BING DNS Hijack?

Published: 2011-07-20. Last Updated: 2011-07-20 13:52:23 UTC
by Chris Carboni (Version: 2)
10 comment(s)

Dan wrote in with some interesting results after a co-worker reported an unusual error.

Is anyone else having similar problems/results?

A dns lookup shows the NS records pointing to servers at JOMAX.NET


$ dig search.live.com
 
; <<>> DiG 9.7.0-P1 <<>> search.live.com
 

;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15688
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;search.live.com
 
.               IN      A

;; ANSWER SECTION:
search.live.com
 
.        60      IN      A       69.25.212.52
search.live.com
 
.        60      IN      A       8.15.228.166

;; AUTHORITY SECTION:
search.live.com
 
.        65535   IN      NS      WSC2.JOMAX.NET
 
.
search.live.com
 
.        65535   IN      NS      WSC1.JOMAX.NET
 
.

;; Query time: 43 msec
;; SERVER: 10.1.200.16#53(10.1.200.16)
;; WHEN: Wed Jul 20 08:37:46 2011
;; MSG SIZE  rcvd: 121

A whois on live.com
 
is very interesting as well:

~$ whois live.com
 
Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net

for detailed information.

  Server Name: LIVE.COM.ZZZ.GET.LAID.AT.WWW.SWINGINGCOMMUNITY.COM

  IP Address: 69.41.185.200
  Registrar: TUCOWS.COM
 
CO.
  Whois Server: whois.tucows.com

  Referral URL: http://domainhelp.opensrs.net

  Server Name: LIVE.COM.ITS-NOT-ROCKET-SCIENCE-MR-RIKY-BLAIKIE.BURTYB.COM

  IP Address: 209.85.6.100
  Registrar: ENOM, INC.
  Whois Server: whois.enom.com

  Referral URL: http://www.enom.com
  Server Name: LIVE.COM.IS.N0T.AS.1337.AS.GULLI.COM
  IP Address: 80.190.192.39
  Registrar: EPAG DOMAINSERVICES GMBH
  Whois Server: whois.enterprice.net
 

  Referral URL: http://www.enterprice.net
  Server Name: LIVE.COM.IS.0WN3D.BY.GULLI.COM
  IP Address: 80.190.192.39
  Registrar: EPAG DOMAINSERVICES GMBH
  Whois Server: whois.enterprice.net
 

  Referral URL: http://www.enterprice.net
  Domain Name: LIVE.COM
  Registrar: CSC CORPORATE DOMAINS, INC.
  Whois Server: whois.corporatedomains.com
 

  Referral URL: http://www.cscglobal.com
  Name Server: NS1.MSFT.NET
  Name Server: NS2.MSFT.NET
  Name Server: NS3.MSFT.NET
  Name Server: NS4.MSFT.NET
  Name Server: NS5.MSFT.NET
 

  Status: clientDeleteProhibited
  Status: clientTransferProhibited
  Status: clientUpdateProhibited
  Updated Date: 08-apr-2009
  Creation Date: 28-dec-1994
  Expiration Date: 27-dec-2017

>>> Last update of whois database: Wed, 20 Jul 2011 12:28:01 UTC <<<

Dan followed up with:

Additional: we use Global Crossing for our ISP, all of their DNS servers (which we use as forwarders) produce the same results.  Other name servers I checked (OpenDNS, AT&T) looked okay.  As of right now, users get the Bing webpage when they go to http://search.live.com, though the IP addresses haven't changed.

Something doesn't smell right about this.

Indeed

Christopher Carboni - Handler On Duty

Keywords:
10 comment(s)

Comments

The whois stuff is a known issue with the way whois for domain names works and does not indicate a problem. See http://lists.grok.org.uk/pipermail/full-disclosure/2003-December/015111.html
Your WHOIS lookup is returning a DNS Domain server address somebody registered.

It is basically, what I call a form of "WHOIS Spam"

When you register a DNS server with the registrar, for example NS1.EXAMPLE.COM, a WHOIS entry is created for the nameserver.

If your nameserver happens to be named
NS1.blahblahblah.com.foobar.example.com

then a WHOIS lookup for blahblahblah.com
will find your nameserver in the WHOIS database.

And nameserver addresses are displayed in priority over domain names.



