Re: DNS Errors

From: Jonathan Larmour <[email protected]>
Date: Thu, 17 Jul 1997 19:25:05 +0100

At 10:00 17/07/97 -0700, Dave Zarzycki wrote:
>>I'm getting lots of DNS errors today from SD and SV - and when I turn
>>off the proxy server and use my own dns it usually works OK.
>>
>>Any ideas? Are others noticing this too?
>
>Our friends at InterNIC were having technical difficulties with the "root
>nameservers" accidentally updating themselves with corrupt .com and .net
>databases. The problem is being resolved and fixed.
>
>http://www.netstat.net/news.html

Apparently, it wasn't accidental. I got these from usenet:

Date: Tue Jul 15 23:25:12 BST 1997
From: Francois Beauregard <FBorg@fbli.com>
Subject: Re: DNS spoofing attack against the InterNIC?
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Info: Evaluation version at alpha.fbli.com
X-Info: Message for you sir !
Organization: none
Lines: 42

At 00:40 97-07-14 GMT, Cricket Liu wrote:
>Does anyone else get weird results when loading
>http://www.internic.net/? My default name server
>(ce1.res.dns.psi.net, on PSINet) reports a non-authoritative answer of
>207.51.48.15, which reverse maps to nyc.alternic.net. The
>authoritative name servers for internic.net map www.internic.net to
>198.49.45.10, 204.159.111.101 and 204.179.186.65.
>
>(In case you don't have a web browser handy, loading
>http://www.internic.net/ with this setup brings up the AlterNIC's home
>page.)
>
>My best guess is that someone has mounted a DNS spoofing attack
>against one or more name servers on the Internet. Anyone else see
>this with their name servers? If so, any indications of which
>vulnerability the attacker capitalized on to spoof the name server?

Hi Cricket

This has been discussed on Nanog for a couple of days already... The guys
from Alternic themselves are responsible for this it seems... They did it in
"retaliation" if I can say to the claim by NSI that they owned the .COM,
.EDU and .ORG domain...

It's not really nice, but it gets the message across...

Sincerely

----------------------------------
Francois Beauregard

and the following:

From: Jason Brown <jbrown@interalpha.co.uk>
Subject: Re: .COM and .NET out of order ?
Date: Thu Jul 17 14:27:09 BST 1997
Organization: Inter@lpha Net
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Sender: jbrown@jason.interalpha.net
To: Pierre Beyssac <pb@sidhe.hsc.fr>
In-Reply-To: <slrn5srsc9.55c.pb@sidhe.hsc.fr>
Lines: 36

On 17 Jul 1997, Pierre Beyssac wrote:

> It seems that the update for .COM dated July 17th, and .NET dated July
> 16th, lack most domains (or are empty).
>
> I first thought it was a local problem at my site, but it seems it
> comes from the official root servers (I checked A, B and
> C.ROOT-SERVERS.NET).
>
> .ORG and .EDU are apparently still ok.

There appears to have been an attack on the internic name servers by a
third party, which will result in major problems in reaching .com and .net
sites by your name server if it has to go to the root-servers and thus
Internic to get any data.

Your dns cache probably has good data in it, so do not restart your dns
and you may survive longer than us! (We did some minor maintenance and
after the restart our dns is now in a major bind)

The symptoms are 'unknown host' on known good sites in the US.

We have been advised that the way forward to 'fix' the problem is to go to
a newer version of Bind if you are running a Unix dns.

We are going to version 4.9.6, and NOT invoking the ncache option (caches
negative gets!)

The problems will still persist for a while as some of the root servers
still have a problem, in that they have not been upgraded yet.

i.root-servers.net and h.root-servers.net are known GOOD servers.

Origin UK,323 Cambridge Science Park,Cambridge,England. Tel: +44(1223)423355
------[ Do not think that every sad-eyed woman has loved and lost... ]------
April 12th! Ra!Ra!----[ she may have got him. -Anon ]-----April 12th! Ra!Ra!
Help fight spam! http://spam.abuse.net/ These opinions are all my own fault
Received on Thu Jul 17 1997 - 11:38:43 MDT
