Deconstructing the Great Firewall of China

2020-06-05 Thread Paul Kosinski via bind-users
A very interesting article on how China uses DNS (among other things)
to "control" Internet usage.

https://blog.thousandeyes.com/deconstructing-great-firewall-china/
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Fwd: DNS Misconfiguration on- http://cyberia.net.sa/

2020-06-05 Thread Lee
On 6/5/20, Fred Morris  wrote:
> Hrmmm... I'm reminded of something else I've seen reported on recently...
>
> On Fri, 5 Jun 2020, Ejaz Ahmed wrote:
>> localhost.cyberia.net.sa
>
> I don't know if you've been paying attention, but it's been reported that
> among others EBay has been port scanning visitor's devices [0]. Having
> localhost.ebay.com could be handy for them in terms of circumventing some
> rules on setting of cookies and the execution of scripts. Not saying
> that's what they're doing, heaven forbid.
>
> Any domain you visit could have entries in it which point to e.g.
> localhost or nonrouting addresses commonly used for gateways, things like
> that.
>
> This is not a DNS problem, it's a problem in what commonly used programs
> aid and abet in the name of "freedom of commerce" or something.

It's possible to block with rpz & something else that I can't recall
right now.  I did RPZ blocking first, so I didn't bother changing

;  return NXDOMAIN for any 127.0.0.0/8 answers
;exceptions:
onea.net-snmp.org   CNAME   rpz-passthru.
twoa.net-snmp.org   CNAME   rpz-passthru.
localhost   CNAME   rpz-passthru.
8.0.0.0.127.rpz-ip  CNAME   .   ;  127.0.0.0/8
;   check:
; localhost   127.0.0.1
; onea.net-snmp.org   127.0.0.1
; twoa.net-snmp.org   127.0.0.2 127.0.0.3

All my other host names that used to return 127.0.0.1 answers don't
any more :(  Anyone know some valid names I can use for testing?

Lee
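
How the owner name `8.0.0.0.127.rpz-ip` in the fragment above encodes 127.0.0.0/8, and why the three passthru names survive the block, as an added example that is not part of the original message. It models a single policy zone in Python using the trigger precedence BIND documents (QNAME before response IP); it handles IPv4 only and no wildcards, and the `example.test` names in the test are constructed.

```python
import ipaddress

# Rules transcribed from the zone fragment in the message above.
RPZ_RULES = {
    "onea.net-snmp.org": "rpz-passthru.",
    "twoa.net-snmp.org": "rpz-passthru.",
    "localhost": "rpz-passthru.",
    "8.0.0.0.127.rpz-ip": ".",
}
ACTIONS = {".": "NXDOMAIN", "rpz-passthru.": "PASSTHRU"}

def encode_rpz_ip(cidr):
    """'127.0.0.0/8' -> '8.0.0.0.127.rpz-ip' (IPv4 only in this sketch)."""
    net = ipaddress.IPv4Network(cidr)
    octets = str(net.network_address).split(".")
    return ".".join([str(net.prefixlen), *octets[::-1], "rpz-ip"])

def decode_rpz_ip(owner):
    """'8.0.0.0.127.rpz-ip' -> IPv4Network('127.0.0.0/8').
    The first label is the prefix length; the octets follow reversed."""
    labels = owner.split(".")
    if len(labels) != 6 or labels[-1] != "rpz-ip":
        raise ValueError(f"not an IPv4 rpz-ip owner: {owner}")
    return ipaddress.IPv4Network(f"{'.'.join(labels[4:0:-1])}/{labels[0]}")

def evaluate(qname, answer_ips, rules=RPZ_RULES):
    """Apply one policy zone to a response. An exact QNAME trigger wins over
    any response-IP trigger; among IP triggers the longest prefix wins."""
    qname = qname.rstrip(".").lower()
    if qname in rules:
        return ACTIONS[rules[qname]]
    best = None
    for owner, target in rules.items():
        if not owner.endswith(".rpz-ip"):
            continue
        net = decode_rpz_ip(owner)
        if any(ipaddress.ip_address(ip) in net for ip in answer_ips):
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, target)
    return ACTIONS[best[1]] if best else "NO-MATCH"
```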


Re: DNS Misconfiguration on- http://cyberia.net.sa/

2020-06-05 Thread Michael De Roover
Wholeheartedly agreed. Not to mention that it's extremely rude to demand 
fame/money like that. These are not security researchers, they're skids.


(Please disregard the previous email, pressed the wrong reply button and 
realized it too late..)


On 6/5/20 11:53 AM, Ondřej Surý wrote:

> The localhost. is not scam, but the
>
> „I found this on HackerOne and I now want money“ is scam.
>
> Remove the localhost entry from the zone, but you should not pay money
> for issues that can be produced by automated scanners.
>
> HackerOne is doing everyone disfavor by paying nonsensical amounts of
> money[*] for small issues like this. They (and other wealthy companies)
> should be paying money only for original security research and not this
> nonsense.
>
> * $100 is a helluva money in some economies...
>
> Ondrej
> --
> Ondřej Surý
> ond...@isc.org

--
Met vriendelijke groet / Best regards,
Michael De Roover


Re: Fwd: DNS Misconfiguration on- http://cyberia.net.sa/

2020-06-05 Thread Fred Morris

Hrmmm... I'm reminded of something else I've seen reported on recently...

On Fri, 5 Jun 2020, Ejaz Ahmed wrote:

> localhost.cyberia.net.sa


I don't know if you've been paying attention, but it's been reported that 
among others EBay has been port scanning visitor's devices [0]. Having 
localhost.ebay.com could be handy for them in terms of circumventing some 
rules on setting of cookies and the execution of scripts. Not saying 
that's what they're doing, heaven forbid.


Any domain you visit could have entries in it which point to e.g. 
localhost or nonrouting addresses commonly used for gateways, things like 
that.


This is not a DNS problem, it's a problem in what commonly used programs 
aid and abet in the name of "freedom of commerce" or something.


--

Fred Morris

--

[0] 
https://www.bleepingcomputer.com/news/security/ebay-port-scans-visitors-computers-for-remote-access-programs/




VS: DNS Misconfiguration on- http://cyberia.net.sa/

2020-06-05 Thread Jukka Pakkanen
Complete scam, ignore.

Just check the “securityfocus” link, it’s fake too.

Jukka

From: bind-users On behalf of Ejaz Ahmed
Sent: 5 June 2020 10:55
To: bind-users@lists.isc.org
Subject: Fwd: DNS Misconfiguration on- http://cyberia.net.sa/



Someone is claiming that our name server 212.118.64.2 is vulnerable with 
below information. Is this true?

Any suggestions would be appreciated

Thanks in advance

Ejaz



Dear CYBERIA GROUP Security Team ,

I Rahul a Ethical Hacker and Security Researcher. I found a vulnerability on 
your website that is DNS Misconfiguration .

Your localhost.cyberia.net.sa   has address 
127.0.0.1 and this may lead to "Same- Site" Scripting. I can also ping the 
localhost network.


Here is detailed description of this minor security issue : 
http://www.securityfocus.com/archive/1/486606/30/0/threaded

Find attached POC  Video.

Dear Team Waiting for your response and I want bounty(money) with an 
Appreciation letter for my work and effort which I have given for


Thanks in advance
Ejaz









VS: DNS Misconfiguration on- http://cyberia.net.sa/

2020-06-05 Thread Jukka Pakkanen
Thx for the info, had missed this one and actually we have that minor 
misconfiguration too. Have had since 1995 when started our nameservers and 
never noticed...

Jukka

-Original message-
From: Ondřej Surý
Sent: 5 June 2020 11:53
To: Jukka Pakkanen
Cc: Ejaz Ahmed; bind-users@lists.isc.org
Subject: Re: DNS Misconfiguration on- http://cyberia.net.sa/

The localhost. is not scam, but the

„I found this on HackerOne and I now want money“ is scam.

Remove the localhost entry from the zone, but you should not pay money for 
issues that can be produced by automated scanners.

HackerOne is doing everyone disfavor by paying nonsensical amounts of money[*] 
for small issues like this. They (and other wealthy companies) should be paying 
money only for original security research and not this nonsense.

* $100 is a helluva money in some economies...

Ondrej
--
Ondřej Surý
ond...@isc.org

> On 5 Jun 2020, at 11:24, Jukka Pakkanen  wrote:
> 
> Complete scam, ignore.
> 
> Just check the “securityfocus” link, it’s fake too.
> 
> Jukka
> 
> From: bind-users On behalf of Ejaz Ahmed
> Sent: 5 June 2020 10:55
> To: bind-users@lists.isc.org
> Subject: Fwd: DNS Misconfiguration on- http://cyberia.net.sa/
> 
> 
> 
> 
> Someone is claiming that our name server 212.118.64.2 is 
> vulnerable with below information. Is this true?
> 
> Any suggestions would be appreciated
> 
> Thanks in advance
> 
> Ejaz
> 
> 
> 
> 
> Dear CYBERIA GROUP Security Team ,
> 
> I Rahul a Ethical Hacker and Security Researcher. I found a vulnerability on 
> your website that is DNS Misconfiguration .
> 
> Your localhost.cyberia.net.sa   has address 127.0.0.1 and this may lead to 
> "Same- Site" Scripting. I can also ping the localhost network.
> 
> 
> Here is detailed description of this minor security issue : 
> http://www.securityfocus.com/archive/1/486606/30/0/threaded
> 
> Find attached POC  Video.
> 
> Dear Team Waiting for your response and I want bounty(money) with an 
> Appreciation letter for my work and effort which I have given for
> 
> 
> Thanks in advance
> Ejaz
> 
> 
> 
> 


Re: Fwd: DNS Misconfiguration on- http://cyberia.net.sa/

2020-06-05 Thread Matus UHLAR - fantomas

On 05.06.20 11:54, Ejaz Ahmed wrote:

> Someone is claiming that our name server 212.118.64.2 is vulnerable
> with below information. Is this true?


it's not the nameserver. It's the domain "cyberia.net.sa" that has
"localhost" in it pointing to 127.0.0.1

This is useless. The localhost hostname should not exist in domains other
than "localhost." that should be configured on recursive servers.


> Any suggestions would be appreciated


simply remove the "localhost" record from cyberia.net.sa and possibly other
domains.


> Dear CYBERIA GROUP Security Team ,
>
> I Rahul a Ethical Hacker and Security Researcher. I found a vulnerability
> on your website that is DNS Misconfiguration .
>
> Your localhost.cyberia.net.sa has
> address 127.0.0.1 and this may lead to "Same- Site" Scripting. I can also
> ping the localhost network.
>
>
> Here is detailed description of this minor security issue :
> http://www.securityfocus.com/archive/1/486606/30/0/threaded
>
> Find attached POC  Video.
>
> Dear Team Waiting for your response and I want bounty(money) with an
> Appreciation letter for my work and effort which I have given for
>
>
> Thanks in advance
> Ejaz


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
REALITY.SYS corrupted. Press any key to reboot Universe.
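
One way to audit zone files for the record discussed above before removing it from "cyberia.net.sa and possibly other domains", as an added example that is not part of the original message. It generalises slightly to any A/AAAA record pointing at 127.0.0.0/8 or ::1 and exempts the apex of the real "localhost." zone; the sample zone is constructed (only the localhost record comes from the thread), and the parser covers ordinary one-line records, not every master-file feature.

```python
import ipaddress
import re

# Constructed sample zone; only the localhost record comes from the thread.
SAMPLE_ZONE = """\
$ORIGIN cyberia.net.sa.
$TTL 3600
@          IN SOA ns1 hostmaster 2020060501 3600 900 604800 3600
ns1        IN A     192.0.2.53
localhost  IN A     127.0.0.1      ; the entry the replies say to remove
www   3600 IN A     192.0.2.10
lo6           AAAA  ::1
dev.example.net. IN A 127.0.0.53
"""

CLASSES = {"IN", "CH", "HS"}
TTL_RE = re.compile(r"(\d+[smhdw]?)+", re.IGNORECASE)

def fqdn(name, origin):
    """Expand a zone-file owner name against the current $ORIGIN."""
    if name == "@":
        return origin.lower()
    full = name if name.endswith(".") else f"{name}.{origin.lstrip('.')}"
    return full.lower()

def find_loopback_records(zone_text, origin="."):
    """Return (owner, type, address) for each A/AAAA record that points at
    127.0.0.0/8 or ::1, except the apex of the real "localhost." zone."""
    last_owner, hits = None, []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()       # drop comments
        fields = line.split()
        if not fields:
            continue
        if fields[0].upper() == "$ORIGIN":
            origin = fields[1]
            continue
        if fields[0].startswith("$"):              # $TTL, $INCLUDE, ...
            continue
        if line[0].isspace():                      # blank owner: reuse previous
            owner = last_owner
        else:
            owner = last_owner = fqdn(fields.pop(0), origin)
        # TTL and class are optional and may appear in either order
        while fields and (fields[0].upper() in CLASSES or TTL_RE.fullmatch(fields[0])):
            fields.pop(0)
        if len(fields) < 2 or fields[0].upper() not in ("A", "AAAA"):
            continue
        try:
            addr = ipaddress.ip_address(fields[1])
        except ValueError:
            continue                               # malformed rdata: skip
        if addr.is_loopback and owner != "localhost.":
            hits.append((owner, fields[0].upper(), str(addr)))
    return hits
```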


Re: DNS Misconfiguration on- http://cyberia.net.sa/

2020-06-05 Thread Ondřej Surý
The localhost. is not scam, but the

„I found this on HackerOne and I now want money“ is scam.

Remove the localhost entry from the zone, but you should not pay money
for issues that can be produced by automated scanners.

HackerOne is doing everyone disfavor by paying nonsensical amounts of
money[*] for small issues like this. They (and other wealthy companies)
should be paying money only for original security research and not this
nonsense.

* $100 is a helluva money in some economies...

Ondrej
--
Ondřej Surý
ond...@isc.org

> On 5 Jun 2020, at 11:24, Jukka Pakkanen  wrote:
> 
> Complete scam, ignore.
> 
> Just check the “securityfocus” link, it’s fake too.
> 
> Jukka
> 
> From: bind-users On behalf of Ejaz Ahmed
> Sent: 5 June 2020 10:55
> To: bind-users@lists.isc.org
> Subject: Fwd: DNS Misconfiguration on- http://cyberia.net.sa/
> 
> 
> 
> 
> Someone is claiming that our name server 212.118.64.2 is vulnerable with 
> below information. Is this true?
> 
> Any suggestions would be appreciated
> 
> Thanks in advance
> 
> Ejaz
> 
> 
> 
> 
> Dear CYBERIA GROUP Security Team ,
> 
> I Rahul a Ethical Hacker and Security Researcher. I found a vulnerability on 
> your website that is DNS Misconfiguration .
> 
> Your localhost.cyberia.net.sa   has address 127.0.0.1 and this may lead to 
> "Same- Site" Scripting. I can also ping the localhost network.
> 
> 
> Here is detailed description of this minor security issue : 
> http://www.securityfocus.com/archive/1/486606/30/0/threaded
> 
> Find attached POC  Video.
> 
> Dear Team Waiting for your response and I want bounty(money) with an 
> Appreciation letter for my work and effort which I have given for
> 
> 
> Thanks in advance
> Ejaz
> 
> 
> 
> 


Fwd: DNS Misconfiguration on- http://cyberia.net.sa/

2020-06-05 Thread Ejaz Ahmed
Someone is claiming that our name server 212.118.64.2 is vulnerable
with below information. Is this true?

Any suggestions would be appreciated

Thanks in advance

Ejaz




Dear CYBERIA GROUP Security Team ,

I Rahul a Ethical Hacker and Security Researcher. I found a vulnerability
on your website that is DNS Misconfiguration .

Your localhost.cyberia.net.sa has
address 127.0.0.1 and this may lead to "Same- Site" Scripting. I can also
ping the localhost network.


Here is detailed description of this minor security issue :
http://www.securityfocus.com/archive/1/486606/30/0/threaded

Find attached POC  Video.

Dear Team Waiting for your response and I want bounty(money) with an
Appreciation letter for my work and effort which I have given for


Thanks in advance
Ejaz


Re: VS: DNS Misconfiguration on- http://cyberia.net.sa/

2020-06-05 Thread Tony Finch
Jukka Pakkanen  wrote:

> Thx for the info, had missed this one and actually we have that minor
> misconfiguration too. Have had since 1995 when started our nameservers
> and never noticed...

Yes, it used to be recommended -
https://tools.ietf.org/html/rfc1537#section-10

But not any more, because -
https://seclists.org/bugtraq/2008/Jan/270

I also only found out about this recently(ish) -
https://www.dns.cam.ac.uk/news/2017-09-01-localhost.html

Tony.
-- 
f.anthony.n.finch http://dotat.at/
Tyne, Dogger: Northwest 5 or 6, backing southwest 6 to gale 8, then becoming
cyclonic 5 to 7 later. Slight or moderate, becoming rough for a time. Rain or
thundery showers. Good, occasionally poor.


VS: VS: DNS Misconfiguration on- http://cyberia.net.sa/

2020-06-05 Thread Jukka Pakkanen
Yes but I think the rfc1537 refers, and the recommendation always was 
"localhost." hostname, which refers to name "localhost", not 
"localhost.domain". Then I guess, this was already wrong in the O'Reilly "DNS 
and BIND" book (have to check that), which I remember using as a guideline to 
set up our first domains/zones.  And from that, the setting was copied later on 
to all new domains too.

Jukka

-Original message-
From: Tony Finch
Sent: 5 June 2020 16:09
To: Jukka Pakkanen
Cc: Ondřej Surý; bind-users@lists.isc.org
Subject: Re: VS: DNS Misconfiguration on- http://cyberia.net.sa/

Jukka Pakkanen  wrote:

> Thx for the info, had missed this one and actually we have that minor 
> misconfiguration too. Have had since 1995 when started our nameservers 
> and never noticed...

Yes, it used to be recommended -
https://tools.ietf.org/html/rfc1537#section-10

But not any more, because -
https://seclists.org/bugtraq/2008/Jan/270

I also only found out about this recently(ish) - 
https://www.dns.cam.ac.uk/news/2017-09-01-localhost.html

Tony.
--
f.anthony.n.finch http://dotat.at/
Tyne, Dogger: Northwest 5 or 6, backing southwest 6 to gale 8, then becoming
cyclonic 5 to 7 later. Slight or moderate, becoming rough for a time. Rain or
thundery showers. Good, occasionally poor.
