Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Re: FW: Root Domain Server Hacked.

  • From: George Herbert
  • Date: Fri Jul 02 22:39:57 1999


Sean Donelan <SEAN@SDG.DRA.COM>
>rmeyer@mhsc.COM (Roeland M.J. Meyer) writes:
>>That's not what Paul said.
>>> Randy Bush writes:
>>> this is false and specious garbage
>
>Both statements are true.  You can hijack domain names and insert
>bogus data in caches without hacking any root servers.  It is much
>easier to just e-mail a domain modify template to NSI, and insert
>some bogus IP addresses for certain names.  Similar to what happened
>to AOL last year (actually it appears to be a glue issue on some NS
>records).
>I haven't seen NSI official statements myself, only the news reports.
>But there is no evidence any of the independently operated root-name
>servers were hacked.  If any systems were hacked, they were NSI's
>registration process.
>I think some people are getting too wrapped up in some really exotic
>attacks on DNS, when the simple ones still work.  Maybe BEFORE-UPDATE
>will get finished now.

Won't help.  My sources are confirming it was a glue record
issue... someone did the rough equivalent of putting in a new
domain registration with servers WWW.NETWORKSOLUTIONS.NET and
WWW.NETSOL.NET as their nameservers, but with the IPs of the
real ICANN webservers.  The problem is that the nameserver
entries and glue records in general aren't sanity checked
(or weren't before today).  The real solution eventually
has to be some sort of requested nameserver forward lookup IP
match confirmation prior to accepting a nameserver record in
new/change applications; if nameserver FOO.BAR.COM is listed
on an application and its IP is listed as 123.4.5.6 but
nslookup foo.bar.com shows it at 78.9.10.11 then the
application should be held until the discrepancy is
resolved properly.

I remember suggesting this to Mark Kosters in, oh, April 1993?


-george william herbert
gherbert@crl.com
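
The forward-lookup match proposed in the message above, as an added example (not code from the original post or from any registrar): each nameserver on an application is resolved and the claimed glue IPs are compared with what DNS returns, and the application is held on any discrepancy. The function names, the resolver hook and the sample records are assumptions; the sample data is constructed from the FOO.BAR.COM illustration in the message.

```python
import ipaddress
import socket

def forward_lookup(host):
    """Resolve host with the system resolver; empty set if it does not resolve."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {ipaddress.ip_address(i[4][0].split("%")[0]) for i in infos}

def check_application(nameservers, resolve=forward_lookup):
    """nameservers maps hostname -> list of claimed glue IPs (strings).
    Returns ("accept" | "hold", findings); any finding holds the application."""
    findings = []
    for host, claimed in nameservers.items():
        name = host.rstrip(".").lower()      # DNS names are case-insensitive
        try:
            claimed_set = {ipaddress.ip_address(ip) for ip in claimed}
        except ValueError as exc:
            findings.append((name, "invalid-address", str(exc)))
            continue
        resolved = resolve(name)
        if not resolved:
            # Nothing to compare against: hold rather than trust the form.
            findings.append((name, "unresolvable", "no forward record"))
        elif not claimed_set <= resolved:
            bad = sorted(str(ip) for ip in claimed_set - resolved)
            seen = sorted(str(ip) for ip in resolved)
            findings.append((name, "mismatch", f"claimed {bad}, DNS shows {seen}"))
    return ("hold" if findings else "accept"), findings

# Constructed sample data standing in for live DNS, so the example runs offline.
SAMPLE_DNS = {
    "foo.bar.com": {"78.9.10.11"},
    "ns1.example.net": {"192.0.2.53"},
}

def sample_resolve(host):
    return {ipaddress.ip_address(ip) for ip in SAMPLE_DNS.get(host, ())}

if __name__ == "__main__":
    application = {
        "FOO.BAR.COM": ["123.4.5.6"],        # claimed IP differs from DNS
        "ns1.example.net": ["192.0.2.53"],   # claimed IP matches DNS
    }
    decision, findings = check_application(application, resolve=sample_resolve)
    print(decision)
    for finding in findings:
        print(finding)
```

A nameserver whose name lives inside the domain being registered has no forward record until its glue is published, so it lands in the "unresolvable" branch and needs some other confirmation before release.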





