DNS Hijacking: The largest single breach of privacy and security thus far online...

From: Tony (ntBugTraq_at_ATTRON.COM)
Date: 09/16/03

    Date:         Tue, 16 Sep 2003 04:39:05 -0500

    This is one of the most flagrant abuses of the public trust that I have
    seen in a long time and it is important that people understand the impact
    that it will have on their use of the Internet.

    In a reckless fashion, Verisign has seized control of every non-existent
    domain, zone, and DNS record in the .com and .net top-level domains
    around 12:00pm EDT on September 15, 2003. Their so-called 'Site Finder
    service' causes any DNS lookup for a non-existent zone beneath .com and
    .net to resolve to an IP address under Verisign's control. For instance,
    if you type ww.company.net (missing the third 'w') you will be directed
    to a Verisign web site without your prior knowledge or consent.

    This hijacking of namespace was announced by mlarson@verisign.com on a
    public mailing list of network administrators many hours AFTER the change
    was implemented. I am not aware of any formal or informal attempt to
    involve traditional Internet standards bodies in this decision.

    What this Means to Your Network

    Every mistyped URL, mistaken DNS query, email to a removed mail server,
    and other traffic is redirected to Verisign's network for their
    collection and use.

    Your customers who mistype your web address (like ww.company.net) will be
    redirected to a Verisign web site containing content of their choosing.

    All domain-level cookies are sent to Verisign when a mistyped address is
    entered for a lower-level domain (visiting incorrect.store.company.net
    sends all .company.com and .store.company.com-level cookies to Verisign's
    web server). Technically, this must be disclosed in every privacy policy
    on every commercial web site in the US...

    Any application that expects a NXDOMAIN response to an invalid DNS lookup
    in .com and .net will no longer receive such a reply. This could wreak
    havoc on spam filters, network analysis tools, intrusion detection, and
    other infrastructure-supporting network services that have previously
    functioned as expected.

    The IP that is currently being used in response to all invalid queries
    listens on port 25 (SMTP) and appears to respond with exactly the same
    pattern for each SMTP session.

    New resource-exhaustion attacks on caching name servers are possible and
    likely. Diagnosing DNS problems has become an order of magnitude more

    Non-lowest-precedence mail exchangers will not receive mail if the
    primary mail exchanger's address record is removed/unavailable.

    These are simply a few of the primary effects that will happen as a
    matter of course. There are untold new methods of abuse and misuse
    available to employees, contractors, and owners of Verisign's network
    devices (who issues SSL certificates.) Not to mention the additional
    'useless traffic' generated by unintended TCP connections.

    Mitigating Factors

    This redirection will most likely cause a denial-of-service on the
    Verisign network preventing a large portion of the traffic from reaching

    If we act quickly and collectively we can minimize the amount of traffic
    misdirected from our systems.

    What Can You Do?

    If you reside in the US, call, email, and fax your representatives. Tell
    them that Verisign is no longer capable of administrating the
    infrastructure with which they have been entrusted. Urge them to draft a
    resolution to remove their authority to operate .com/.net and immediately
    delegate that authority to an alternate entity. This is not the first
    time that the public trust has been violated by Verisign and it will not
    be the last unless their custodial role is minimized.

    Redirect traffic for Verisign's 'Site Finder system' IP range to a server
    under your control and put up a web site there describing the situation.
    Note that there is a 15-minute timeout on the A record for the wildcard
    entry. This means that they can change the IP in less than 15 minutes.
    It is currently which is part of a /24 (256 addresses) from
    an InterNAP /16 (65536 addresses.)

    Encourage your upstream ISP(s) to null route traffic for these Verisign
    IP addresses or change the behavior of their name servers to revert to
    the previous non-wildcard status. Unfortunately, changes to the DNS
    system can be catastrophic for network connectivity and should be
    undertaken only as a last resort by experienced DNS admins. Modifying
    DNS server operation will most likely lead to unforeseen fallout in the

    Concise overview of the Domain Name System:

    The Definitive Guide to DNS:

    Verisign's Description of their 'Search System':

    Slashdot discussion of this issue:
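    The two operational effects described in the post, applications that expect
    NXDOMAIN no longer getting it and a backup mail exchanger never being tried
    once the primary MX host's address record disappears, can be reproduced and
    checked resolver-side. The following is an added example and is not part of
    the original post or of Verisign's or anyone else's code: it probes a TLD with
    random labels to detect blanket wildcard synthesis, turns answers that consist
    only of the detected sinkhole address back into NXDOMAIN, and shows MX
    selection with and without that filter. The resolver is a constructed stub,
    and SINKHOLE_IP, company.net and its MX hosts are placeholder values chosen
    for the example, not the real addresses involved.

```python
"""Detect Site Finder-style wildcard synthesis and filter it out resolver-side.

Added example, not part of the original post. The resolver is a constructed
stub; SINKHOLE_IP is a documentation-range placeholder, not the real address.
"""
import random
import string

SINKHOLE_IP = "192.0.2.10"  # placeholder (TEST-NET-1), constructed for this example

# Constructed zone data for the stub resolver. None models NXDOMAIN.
STUB_RECORDS = {
    "www.company.net": ["192.0.2.20"],
    "mx1.company.net": None,            # primary MX host's A record removed
    "mx2.company.net": ["192.0.2.30"],  # backup MX still present
}

MX_LIST = [(10, "mx1.company.net"), (20, "mx2.company.net")]  # (preference, host)


def stub_resolve(name):
    """Stub resolver behaving like a .com/.net resolver under a blanket wildcard:
    any unknown name under those TLDs gets the sinkhole address instead of
    NXDOMAIN; other TLDs still return NXDOMAIN (None)."""
    if STUB_RECORDS.get(name) is not None:
        return list(STUB_RECORDS[name])
    if name.endswith((".com", ".net")):
        return [SINKHOLE_IP]
    return None


def probe_names(tld, count=5, seed=0):
    """Random 16-letter labels that cannot plausibly exist; any positive answer
    for them must have been synthesized by a wildcard."""
    rng = random.Random(seed)
    return [
        "".join(rng.choice(string.ascii_lowercase) for _ in range(16)) + "." + tld
        for _ in range(count)
    ]


def detect_wildcard(tld, resolve, count=5, seed=0):
    """Return the set of synthesized addresses if every random probe under `tld`
    gets the same non-NXDOMAIN answer, otherwise an empty set."""
    answers = []
    for name in probe_names(tld, count, seed):
        rrset = resolve(name)
        if rrset is None:          # a genuine NXDOMAIN: no blanket wildcard here
            return set()
        answers.append(frozenset(rrset))
    if not answers or len(set(answers)) != 1:
        return set()
    return set(answers[0])


def filter_answer(rrset, sinkhole_ips):
    """Resolver-side mitigation: an answer made up only of known sinkhole
    addresses is turned back into NXDOMAIN (None); everything else passes."""
    if rrset and set(rrset) <= set(sinkhole_ips):
        return None
    return rrset


def pick_mx(mx_list, resolve, sinkhole_ips=frozenset()):
    """Choose the lowest-preference MX whose host actually resolves, as a
    sending MTA does. Without filtering, the removed primary MX host still
    'resolves' (to the sinkhole) and the backup MX is never tried."""
    for _pref, host in sorted(mx_list):
        addrs = filter_answer(resolve(host), sinkhole_ips)
        if addrs:
            return host, addrs
    return None, []


if __name__ == "__main__":
    synthesized = detect_wildcard("net", stub_resolve)
    print("wildcard synthesized addresses:", synthesized)
    print("unfiltered MX choice:", pick_mx(MX_LIST, stub_resolve))
    print("filtered MX choice:  ", pick_mx(MX_LIST, stub_resolve, synthesized))
```

    Replacing stub_resolve with a function that issues real A queries turns
    detect_wildcard into a monitor that can run periodically; because the
    wildcard record carries a short TTL, the detected address set should be
    refreshed rather than hard-coded. Filtering on the synthesized address set
    rather than on a fixed IP is what keeps the check valid if the address changes.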


