North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: has anyone notice this ?
- From: Paul Vixie
- Date: Sun Jun 29 22:44:07 2003
firstname.lastname@example.org (Jay Hennigan) writes:
> Is Time-Warner associated with Charter Communications? There's a thread
> on Slashdot about their name servers being hijacked to point all requests
> to a set of rogue proxy servers.
s/name/dhcp/. specifically, the article states:
Of course, under Windows, the default is to accept the default dns
domain specified by a DHCP server for the PC's ethernet
connection. There are settings to disable this, but I hadn't
thought about it until now. It turns out, Charter Communications'
DHCP servers were infiltrated and were providing p5115.tdko.com as
the 'Connection-specific DNS suffix', causing all non-hardened
Windows (whatever that means in a Windows context) machines to get
lookups from a hijacked subdomain DNS server which simply responded
to every query with a set of 3 addresses (126.96.36.199,
188.8.131.52, 184.108.40.206). ...
i suspect that a dhcp client's willingness to install a "dns search list"
from the dhcp reply is universal (and not just limited to windows clients)
and i've always thought this was a terrible idea. if i type "ssh foo" then
i want foo.vix.com, no matter who the local dhcp server was configured by.
but when i went about removing this sick behaviour from isc dhcp, it turned
out that many people depend on dhcp to get the only "dns search list" they
ever have. the world seems very strange to me sometimes.