BING DNS Hijack?
Dan wrote in with some interesting results after a co-worker reported an unusual error.
Is anyone else having similar problems/results?
A dns lookup shows the NS records pointing to servers at JOMAX.NET
$ dig search.live.com
; <<>> DiG 9.7.0-P1 <<>> search.live.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15688
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 0
;; QUESTION SECTION:
;search.live.com
. IN A
;; ANSWER SECTION:
search.live.com
. 60 IN A 69.25.212.52
search.live.com
. 60 IN A 8.15.228.166
;; AUTHORITY SECTION:
search.live.com
. 65535 IN NS WSC2.JOMAX.NET
.
search.live.com
. 65535 IN NS WSC1.JOMAX.NET
.
;; Query time: 43 msec
;; SERVER: 10.1.200.16#53(10.1.200.16)
;; WHEN: Wed Jul 20 08:37:46 2011
;; MSG SIZE rcvd: 121
A whois on live.com
is very interesting as well:
~$ whois live.com
Whois Server Version 2.0
Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.
Server Name: LIVE.COM.ZZZ.GET.LAID.AT.WWW.SWINGINGCOMMUNITY.COM
IP Address: 69.41.185.200
Registrar: TUCOWS.COM
CO.
Whois Server: whois.tucows.com
Referral URL: http://domainhelp.opensrs.net
Server Name: LIVE.COM.ITS-NOT-ROCKET-SCIENCE-MR-RIKY-BLAIKIE.BURTYB.COM
IP Address: 209.85.6.100
Registrar: ENOM, INC.
Whois Server: whois.enom.com
Referral URL: http://www.enom.com
Server Name: LIVE.COM.IS.N0T.AS.1337.AS.GULLI.COM
IP Address: 80.190.192.39
Registrar: EPAG DOMAINSERVICES GMBH
Whois Server: whois.enterprice.net
Referral URL: http://www.enterprice.net
Server Name: LIVE.COM.IS.0WN3D.BY.GULLI.COM
IP Address: 80.190.192.39
Registrar: EPAG DOMAINSERVICES GMBH
Whois Server: whois.enterprice.net
Referral URL: http://www.enterprice.net
Domain Name: LIVE.COM
Registrar: CSC CORPORATE DOMAINS, INC.
Whois Server: whois.corporatedomains.com
Referral URL: http://www.cscglobal.com
Name Server: NS1.MSFT.NET
Name Server: NS2.MSFT.NET
Name Server: NS3.MSFT.NET
Name Server: NS4.MSFT.NET
Name Server: NS5.MSFT.NET
Status: clientDeleteProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 08-apr-2009
Creation Date: 28-dec-1994
Expiration Date: 27-dec-2017
>>> Last update of whois database: Wed, 20 Jul 2011 12:28:01 UTC <<<
Dan followed up with:
Additional: we use Global Crossing for our ISP, all of their DNS servers (which we use as forwarders) produce the same results. Other name servers I checked (OpenDNS, AT&T) looked okay. As of right now, users get the Bing webpage when they go to http://search.live.com, though the IP addresses haven't changed.
Something doesn't smell right about this.
Indeed
Christopher Carboni - Handler On Duty
Comments
David
Jul 20th 2011
1 decade ago
It is basically, what I call a form of "WHOIS Spam"
When you register a DNS server with the registrar, for example NS1.EXAMPLE.COM, a WHOIS entry is created for the nameserver.
If your nameserver happens to be named
NS1.blahblahblah.com.foobar.example.com
then a WHOIS lookup for blahblahblah.com
will find your nameserver in the WHOIS database.
And nameserver addresses are displayed in priority over domain names.
Mysid
Jul 20th 2011
1 decade ago
Paxfire == stealin' yer queries since 2004... maybe the bing-lawyers should give gblx a call?
internet-user
Jul 20th 2011
1 decade ago
Greg-IID
Jul 20th 2011
1 decade ago
Nicholas Weaver
Jul 20th 2011
1 decade ago
Nicholas Weaver
Jul 20th 2011
1 decade ago
On a WindowsXP PC running tcpview from sysinternals, I saw connections to strange IPs,
when I was connecting to bing (http tcp port 80)
So I wrote to my hostmaster:
> -----------------------------------------------
> From: Heinrich Elsigan
> Sent: monday, 26. July 2010 03:32
> To: hostmaster@chello.at
> Subject: DNS Problem
> Dear hostmaster,
> I retain via DHCP from my cabelmodem the
> following name servers ...
> Are there poisoned, cause when I make a
> nslookup www.bing.com or www.irs.gov I get
> strange IPs, that I don't get from anywhere else:
> nslookup ww.bing.com.
> Name: a134.g.akamai.net
> Addresses: 78.128.147.42, 78.128.147.18
> Aliases: www.bing.com,
> search.ms.com.edgesuite.net
>
> nslookup www.irs.gov.
> Name: a321.g.akamai.net
> Addresses: 78.128.147.26, 78.128.147.24
> Aliases: www.irs.gov,
> www.edgeredirector.irs.akadns.net
>
> Kind Regards, Heinrich.
Hostmaster didn't help me, so I talked to other networking expert guys. They mean:
"Don't be paranoid, thats a cloudy solution, where every ISP directs search requests to another server, no more round robin at all, maybe they like to make statistics or ..."
I answered: "Ah cool, so enduser will never know if its dns poisining or a cloud solution!"
heinrich.elsigan
Jul 20th 2011
1 decade ago
www.visa.com
www.f-secure.com
www.trendmicro.com
For example www.visa.com is mostley mapped to a294.g.akamai.net
I got these IPs:
2.21.246.80, 2.21.246.79
2.20.182.9, 2.20.182.49
193.170.140.79, 193.170.140.86
See http://www.akamai.com
or ask google:
http://www.google.com/#q=site:akamai.net&num=100&hl=en&newwindow=1&safe=off&start=0&sa=N
Regards heinrich.
heinrich.elsigan
Jul 20th 2011
1 decade ago
We spent the last 20 years doing away with what they now call ... the cloud! We built data centers to handle load, and made peering arrangements to various backbones to carry our traffic quickly.
Now we are in effect going backwards but doing so in a very awkward way. All of these cloud providers have limitations on what and how you deploy. Next, you can add more virtual kick to your cloud in an instant.
But is it your cloud? NO! It is something you share, and something that breaks out serious security threats every step of the way. You controlled your data center, but you do not control the cloud. You controlled your data but now the cloud controls your data. You secured your data, but now the cloud secures your data. You knew when something was broken in your data center and were able to offload to another machine or cluster yourself, now you have no clue when some part of your cloud malfunctions.
You had everything, and now you have nothing!
The next problem is security form the end-user perspective. What comes from where? Is it supposed to be that way? Can it be trusted? NO, it cannot!
Cloud is a cheap way to do things, but it forfeits all of the security we have built into the Internet in one quick shot! I for one do not support anything cloud based, with perhaps the exception of video content delivery which must not have lag time or it will fail.
We have enough of a hard time identifying real threats without all of these virtual crap shooters surrounding us! Soon institutions will be forced to block cloud IP ranges to stay secure, and then we will see what happens. The cloud then equals a puddle we step around. It will fail unless something changes fast.
Al of Your Data Center
Jul 21st 2011
1 decade ago
web tasar&#305;m
Jul 24th 2011
1 decade ago