIL PROTECTED]> wrote:
>>>
 Yu haz tu avoyed thayr philterz yu noe.

 Alex Smith (K4RNT) wrote:

 I don't know what you are saying ! If you're going to troll, at least
 be coherent about it ! ;)

 On Tue, Sep 30, 2008 at 3:12 PM, ware <[EMAIL PROTECTED]> wrote:


 teh guverment iz wathcin ur queerys datumz





>>>
>>> >
>>>
>>
>>
>> >>
>>
>




[nlug] Re: DNS Hijacking(?)

2008-10-01 Thread ware

cat nameserver 4.2.2.2 >> /etc/resolv.conf

On Wed, Oct 1, 2008 at 9:23 AM, Richard Thomas <[EMAIL PROTECTED]> wrote:
>
> Bill Butler finally wrote back. He's been looking into it apparently
> (that's all I needed to hear). I'll stick with him for now and use the
> alternative DNS. I'm not sure how long that will be available for.
>
> Rich
>
> ware wrote:
>> --snip--
>> [14:27 9/29/08]FOUO: ALL STATIONS EFFECTIVE IMMEDIATELY, WMP - RFI
>> out on K4RNT (SMITH, ALEX)
>> --/snip--
>>
>> oh hai thar!  b seen u on teh statez msg switch wen u wuz lookd 4.
>> jus thogut u miht wan2no kthnx!  bet u culd pay em wut u owe nden j00
>> git sum frenz dahr, k?  thnx 4ur hep wif dis stuf.
>>
>> (sidez, mah troll is2b use nun 4 NLUG cuz we <3 dem herez nahmsayn?)
>>
>> 
>>
>> we've run across too many of our clients' ISPs in bumfukt east TN that
>> had vulnerable DNS servers and have switched them to OpenDNS for the
>> interim.  it does sound like it's Butler's issue so I'd stick with your
>> alternative or check out Clearwire
>>
>> -ware
>>
>> On Tue, Sep 30, 2008 at 4:12 PM, Richard Thomas <[EMAIL PROTECTED]> wrote:
>>
>>> Yu haz tu avoyed thayr philterz yu noe.
>>>
>>> Alex Smith (K4RNT) wrote:
>>>
>>> I don't know what you are saying ! If you're going to troll, at least
>>> be coherent about it ! ;)
>>>
>>> On Tue, Sep 30, 2008 at 3:12 PM, ware <[EMAIL PROTECTED]> wrote:
>>>
>>>
>>> teh guverment iz wathcin ur queerys datumz
>>>
>>>
>>>
>>>
>>>
>>
>> >
>>
>
>
> >
>




[nlug] Re: DNS Hijacking(?)

2008-10-01 Thread Richard Thomas

Bill Butler finally wrote back. He's been looking into it apparently 
(that's all I needed to hear). I'll stick with him for now and use the 
alternative DNS. I'm not sure how long that will be available for.

Rich

ware wrote:
> --snip--
> [14:27 9/29/08]FOUO: ALL STATIONS EFFECTIVE IMMEDIATELY, WMP - RFI
> out on K4RNT (SMITH, ALEX)
> --/snip--
>
> oh hai thar!  b seen u on teh statez msg switch wen u wuz lookd 4.
> jus thogut u miht wan2no kthnx!  bet u culd pay em wut u owe nden j00
> git sum frenz dahr, k?  thnx 4ur hep wif dis stuf.
>
> (sidez, mah troll is2b use nun 4 NLUG cuz we <3 dem herez nahmsayn?)
>
> 
>
> we've run across too many of our clients' ISPs in bumfukt east TN that
> had vulnerable DNS servers and have switched them to OpenDNS for the
> interim.  it does sound like it's Butler's issue so I'd stick with your
> alternative or check out Clearwire
>
> -ware
>
> On Tue, Sep 30, 2008 at 4:12 PM, Richard Thomas <[EMAIL PROTECTED]> wrote:
>   
>> Yu haz tu avoyed thayr philterz yu noe.
>>
>> Alex Smith (K4RNT) wrote:
>>
>> I don't know what you are saying ! If you're going to troll, at least
>> be coherent about it ! ;)
>>
>> On Tue, Sep 30, 2008 at 3:12 PM, ware <[EMAIL PROTECTED]> wrote:
>>
>>
>> teh guverment iz wathcin ur queerys datumz
>>
>>
>>
>>
>> 
>
> >
>   





[nlug] Re: DNS Hijacking(?)

2008-09-30 Thread ware

--snip--
[14:27 9/29/08]FOUO: ALL STATIONS EFFECTIVE IMMEDIATELY, WMP - RFI
out on K4RNT (SMITH, ALEX)
--/snip--

oh hai thar!  b seen u on teh statez msg switch wen u wuz lookd 4.
jus thogut u miht wan2no kthnx!  bet u culd pay em wut u owe nden j00
git sum frenz dahr, k?  thnx 4ur hep wif dis stuf.

(sidez, mah troll is2b use nun 4 NLUG cuz we <3 dem herez nahmsayn?)



we've run across too many of our clients' ISPs in bumfukt east TN that
had vulnerable DNS servers and have switched them to OpenDNS for the
interim.  it does sound like it's Butler's issue so I'd stick with your
alternative or check out Clearwire

-ware

On Tue, Sep 30, 2008 at 4:12 PM, Richard Thomas <[EMAIL PROTECTED]> wrote:
> Yu haz tu avoyed thayr philterz yu noe.
>
> Alex Smith (K4RNT) wrote:
>
> I don't know what you are saying ! If you're going to troll, at least
> be coherent about it ! ;)
>
> On Tue, Sep 30, 2008 at 3:12 PM, ware <[EMAIL PROTECTED]> wrote:
>
>
> teh guverment iz wathcin ur queerys datumz
>
>
>
>
> >
>




[nlug] Re: DNS Hijacking(?)

2008-09-30 Thread Alex Smith (K4RNT)

I don't know what you are saying ! If you're going to troll, at least
be coherent about it ! ;)

On Tue, Sep 30, 2008 at 3:12 PM, ware <[EMAIL PROTECTED]> wrote:
>
> teh guverment iz wathcin ur queerys datumz

-- 
" ' With the first link, the chain is forged. The first speech
censured, the first thought forbidden, the first freedom denied,
chains us all irrevocably.' Those words were uttered by Judge Aaron
Satie as wisdom and warning... The first time any man's freedom is
trodden on we're all damaged." - Picard, quoting Judge Aaron Satie
- Alex Smith (K4RNT)
- Murfreesboro/Nashville, TN




[nlug] Re: DNS Hijacking(?)

2008-09-30 Thread Richard Thomas
Yu haz tu avoyed thayr philterz yu noe.

Alex Smith (K4RNT) wrote:
> I don't know what you are saying ! If you're going to troll, at least
> be coherent about it ! ;)
>
> On Tue, Sep 30, 2008 at 3:12 PM, ware <[EMAIL PROTECTED]> wrote:
>   
>> teh guverment iz wathcin ur queerys datumz
>> 
>
>   





[nlug] Re: DNS Hijacking(?)

2008-09-30 Thread ware

teh guverment iz wathcin ur queerys datumz

On Tue, Sep 30, 2008 at 2:10 PM, Richard Thomas <[EMAIL PROTECTED]> wrote:
>
> Well, I managed to sort out a "friendly" DNS server and have configured
> my DNS server to forward requests on port 52. So far, looks good as a
> temporary measure until I decide what to do next. I am a little
> incandescent at this at the moment.
>
> Rich
>
> Andrew Farnsworth wrote:
>> On Tue, Sep 30, 2008 at 2:38 PM, Richard Thomas <[EMAIL PROTECTED]> wrote:
>>
>>
>> Andrew Farnsworth wrote:
>> > Tunnel out using ssh and do a local redirect on port 53.  Then point
>> > your DNS clients at the machine running ssh... shazam! you are past
>> > the filter.
>> >
>> > Andy
>> Too much hassle and a vulnerable point-of-failure. I'm not sure about
>> tunnelling UDP anyway (I know DNS can do both but isn't UDP the
>> default?)
>>
>>
>> Sorry, I meant as a test, not a permanent fix.  I should have been
>> more clear.  Though if you ended up doing something like this, a VPN
>> would be a better idea.  Though switching ISPs would not be out of the
>> question if they are not proactive in preventing this type of thing
>> from happening.
>>
>> Andy
>>
>>
>> >
>
>
> >
>




[nlug] Re: DNS Hijacking(?)

2008-09-30 Thread Richard Thomas

Well, I managed to sort out a "friendly" DNS server and have configured 
my DNS server to forward requests on port 52. So far, looks good as a 
temporary measure until I decide what to do next. I am a little 
incandescent at this at the moment.

Rich

Andrew Farnsworth wrote:
> On Tue, Sep 30, 2008 at 2:38 PM, Richard Thomas <[EMAIL PROTECTED]> wrote:
>
>
> Andrew Farnsworth wrote:
> > Tunnel out using ssh and do a local redirect on port 53.  Then point
> > your DNS clients at the machine running ssh... shazam! you are past
> > the filter.
> >
> > Andy
> Too much hassle and a vulnerable point-of-failure. I'm not sure about
> tunnelling UDP anyway (I know DNS can do both but isn't UDP the
> default?)
>
>
> Sorry, I meant as a test, not a permanent fix.  I should have been 
> more clear.  Though if you ended up doing something like this, a VPN 
> would be a better idea.  Though switching ISPs would not be out of the 
> question if they are not proactive in preventing this type of thing 
> from happening.
>
> Andy
>
>
> >





[nlug] Re: DNS Hijacking(?)

2008-09-30 Thread Andrew Farnsworth
On Tue, Sep 30, 2008 at 2:38 PM, Richard Thomas <[EMAIL PROTECTED]> wrote:

>
> Andrew Farnsworth wrote:
> > Tunnel out using ssh and do a local redirect on port 53.  Then point
> > your DNS clients at the machine running ssh... shazam! you are past
> > the filter.
> >
> > Andy
> Too much hassle and a vulnerable point-of-failure. I'm not sure about
> tunnelling UDP anyway (I know DNS can do both but isn't UDP the default?)


Sorry, I meant as a test, not a permanent fix.  I should have been more
clear.  Though if you ended up doing something like this, a VPN would be a
better idea.  Though switching ISPs would not be out of the question if they
are not proactive in preventing this type of thing from happening.

Andy




[nlug] Re: DNS Hijacking(?)

2008-09-30 Thread Richard Thomas

Andrew Farnsworth wrote:
> Tunnel out using ssh and do a local redirect on port 53.  Then point 
> your DNS clients at the machine running ssh... shazam! you are past 
> the filter.
>
> Andy
Too much hassle and a vulnerable point-of-failure. I'm not sure about 
tunnelling UDP anyway (I know DNS can do both but isn't UDP the default?)

Rich




[nlug] Re: DNS Hijacking(?)

2008-09-30 Thread Richard Thomas

Jeff Dimond wrote:
> I bet it's your ISP.
>  
> Here is a link that may be of interest. Looks like the same thing 
> happened to Windstream customers earlier this year.
> http://www.dslreports.com/forum/r19764165-Windstream-DNS-server-entrynotfoundcom
>  
> You could always run your own DNS with BIND.
>  
> -Jeff
>

I was running my own DNS (caching only). It was when my Firefox 
location-bar searches started turning up in sitefinder(Yahoo) instead of 
Google that I got suspicious.

I just confirmed that it's not some compromise on my system by setting 
up a zone in Bind. Invalid queries to that zone produce no results 
exactly as they should. This is definitely off-local-net stuff.

I emailed my ISP (Butler) last week. No response. I'm wondering if it 
might be time to see how Clearwire performs.

Rich




[nlug] Re: DNS Hijacking(?)

2008-09-30 Thread Andrew Farnsworth
Tunnel out using ssh and do a local redirect on port 53.  Then point your
DNS clients at the machine running ssh... shazam! you are past the filter.

Andy

On Tue, Sep 30, 2008 at 2:29 PM, Jeff Dimond <[EMAIL PROTECTED]> wrote:

> I bet it's your ISP.
>
> Here is a link that may be of interest. Looks like the same thing happened
> to Windstream customers earlier this year.
>
> http://www.dslreports.com/forum/r19764165-Windstream-DNS-server-entrynotfoundcom
>
> You could always run your own DNS with BIND.
>
> -Jeff
>
>
>
> On Tue, Sep 30, 2008 at 1:23 PM, Brandon Valentine <[EMAIL PROTECTED]> wrote:
>
>>
>> Somewhere upstream a transparent DNS proxy is grabbing all traffic on
>> port 53 regardless of destination.  If it's upstream of you there's
>> not much you can do about it besides report it to your ISP.
>>
>> On Tue, Sep 30, 2008 at 1:21 PM, Richard Thomas <[EMAIL PROTECTED]>
>> wrote:
>> >
>> > Richard Thomas wrote:
>> >> I'm switching to using an off-net DNS server for now.
>> >>
>> > No use...
>> >
>> > # dig plob.psysolutions.com @4.2.2.1
>> >
>> > ; <<>> DiG 9.4.1 <<>> plob.psysolutions.com @4.2.2.1
>> > ; (1 server found)
>> > ;; global options:  printcmd
>> > ;; Got answer:
>> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21198
>> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 0
>> >
>> > ;; QUESTION SECTION:
>> > ;plob.psysolutions.com. IN  A
>> >
>> > ;; ANSWER SECTION:
>> > plob.psysolutions.com.  60  IN  A   8.15.7.102
>> > plob.psysolutions.com.  60  IN  A   63.251.179.28
>> >
>> > ;; AUTHORITY SECTION:
>> > plob.psysolutions.com.  65535   IN  NS  WSC2.JOMAX.NET.
>> > plob.psysolutions.com.  65535   IN  NS  WSC1.JOMAX.NET.
>> >
>> > ;; Query time: 52 msec
>> > ;; SERVER: 4.2.2.1#53(4.2.2.1) 
>> > ;; WHEN: Tue Sep 30 13:20:02 2008
>> > ;; MSG SIZE  rcvd: 127
>> >
>> >
>> > >
>> >
>>
>>
>>
>> --
>> Brandon D. Valentine
>> http://www.brandonvalentine.com
>>   >>
>>




[nlug] Re: DNS Hijacking(?)

2008-09-30 Thread Jeff Dimond
I bet it's your ISP.

Here is a link that may be of interest. Looks like the same thing happened
to Windstream customers earlier this year.
http://www.dslreports.com/forum/r19764165-Windstream-DNS-server-entrynotfoundcom

You could always run your own DNS with BIND.

-Jeff



On Tue, Sep 30, 2008 at 1:23 PM, Brandon Valentine <[EMAIL PROTECTED]> wrote:

>
> Somewhere upstream a transparent DNS proxy is grabbing all traffic on
> port 53 regardless of destination.  If it's upstream of you there's
> not much you can do about it besides report it to your ISP.
>
> On Tue, Sep 30, 2008 at 1:21 PM, Richard Thomas <[EMAIL PROTECTED]>
> wrote:
> >
> > Richard Thomas wrote:
> >> I'm switching to using an off-net DNS server for now.
> >>
> > No use...
> >
> > # dig plob.psysolutions.com @4.2.2.1
> >
> > ; <<>> DiG 9.4.1 <<>> plob.psysolutions.com @4.2.2.1
> > ; (1 server found)
> > ;; global options:  printcmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21198
> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 0
> >
> > ;; QUESTION SECTION:
> > ;plob.psysolutions.com. IN  A
> >
> > ;; ANSWER SECTION:
> > plob.psysolutions.com.  60  IN  A   8.15.7.102
> > plob.psysolutions.com.  60  IN  A   63.251.179.28
> >
> > ;; AUTHORITY SECTION:
> > plob.psysolutions.com.  65535   IN  NS  WSC2.JOMAX.NET.
> > plob.psysolutions.com.  65535   IN  NS  WSC1.JOMAX.NET.
> >
> > ;; Query time: 52 msec
> > ;; SERVER: 4.2.2.1#53(4.2.2.1) 
> > ;; WHEN: Tue Sep 30 13:20:02 2008
> > ;; MSG SIZE  rcvd: 127
> >
> >
> > >
> >
>
>
>
> --
> Brandon D. Valentine
> http://www.brandonvalentine.com
>
> >
>




[nlug] Re: DNS Hijacking(?)

2008-09-30 Thread Brandon Valentine

Somewhere upstream a transparent DNS proxy is grabbing all traffic on
port 53 regardless of destination.  If it's upstream of you there's
not much you can do about it besides report it to your ISP.

On Tue, Sep 30, 2008 at 1:21 PM, Richard Thomas <[EMAIL PROTECTED]> wrote:
>
> Richard Thomas wrote:
>> I'm switching to using an off-net DNS server for now.
>>
> No use...
>
> # dig plob.psysolutions.com @4.2.2.1
>
> ; <<>> DiG 9.4.1 <<>> plob.psysolutions.com @4.2.2.1
> ; (1 server found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21198
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;plob.psysolutions.com. IN  A
>
> ;; ANSWER SECTION:
> plob.psysolutions.com.  60  IN  A   8.15.7.102
> plob.psysolutions.com.  60  IN  A   63.251.179.28
>
> ;; AUTHORITY SECTION:
> plob.psysolutions.com.  65535   IN  NS  WSC2.JOMAX.NET.
> plob.psysolutions.com.  65535   IN  NS  WSC1.JOMAX.NET.
>
> ;; Query time: 52 msec
> ;; SERVER: 4.2.2.1#53(4.2.2.1)
> ;; WHEN: Tue Sep 30 13:20:02 2008
> ;; MSG SIZE  rcvd: 127
>
>
> >
>



-- 
Brandon D. Valentine
http://www.brandonvalentine.com




[nlug] Re: DNS Hijacking(?)

2008-09-30 Thread Richard Thomas

Richard Thomas wrote:
> I'm switching to using an off-net DNS server for now. 
>   
No use...

# dig plob.psysolutions.com @4.2.2.1

; <<>> DiG 9.4.1 <<>> plob.psysolutions.com @4.2.2.1
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21198
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;plob.psysolutions.com. IN  A

;; ANSWER SECTION:
plob.psysolutions.com.  60  IN  A   8.15.7.102
plob.psysolutions.com.  60  IN  A   63.251.179.28

;; AUTHORITY SECTION:
plob.psysolutions.com.  65535   IN  NS  WSC2.JOMAX.NET.
plob.psysolutions.com.  65535   IN  NS  WSC1.JOMAX.NET.

;; Query time: 52 msec
;; SERVER: 4.2.2.1#53(4.2.2.1)
;; WHEN: Tue Sep 30 13:20:02 2008
;; MSG SIZE  rcvd: 127





[nlug] Re: DNS Hijacking(?)

2008-09-30 Thread Richard Thomas

It's worse than I thought. It also appears to be hijacking subdomains of 
valid domains. I'm switching to using an off-net DNS server for now. 
This is very disturbing.

Rich

$ dig bleepblop.google.com

; <<>> DiG 9.4.1 <<>> bleepblop.google.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56987
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;bleepblop.google.com.  IN  A

;; ANSWER SECTION:
bleepblop.google.com.   60  IN  A   8.15.7.102
bleepblop.google.com.   60  IN  A   63.251.179.28

;; AUTHORITY SECTION:
bleepblop.google.com.   65535   IN  NS  WSC2.JOMAX.NET.
bleepblop.google.com.   65535   IN  NS  WSC1.JOMAX.NET.

;; ADDITIONAL SECTION:
WSC2.JOMAX.NET. 92600   IN  A   208.109.255.1
WSC1.JOMAX.NET. 92600   IN  A   216.69.185.1

;; Query time: 35 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Sep 30 13:15:27 2008
;; MSG SIZE  rcvd: 149





[nlug] Re: DNS Hijacking(?)

2008-09-25 Thread Ken Barber

On Sep 25, 2008, at 3:08 PM, Richard Thomas wrote:

> I've written to Bill but would be interested to hear if it's happening
> with business or other ISPs (it's not happening with my work stuff).

Not happening here (Comcast, west side of town):

bash-3.2$ dig @d.gtld-servers.net qweqpoqwiepoqiwepqiwe.com

; <<>> DiG 9.4.2-P1 <<>> @d.gtld-servers.net qweqpoqwiepoqiwepqiwe.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 33930
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;qweqpoqwiepoqiwepqiwe.com. IN  A

;; AUTHORITY SECTION:
com.    900 IN  SOA a.gtld-servers.net. nstld.verisign-grs.com. 1222392666 1800 900 604800 900

;; Query time: 56 msec
;; SERVER: 192.31.80.30#53(192.31.80.30)
;; WHEN: Thu Sep 25 20:31:25 2008
;; MSG SIZE  rcvd: 116





[nlug] Re: DNS Hijacking(?)

2008-09-25 Thread Richard Thomas
This is the thing though. I do have my own DNS set up. The dig I used 
was what should have been a direct query to one of the top level domain 
servers. If this is real and not just something with my set up, I take a 
pretty dim view of whoever's doing this.

Tim O'Guin wrote:
> On Thu, Sep 25, 2008 at 3:08 PM, Richard Thomas <[EMAIL PROTECTED]> wrote:
>   
>> Is anyone else having issues out there with DNS requests which should
>> fail resolving to a search engine? This is with Butler net residential.
>> I've written to Bill but would be interested to hear if it's happening
>> with business or other ISPs (it's not happening with my work stuff).
>> I've narrowed it down and it's like the requests to the root and top
>> level domain servers are being hijacked...
>> 
>
> I have Charter's 16Mb cable at home, and it's been doing this since I
> got it.  All requests to invalid domains get redirected to a Charter
> search portal.
>
> Here is the result of a dig.
>
> ;; ANSWER SECTION:
> footuasdflqweryuzxg.com. 60   IN  A   64.158.56.56
> footuasdflqweryuzxg.com. 60   IN  A   63.251.179.56
>
> ;; AUTHORITY SECTION:
> footuasdflqweryuzxg.com. 65535IN  NS  WSC2.JOMAX.NET.
> footuasdflqweryuzxg.com. 65535IN  NS  WSC1.JOMAX.NET.
>
> ;; Query time: 60 msec
> ;; SERVER: 24.159.64.23#53(24.159.64.23)
> ;; WHEN: Thu Sep 25 15:38:24 2008
> ;; MSG SIZE  rcvd: 129
>
> I'm used to this and usually just hit Esc to stop it from loading when
> I see it coming up via the status bar.  I've really been meaning to
> set up my own DNS though, and this is all the more reason to get off my
> lazy ass and actually do it.
>
> >
>   





[nlug] Re: DNS Hijacking(?)

2008-09-25 Thread Tim O'Guin

On Thu, Sep 25, 2008 at 3:08 PM, Richard Thomas <[EMAIL PROTECTED]> wrote:
>
> Is anyone else having issues out there with DNS requests which should
> fail resolving to a search engine? This is with Butler net residential.
> I've written to Bill but would be interested to hear if it's happening
> with business or other ISPs (it's not happening with my work stuff).
> I've narrowed it down and it's like the requests to the root and top
> level domain servers are being hijacked...

I have Charter's 16Mb cable at home, and it's been doing this since I
got it.  All requests to invalid domains get redirected to a Charter
search portal.

Here is the result of a dig.

;; ANSWER SECTION:
footuasdflqweryuzxg.com. 60 IN  A   64.158.56.56
footuasdflqweryuzxg.com. 60 IN  A   63.251.179.56

;; AUTHORITY SECTION:
footuasdflqweryuzxg.com. 65535  IN  NS  WSC2.JOMAX.NET.
footuasdflqweryuzxg.com. 65535  IN  NS  WSC1.JOMAX.NET.

;; Query time: 60 msec
;; SERVER: 24.159.64.23#53(24.159.64.23)
;; WHEN: Thu Sep 25 15:38:24 2008
;; MSG SIZE  rcvd: 129

I'm used to this and usually just hit Esc to stop it from loading when
I see it coming up via the status bar.  I've really been meaning to
set up my own DNS though, and this is all the more reason to get off my
lazy ass and actually do it.




[nlug] Re: DNS Hijacking(?)

2008-09-25 Thread John R. Dennison
On Thu, Sep 25, 2008 at 03:08:12PM -0500, Richard Thomas wrote:
> 
> Is anyone else having issues out there with DNS requests which should 
> fail resolving to a search engine? This is with Butler net residential. 
> I've written to Bill but would be interested to hear if it's happening 
> with business or other ISPs (it's not happening with my work stuff). 
> I've narrowed it down and it's like the requests to the root and top 
> level domain servers are being hijacked...

Tried from my home network (charter) and various managed hosts
around the country (Level-3, Sprint, GBLX, etc); I am not seeing
this from anywhere.





John

-- 
"I'm sorry but our engineers do not have phones."
As stated by a Network Solutions Customer Service representative when asked to
be put through to an engineer.

"My other computer is your windows box."
 Ralf Hildebrandt
 trying to play sturgeon while it's under attack is apparently not fun.




[nlug] Re: DNS Hijacking(?)

2008-09-25 Thread Chris McQuistion

Do you know about the big DNS vulnerability that was recently unveiled?  
It required that ISPs update their DNS servers or be vulnerable to some 
very serious hijacking.

I use OpenDNS's servers.  They are kept up to date and offer some nice 
little features like DNS name correction (say you enter .eud, instead of 
.edu, it corrects this and forwards you to the .edu address.)

Chris


Richard Thomas wrote:
> Is anyone else having issues out there with DNS requests which should 
> fail resolving to a search engine? This is with Butler net residential. 
> I've written to Bill but would be interested to hear if it's happening 
> with business or other ISPs (it's not happening with my work stuff). 
> I've narrowed it down and it's like the requests to the root and top 
> level domain servers are being hijacked...
>
>  From my home network
>
> [EMAIL PROTECTED]:/etc# dig qweqpoqwiepoqiwepqiwe.com @d.gtld-servers.net
>
> ; <<>> DiG 9.4.1 <<>> qweqpoqwiepoqiwepqiwe.com @d.gtld-servers.net
> ; (1 server found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10473
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;qweqpoqwiepoqiwepqiwe.com. IN  A
>
> ;; ANSWER SECTION:
> qweqpoqwiepoqiwepqiwe.com. 60   IN  A   8.15.7.102
> qweqpoqwiepoqiwepqiwe.com. 60   IN  A   63.251.179.28
>
> ;; AUTHORITY SECTION:
> qweqpoqwiepoqiwepqiwe.com. 65535 IN NS  WSC2.JOMAX.NET.
> qweqpoqwiepoqiwepqiwe.com. 65535 IN NS  WSC1.JOMAX.NET.
>
> ;; Query time: 752 msec
> ;; SERVER: 192.31.80.30#53(192.31.80.30)
> ;; WHEN: Thu Sep 25 14:59:33 2008
> ;; MSG SIZE  rcvd: 131
>
>
>  From Outside:
>
> [EMAIL PROTECTED]:~$ dig qweqpoqwiepoqiwepqiwe.com @d.gtld-servers.net
>
> ; <<>> DiG 9.4.1 <<>> qweqpoqwiepoqiwepqiwe.com @d.gtld-servers.net
> ; (1 server found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 40084
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;qweqpoqwiepoqiwepqiwe.com. IN  A
>
> ;; AUTHORITY SECTION:
> com.900 IN  SOA a.gtld-servers.net.
> nstld.verisign-grs.com. 1222372779 1800 900 604800 900
>
> ;; Query time: 56 msec
> ;; SERVER: 192.31.80.30#53(192.31.80.30)
> ;; WHEN: Thu Sep 25 14:59:57 2008
> ;; MSG SIZE  rcvd: 116
>
> The IP for resolves to the same on both systems (192.31.80.30)
>
> If this is a known hack, I'd like to hear too. Though everything looks 
> clean as far as I can tell.
>
> Rich
>
> >
>   
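As an added example that is not part of the thread, the shell helper below classifies a dig response the way the two digs quoted above differ (NOERROR with answer records from a TLD server for a name that cannot exist, versus an honest NXDOMAIN), and a probe function repeats Richard's check against a random label. The probe's default server, the label format and the sample header lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: tell an honest NXDOMAIN from the
# rewritten answer seen on the home network, by reading the header that
# dig prints. A TLD server asked about a name that cannot exist should
# answer status NXDOMAIN with ANSWER: 0; NOERROR plus ANSWER records for
# such a name means something in the path substituted a response.

# classify_dig_output: read dig output on stdin and print CLEAN, HIJACKED
# or UNKNOWN (timeout, SERVFAIL, or output we cannot parse).
classify_dig_output() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    answers=$(printf '%s\n' "$out" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1)
    if [ -z "$status" ] || [ -z "$answers" ]; then
        echo UNKNOWN
        return 0
    fi
    case "$status:$answers" in
        NXDOMAIN:0) echo CLEAN ;;
        NOERROR:0)  echo UNKNOWN ;;   # referral or name with no A record; not a rewrite
        NOERROR:*)  echo HIJACKED ;;
        *)          echo UNKNOWN ;;
    esac
}

# probe_tld: query a TLD server directly, as the digs in the thread do,
# for a random label that cannot be registered. Needs network access and
# dig. TLD and server are assumed defaults: probe_tld [tld] [server]
probe_tld() {
    tld=${1:-com}
    server=${2:-d.gtld-servers.net}
    label=$(head -c 12 /dev/urandom | od -An -tx1 | tr -d ' \n')
    dig "nxprobe-${label}.${tld}" A "@${server}" +tries=1 +time=3 | classify_dig_output
}

# Constructed samples: the header lines from the two digs quoted above
# (home network vs outside), trimmed to what the classifier needs.
SAMPLE_HOME=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10473
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 0'
SAMPLE_OUTSIDE=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 40084
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0'

printf '%s\n' "$SAMPLE_HOME" | classify_dig_output      # HIJACKED
printf '%s\n' "$SAMPLE_OUTSIDE" | classify_dig_output   # CLEAN
```

Running probe_tld a few times from inside and outside the suspect network gives the same comparison Richard made by hand; a timeout or SERVFAIL is reported as UNKNOWN rather than as either verdict.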




[nlug] Re: DNS Hijacking(?)

2008-09-25 Thread Jeff Dimond
Not happening on AT&T business. I'll check Comcast when I get home.

-Jeff

On Thu, Sep 25, 2008 at 3:08 PM, Richard Thomas <[EMAIL PROTECTED]>wrote:

>
> Is anyone else having issues out there with DNS requests which should
> fail resolving to a search engine? This is with Butler net residential.
> I've written to Bill but would be interested to hear if it's happening
> with business or other ISPs (it's not happening with my work stuff).
> I've narrowed it down and it's like the requests to the root and top
> level domain servers are being hijacked...
>
>  From my home network
>
>[EMAIL PROTECTED]:/etc# dig qweqpoqwiepoqiwepqiwe.com @d.gtld-servers.net
>
>; <<>> DiG 9.4.1 <<>> qweqpoqwiepoqiwepqiwe.com @d.gtld-servers.net
>; (1 server found)
>;; global options:  printcmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10473
>;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 0
>;; WARNING: recursion requested but not available
>
>;; QUESTION SECTION:
>;qweqpoqwiepoqiwepqiwe.com. IN  A
>
>;; ANSWER SECTION:
>qweqpoqwiepoqiwepqiwe.com. 60   IN  A   8.15.7.102
>qweqpoqwiepoqiwepqiwe.com. 60   IN  A   63.251.179.28
>
>;; AUTHORITY SECTION:
>qweqpoqwiepoqiwepqiwe.com. 65535 IN NS  WSC2.JOMAX.NET.
>qweqpoqwiepoqiwepqiwe.com. 65535 IN NS  WSC1.JOMAX.NET.
>
>;; Query time: 752 msec
>;; SERVER: 192.31.80.30#53(192.31.80.30)
>;; WHEN: Thu Sep 25 14:59:33 2008
>;; MSG SIZE  rcvd: 131
>
>
>  From Outside:
>
>[EMAIL PROTECTED]:~$ dig qweqpoqwiepoqiwepqiwe.com @d.gtld-servers.net
>
>; <<>> DiG 9.4.1 <<>> qweqpoqwiepoqiwepqiwe.com @d.gtld-servers.net
>; (1 server found)
>;; global options:  printcmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 40084
>;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>;; WARNING: recursion requested but not available
>
>;; QUESTION SECTION:
>;qweqpoqwiepoqiwepqiwe.com. IN  A
>
>;; AUTHORITY SECTION:
>com.900 IN  SOA a.gtld-servers.net.
>nstld.verisign-grs.com. 1222372779 1800 900 604800 900
>
>;; Query time: 56 msec
>;; SERVER: 192.31.80.30#53(192.31.80.30)
>;; WHEN: Thu Sep 25 14:59:57 2008
>;; MSG SIZE  rcvd: 116
>
> The IP for resolves to the same on both systems (192.31.80.30)
>
> If this is a known hack, I'd like to hear too. Though everything looks
> clean as far as I can tell.
>
> Rich
>
> >
>
