This is mostly informational and may have already hit this group. My google-foo failed me if so.

I discovered that the CenturyLink/Level(3) public DNS (4.2.2.2, etc) are spoofing all domains. If the hostname begins with a "w" and does not exist in the authoritative zone these hosts will return two Akamai hosts.

[root@localhost ~]# dig +short w3.dummydomaindoesntexist.gov @4.2.2.2
23.202.231.167
23.217.138.108
[root@localhost ~]# dig +short w3.dummydomaindoesntexist.net @4.2.2.2
23.202.231.167
23.217.138.108
[root@localhost ~]# dig +short w3.dummydomaindoesntexist.com @4.2.2.2
23.202.231.167
23.217.138.108
[root@localhost ~]# dig +short w3.dummydomaindoesntexist.org @4.2.2.2
23.202.231.167
23.217.138.108

My apologies if this is old news.

Lawrence Q. Marshall

---------------------------------------------------------------------------------------
This email has been scanned for email related threats and delivered safely by Mimecast. For more information please visit http://www.mimecast.com
---------------------------------------------------------------------------------------
Are you a CL/L3 customer? Those resolvers have only ever been for "customers" even though they would resolve for anyone. They started injecting NXDOMAIN redirects a while ago for non-customers.

From: NANOG <nanog-bounces@nanog.org> On Behalf Of Marshall, Quincy
Sent: Monday, November 18, 2019 12:45 PM
Subject: Level(3) DNS Spoofing All Domains

This message originated outside of NETSCOUT. Do not click links or open attachments unless you recognize the sender and know the content is safe.

This is mostly informational and may have already hit this group. My google-foo failed me if so.

I discovered that the CenturyLink/Level(3) public DNS (4.2.2.2, etc) are spoofing all domains. If the hostname begins with a "w" and does not exist in the authoritative zone these hosts will return two Akamai hosts.

[root@localhost ~]# dig +short w3.dummydomaindoesntexist.gov @4.2.2.2
23.202.231.167
23.217.138.108
[root@localhost ~]# dig +short w3.dummydomaindoesntexist.net @4.2.2.2
23.202.231.167
23.217.138.108
[root@localhost ~]# dig +short w3.dummydomaindoesntexist.com @4.2.2.2
23.202.231.167
23.217.138.108
[root@localhost ~]# dig +short w3.dummydomaindoesntexist.org @4.2.2.2
23.202.231.167
23.217.138.108

My apologies if this is old news.

Lawrence Q. Marshall
On Tuesday, November 19, 2019 10:42 AM Ryan, Spencer… "Are you a CL/L3 customer?"

I am a legacy L(3) customer. The availability of their AnyCast NS is public from my nets. I was on my home TWC circuit when I ran the provided lookups.

I have used the L(3) NS, in a pinch, because of their reliability, privacy, and ease. I would assume that others did similar. It would seem that the reliability and privacy are not so, anymore.

FWIW – They have not provided a coherent reply to my ticket. Should I get a relevant update, I'll forward to the list.

Lawrence Q. Marshall
This was my thought as well. People always get up in arms about how it's "Public DNS!" but it's really not. It's just well known and used because it's easy to remember.

- Mike Bolitho

On Tue, Nov 19, 2019 at 9:28 AM Ryan, Spencer <spencer.ryan@netscout.com> wrote:
Are you a CL/L3 customer? Those resolvers have only ever been for “customers” even though they would resolve for anyone. They started injecting NXDOMAIN redirects a while ago for non-customers.
*From:* NANOG <nanog-bounces@nanog.org> *On Behalf Of* Marshall, Quincy
*Sent:* Monday, November 18, 2019 12:45 PM
*Subject:* Level(3) DNS Spoofing All Domains
This is mostly informational and may have already hit this group. My google-foo failed me if so.
I discovered that the CenturyLink/Level(3) public DNS (4.2.2.2, etc) are spoofing all domains. If the hostname begins with a “w” and does not exist in the authoritative zone these hosts will return two Akamai hosts.
[root@localhost ~]# dig +short w3.dummydomaindoesntexist.gov @4.2.2.2
23.202.231.167
23.217.138.108
[root@localhost ~]# dig +short w3.dummydomaindoesntexist.net @4.2.2.2
23.202.231.167
23.217.138.108
[root@localhost ~]# dig +short w3.dummydomaindoesntexist.com @4.2.2.2
23.202.231.167
23.217.138.108
[root@localhost ~]# dig +short w3.dummydomaindoesntexist.org @4.2.2.2
23.202.231.167
23.217.138.108
My apologies if this is old news.
*Lawrence Q. Marshall*
On Tue, Nov 19, 2019 at 11:47 AM Mike Bolitho <mikebolitho@gmail.com> wrote:
This was my thought as well. People always get up in arms about how it's "Public DNS!" but it's really not. It's just well known and used because it's easy to remember.
I ask the users of 4.2.2.x where it is stated by the owners of 4.2.2.x that the public may use it, and what expectations they state the public should have of its availability, integrity, and security. Not having a contract with Level3, I would assume no such expectations, and discourage anyone from using 4.2.2.x, even L3 customers, unless they were specifically given it to use by L3. The other 'public DNS providers' outwardly encourage their use by the public. 4.2.2.x does not.
On Tuesday, November 19, 2019 12:49 PM, Mike Bolitho <mikebolitho@gmail.com> said… "This was my thought as well. People always get up in arms about how it's "Public DNS!" but it's really not. It's just well known and used because it's easy to remember"

I am not against their "securing" their hosts. It costs them money to provide the service. I disagree with what they did - disable the service or only allow local or on-net resolution. How many of (my) clients have mistyped something and sent their data, unknowingly, to a 3rd party host? (Whose fault would that be?)

That said I AM a L(3) customer. These IPs were provided when the circuit was provisioned for NS resolution. Admittedly, they have indicated, this morning, that we are using the "wrong" Anycast NS and provided a different set, which functioned the same as the "Public" ones.

Lawrence Q. Marshall
How many of (my) clients have mistyped something and sent their data, unknowingly, to a 3rd party host? (Whose fault would that be?)

Yours? They paid you to set up their network properly and you set it up to resolve to Level 3. So if they "unknowingly sent their data" to a third party then it would be your fault.

- Mike Bolitho

On Tue, Nov 19, 2019 at 11:18 AM Marshall, Quincy <Quincy.Marshall@reged.com> wrote:
On Tuesday, November 19, 2019 12:49 PM, Mike Bolitho <mikebolitho@gmail.com> said…
"This was my thought as well. People always get up in arms about how it's "Public DNS!" but it's really not. It's just well known and used because it's easy to remember"
I am not against their "securing" their hosts. It costs them money to provide the service. I disagree with what they did - disable the service or only allow local or on-net resolution. How many of (my) clients have mistyped something and sent their data, unknowingly, to a 3rd party host? (Whose fault would that be?)
That said I AM a L(3) customer. These IPs were provided when the circuit was provisioned for NS resolution. Admittedly, they have indicated, this morning, that we are using the "wrong" Anycast NS and provided a different set, which functioned the same as the "Public" ones.
*Lawrence Q. Marshall*
On Tuesday, November 19, 2019 1:35 PM, Mike Bolitho <mikebolitho@gmail.com> said… "How many of (my) clients have mistyped something and sent their data, unknowingly, to a 3rd party host? (Whose fault would that be?) Yours? They paid you to set up their network properly and you set it up to resolve to Level 3. So if they "unknowingly sent their data" to a third party then it would be your fault."

If I were retained by my clients to set up, design, configure, and/or maintain our clients' networks, I would completely agree with you. (FWIW, my internal network would not connect to these hosts even if one of my users fat-fingered the URL.) However, I'm referring to a completely autonomous 3rd party network (say they type wwww.omb.gov). Can I be expected to anticipate their users'/APP DEVs' typos?

Lawrence Q. Marshall
Wow, news to me, and it's worse than you thought. They're spoofing responses for ALL non-existent domains, not just those starting with a "w":

langsam:~# whois unregistereddomaintest.com | head -1
No match for "UNREGISTEREDDOMAINTEST.COM".
langsam:~# dig +short a unregistereddomaintest.com @4.2.2.2
23.202.231.167
23.217.138.108
langsam:~# dig +short a unregistereddomaintest.mil @4.2.2.2
23.202.231.167
23.217.138.108

I can't get an NXDOMAIN result from 4.2.2.2 at all. Good to know. Time to reconfigure 10,000 firewalls. Thank you Lawrence.

- Cary Wiedemann

On Tue, Nov 19, 2019 at 10:35 AM Marshall, Quincy <Quincy.Marshall@reged.com> wrote:
This is mostly informational and may have already hit this group. My google-foo failed me if so.
I discovered that the CenturyLink/Level(3) public DNS (4.2.2.2, etc) are spoofing all domains. If the hostname begins with a “w” and does not exist in the authoritative zone these hosts will return two Akamai hosts.
[root@localhost ~]# dig +short w3.dummydomaindoesntexist.gov @4.2.2.2
23.202.231.167
23.217.138.108
[root@localhost ~]# dig +short w3.dummydomaindoesntexist.net @4.2.2.2
23.202.231.167
23.217.138.108
[root@localhost ~]# dig +short w3.dummydomaindoesntexist.com @4.2.2.2
23.202.231.167
23.217.138.108
[root@localhost ~]# dig +short w3.dummydomaindoesntexist.org @4.2.2.2
23.202.231.167
23.217.138.108
My apologies if this is old news.
*Lawrence Q. Marshall*
On Tue, 19 Nov 2019 at 16:36, Marshall, Quincy <Quincy.Marshall@reged.com> wrote:
I discovered that the CenturyLink/Level(3) public DNS (4.2.2.2, etc) are spoofing all domains. If the hostname begins with a “w” and does not exist in the authoritative zone these hosts will return two Akamai hosts.
[root@localhost ~]# dig +short w3.dummydomaindoesntexist.gov @4.2.2.2
23.202.231.167
23.217.138.108
It depends on the server you're hitting:

From AS3215 (.fr):
$ dig +short w3.dummydomaindoesntexist.org @4.2.2.2
23.217.138.108
23.202.231.167
$ dig +short caseraitvraimentconquilexiste.org @4.2.2.2
23.217.138.108
23.202.231.167
$ dig +short hostname.bind txt ch @4.2.2.2
"pubntp1.lon1.Level3.net"

From AS16276 (.ca):
$ dig w3.dummydomaindoesntexist.org @4.2.2.2
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 34998
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
$ dig +short hostname.bind txt ch @4.2.2.2
"cns4.nyc1.Level3.net"
Just to weigh in: Here in Germany, the largest internet provider (Deutsche Telekom) did the same thing. It's basically just a "search guide"; it redirects you to a search page and assumes you just had a typo in the URL.

Telekom stopped doing that in April, after a user reported them to the district attorney for supposed data manipulation, a misdemeanor.

On 18.11.2019 at 18:45, Marshall, Quincy wrote:
This is mostly informational and may have already hit this group. My google-foo failed me if so.
I discovered that the CenturyLink/Level(3) public DNS (4.2.2.2, etc) are spoofing all domains. If the hostname begins with a “w” and does not exist in the authoritative zone these hosts will return two Akamai hosts.
[root@localhost ~]# dig +short w3.dummydomaindoesntexist.gov @4.2.2.2
23.202.231.167
23.217.138.108
[root@localhost ~]# dig +short w3.dummydomaindoesntexist.net @4.2.2.2
23.202.231.167
23.217.138.108
[root@localhost ~]# dig +short w3.dummydomaindoesntexist.com @4.2.2.2
23.202.231.167
23.217.138.108
[root@localhost ~]# dig +short w3.dummydomaindoesntexist.org @4.2.2.2
23.202.231.167
23.217.138.108
My apologies if this is old news.
*Lawrence Q. Marshall*
On Tue, 19 Nov 2019 at 10:57, Patrick Schultz <lists-nanog@schultz.top> wrote:
Just to weigh in: Here in Germany, the largest internet provider (Deutsche Telekom) did the same thing. It's basically just a "search guide", it redirects you to a search page and assumes you just had a typo in the URL.
Telekom stopped doing that in April, after a user reported them to the district attorney for supposed data manipulation, a misdemeanor.
If your entire Internet is just the web then it's perhaps not a big deal. But there are a lot of protocols that depend on proper functioning of NXDOMAIN. If you recall, Verisign got in a bunch of trouble for doing that back in the day at the authoritative level.
Frontier and Verizon have been doing it for years. They have simply thumbed their noses at NXDOMAIN. All in the name of capturing data and eyeballs By Any Means Necessary.

-mel

On Nov 19, 2019, at 8:00 AM, Matthew Pounsett <matt@conundrum.com> wrote:

On Tue, 19 Nov 2019 at 10:57, Patrick Schultz <lists-nanog@schultz.top> wrote:

Just to weigh in: Here in Germany, the largest internet provider (Deutsche Telekom) did the same thing. It's basically just a "search guide"; it redirects you to a search page and assumes you just had a typo in the URL.

Telekom stopped doing that in April, after a user reported them to the district attorney for supposed data manipulation, a misdemeanor.

If your entire Internet is just the web then it's perhaps not a big deal. But there are a lot of protocols that depend on proper functioning of NXDOMAIN. If you recall, Verisign got in a bunch of trouble for doing that back in the day at the authoritative level.
On Wed, Nov 20, 2019 at 12:07 AM Mel Beckman <mel@beckman.org> wrote:
Frontier and Verizon have been doing it for years. They have simply thumbed their noses at NXDOMAIN. All in the name of capturing data and eyeballs By Any Means Necessary.
Verizon USED to do this on the former UUnet customer cache resolvers (notably: 198.6.1.1 and its ilk) ... but:

$ dig @198.6.1.1 dad.ads123j.com
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2315
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;dad.ads123j.com. IN A
;; AUTHORITY SECTION:
com. 899 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1574180221 1800 900 604800 86400

My understanding was that this was discontinued eventually when the 'product':
1) made no appreciable money for the cost of operation
2) paxfire died in a fiew
3) the ProjectManager responsible inside VZB got canned...

I didn't think they brought this back to life... I hope they did not :(

Maybe you meant the VZ dsl/fios customer cache devices were/are doing this? oh :(

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43555
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;dad.ads123j.com. IN A
;; ANSWER SECTION:
dad.ads123j.com. 0 IN A 92.242.140.21
;; Query time: 22 msec
;; SERVER: 71.250.0.12#53(71.250.0.12)

That's unfortunate for all of VZ's landline/dsl/fios folks :( bummer.
-mel
On Nov 19, 2019, at 8:00 AM, Matthew Pounsett <matt@conundrum.com> wrote:
On Tue, 19 Nov 2019 at 10:57, Patrick Schultz <lists-nanog@schultz.top> wrote:
Just to weigh in: Here in Germany, the largest internet provider (Deutsche Telekom) did the same thing. It's basically just a "search guide", it redirects you to a search page and assumes you just had a typo in the URL.
Telekom stopped doing that in April, after a user reported them to the district attorney for supposed data manipulation, a misdemeanor.
If your entire Internet is just the web then it's perhaps not a big deal. But there are a lot of protocols that depend on proper functioning of NXDOMAIN. If you recall, Verisign got in a bunch of trouble for doing that back in the day at the authoritative level.
On 11/18/19 12:45, Marshall, Quincy wrote:
This is mostly informational and may have already hit this group. My google-foo failed me if so.
I discovered that the CenturyLink/Level(3) public DNS (4.2.2.2, etc) are spoofing all domains. If the hostname begins with a “w” and does not exist in the authoritative zone these hosts will return two Akamai hosts.
[root@localhost ~]# dig +short w3.dummydomaindoesntexist.gov @4.2.2.2
23.202.231.167
23.217.138.108
[root@localhost ~]# dig +short w3.dummydomaindoesntexist.net @4.2.2.2
23.202.231.167
23.217.138.108
[root@localhost ~]# dig +short w3.dummydomaindoesntexist.com @4.2.2.2
23.202.231.167
23.217.138.108
[root@localhost ~]# dig +short w3.dummydomaindoesntexist.org @4.2.2.2
23.202.231.167
23.217.138.108
My apologies if this is old news.
*Lawrence Q. Marshall*
Yep, old news. :) It's their "SearchGuide(TM)" nonsense. You can opt out, but as of about 1.5? months ago it's almost impossible to because the applet was serving a 500, and now it just refuses to work *despite* serving a 200. And it's flaky as all else - when the applet goes down, the resolvers take the ...aherm, "liberty" of automatically enabling SearchGuide during the outage.

You can either attempt it via going to e.g.: http://searchguide.level3.com/search/?q=foo and clicking the "Settings" link in the upper right. If you get "There was a problem retrieving your settings from the server. Please try your request again later.", then congrats! You won the prize of not being able to change the redirect.

Alternatively, you can TRY running something like this: https://pastebin.com/zktqqCxU but AGAIN, it depends on that endpoint actually being *accessible*. Which it increasingly is not.

I've moved on from level3 for resolvers; their reliability's been declining but this nonsense just tanked them for me. Lately I've been using Verisign's resolvers (64.6.64.6 and 64.6.65.6) for upstream on my cachers, and I've been pretty pleased with it. They seem to express a focus on privacy, which is nice, but most importantly- records seem to get through unmolested, NXDOMAINs and all. Just as it should be. ;)
On 11/18/19 12:45 PM, Marshall, Quincy wrote:
I discovered that the CenturyLink/Level(3) public DNS (4.2.2.2, etc) are spoofing all domains. If the hostname begins with a “w” and does not exist in the authoritative zone these hosts will return two Akamai hosts.
As far as I know, this has been going on for quite some time at least for folks not on Level3. I know I've seen it as far back as 5-7 years ago from various vantage points. I guess it's also possible somebody was intercepting those well known anycast addresses between me and Level3, but the "search guide" it redirected to didn't implicate any obvious suspects. It fails DNSSEC checking, of course, so if you have DNSSEC validation turned on at your recursive resolver, you should get something else (probably SERVFAIL). -- Brandon Martin
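The thread's evidence is a handful of hand-typed `dig` runs. A repeatable check for the behaviour Cary and Brandon describe is to query a resolver for random labels that cannot exist and look at what comes back: an honest resolver answers NXDOMAIN, a DNSSEC-validating one that rejects the forged answer returns SERVFAIL (as in the AS16276 sample above), and a redirecting resolver answers NOERROR with the same fixed address set for every name. The script below is an added example written for this page, not code from any poster; it uses only the Python standard library, builds and parses the DNS wire format itself, and the sample responses fed to it offline are constructed to mirror the two Akamai addresses reported in the thread. The `probe` function and the resolver address it is called with are assumptions; any resolver IP you pass to it is your own choice.

```python
import os
import socket
import struct

# RCODE values from the DNS header (RFC 1035)
RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3

def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qid):
    """Standard recursive A/IN query (flags 0x0100 = RD set)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)

def _skip_name(data, off):
    """Advance past a wire-format name, including compression pointers."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte pointer terminates the name
            return off + 2
        off += 1 + length

def parse_response(data):
    """Return (rcode, [A-record IPv4 strings]) from a raw DNS response."""
    _qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    rcode = flags & 0x0F
    off = 12
    for _ in range(qdcount):
        off = _skip_name(data, off) + 4  # skip QTYPE + QCLASS
    ips = []
    for _ in range(ancount):
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            ips.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return rcode, ips

def random_name(tld):
    """A label that cannot plausibly exist, e.g. probe-3f9a1c2b4d5e.com."""
    return "probe-%s.%s." % (os.urandom(6).hex(), tld)

def classify(results):
    """Classify (rcode, ips) pairs collected for names that should not exist.

    honest       - every answer is NXDOMAIN
    servfail     - every answer is SERVFAIL (what a DNSSEC-validating
                   resolver returns when the forged answer fails validation)
    hijacked     - every answer is NOERROR with one and the same non-empty IP set
    inconsistent - anything else; worth a closer look
    """
    if not results:
        return "inconsistent"
    if all(rc == RCODE_NXDOMAIN for rc, _ in results):
        return "honest"
    if all(rc == RCODE_SERVFAIL for rc, _ in results):
        return "servfail"
    answered = [frozenset(ips) for rc, ips in results if rc == RCODE_NOERROR and ips]
    if len(answered) == len(results) and len(set(answered)) == 1:
        return "hijacked"
    return "inconsistent"

def probe(resolver, tlds=("com", "net", "org", "gov"), timeout=2.0):
    """Send one random-name query per TLD to the resolver and classify the replies.
    Network access required; the resolver address is the caller's choice."""
    results = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for i, tld in enumerate(tlds):
            qid = 0x4000 + i
            sock.sendto(build_query(random_name(tld), qid), (resolver, 53))
            data, _ = sock.recvfrom(4096)
            if struct.unpack("!H", data[:2])[0] != qid:
                raise ValueError("response ID does not match query ID")
            results.append(parse_response(data))
    return classify(results)

def make_response(name, rcode, ips, qid=0x1234):
    """Constructed sample response (QR, RD, RA set) for offline testing."""
    header = struct.pack("!HHHHHH", qid, 0x8180 | rcode, 1, len(ips), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 20, 4) + socket.inet_aton(ip)
        for ip in ips)
    return header + question + answers

if __name__ == "__main__":
    # Constructed samples mirroring the thread: the same two Akamai A records
    # for every nonexistent name, versus a resolver that returns NXDOMAIN.
    forged = make_response("w3.dummydomaindoesntexist.org.", RCODE_NOERROR,
                           ["23.202.231.167", "23.217.138.108"])
    honest = make_response("w3.dummydomaindoesntexist.org.", RCODE_NXDOMAIN, [])
    print(classify([parse_response(forged)] * 4))   # hijacked
    print(classify([parse_response(honest)] * 4))   # honest
    # Live check against a resolver of your choosing (assumed address):
    # print(probe("192.0.2.53"))
```

Because the probe labels are random per run, a resolver cannot pass the check by special-casing a known test name, and querying several TLDs catches the case Cary found where the redirect applies regardless of zone. Run it from more than one vantage point: Pierre's samples show the answer depending on which anycast instance you reach.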
participants (12)
- Billy Crook
- Brandon Martin
- brent timothy saner
- Cary Wiedemann
- Christopher Morrow
- Marshall, Quincy
- Matthew Pounsett
- Mel Beckman
- Mike Bolitho
- Patrick Schultz
- Pierre Emeriaud
- Ryan, Spencer