If you get a result which points to jomax.net you k.ow that the DNS server is frontended by a paxfire device.

Paxfire == stealin' yer queries since 2004... maybe the bing-lawyers should give gblx a call?
This appears to be an ISP-specific configuration for a high-traffic hostname. When querying a Global Crossing DNS server, the A records for search.live.com are pointing to IPs owned by Internap and Level3, both of which provide CDN services. Based on my experience, IPs in these netblocks have long been used for content delivery for other popular hostnames. Additionally, Level3 is currently in the process of acquiring Global Crossing.
This is Paxfire. Paxfire hijacks Yahoo, Bing, and sometimes Google, in cooperation with the ISP to act as a MitM through these proxies. This is in addition to Paxfire's "Normal" behavior of wildcarding NXDOMAINs. We generically detect this in Netalyzr ( http://netalyzr.icsi.berkeley.edu ) .
It is Global Crossing's DNS servers, looking a little more at our Netalyzr data we see that IP being served by various global crossing resolvers but no other.
I know this problem since 2010.
On a WindowsXP PC running tcpview from sysinternals, I saw connections to strange IPs,
when I was connecting to bing (http tcp port 80)
So I wrote to my hostmaster:
> -----------------------------------------------
> From: Heinrich Elsigan
> Sent: monday, 26. July 2010 03:32
> To: hostmaster@chello.at
> Subject: DNS Problem
> Dear hostmaster,
> I retain via DHCP from my cabelmodem the
> following name servers ...
> Are there poisoned, cause when I make a
> nslookup www.bing.com or www.irs.gov I get
> strange IPs, that I don't get from anywhere else:
> nslookup ww.bing.com.
> Name: a134.g.akamai.net
> Addresses: 78.128.147.42, 78.128.147.18
> Aliases: www.bing.com,
> search.ms.com.edgesuite.net
>
> nslookup www.irs.gov.
> Name: a321.g.akamai.net
> Addresses: 78.128.147.26, 78.128.147.24
> Aliases: www.irs.gov,
> www.edgeredirector.irs.akadns.net
>
> Kind Regards, Heinrich.

Hostmaster didn't help me, so I talked to other networking expert guys. They mean:
"Don't be paranoid, thats a cloudy solution, where every ISP directs search requests to another server, no more round robin at all, maybe they like to make statistics or ..."
I answered: "Ah cool, so enduser will never know if its dns poisining or a cloud solution!"
Take a look, at the following FQDN:
www.visa.com
www.f-secure.com
www.trendmicro.com

For example www.visa.com is mostley mapped to a294.g.akamai.net
I got these IPs:
2.21.246.80, 2.21.246.79
2.20.182.9, 2.20.182.49
193.170.140.79, 193.170.140.86

See http://www.akamai.com
or ask google:
http://www.google.com/#q=site:akamai.net&num=100&hl=en&newwindow=1&safe=off&start=0&sa=N

Regards heinrich.
Cloudy is the best way to describe the web now.

We spent the last 20 years doing away with what they now call ... the cloud! We built data centers to handle load, and made peering arrangements to various backbones to carry our traffic quickly.

Now we are in effect going backwards but doing so in a very awkward way. All of these cloud providers have limitations on what and how you deploy. Next, you can add more virtual kick to your cloud in an instant.

But is it your cloud? NO! It is something you share, and something that breaks out serious security threats every step of the way. You controlled your data center, but you do not control the cloud. You controlled your data but now the cloud controls your data. You secured your data, but now the cloud secures your data. You knew when something was broken in your data center and were able to offload to another machine or cluster yourself, now you have no clue when some part of your cloud malfunctions.

You had everything, and now you have nothing!

The next problem is security form the end-user perspective. What comes from where? Is it supposed to be that way? Can it be trusted? NO, it cannot!

Cloud is a cheap way to do things, but it forfeits all of the security we have built into the Internet in one quick shot! I for one do not support anything cloud based, with perhaps the exception of video content delivery which must not have lag time or it will fail.

We have enough of a hard time identifying real threats without all of these virtual crap shooters surrounding us! Soon institutions will be forced to block cloud IP ranges to stay secure, and then we will see what happens. The cloud then equals a puddle we step around. It will fail unless something changes fast.
and I thing it is a who is spam also used by small domain sellers

Diary Archives