Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: DNS poisoning or ?? (Found by Paul daSilva)

from [Bill Stout] Network Security [Permanent Link]
Subject: RE: DNS poisoning or ?? (Found by Paul daSilva)
Date: Mon, 29 Jan 2007 08:45:13 -0800 

Brilliant!  You found the source!  I'll go contact them right away.

Thanks for your help!

Bill Stout
GreenBorder 


-----Original Message-----
From: Paul daSilva [mailto:pdasilva@polr.org] 
Sent: Monday, January 29, 2007 8:22 AM
To: Bill Stout; security-basics@securityfocus.com
Subject: Re: DNS poisoning or ??
Importance: High

Hi Bill,

This indeed sounds like a problem, and I do see something very fishy 
going on:

Knowing that the suspected IP address is on the Internap network, if you

issue an nslookup against one of the Internap DNS servers for 
information regarding your domain (greenborder.com), you will notice 
that the Internap DNS server is handing out false/misleading information

for mail.greenborder.com when #1) they don't own the domain in question,

and #2) such DNS record does not exist for the domain in question.

    $ whois internap.com
    [...]
    Domain servers in listed order:

       NS-A.PNAP.NET                64.94.123.4
       NS-B.PNAP.NET                64.94.123.36
       NS-C.PNAP.NET                64.95.61.4
       NS-D.PNAP.NET                64.95.61.36
    [...]


    $ nslookup
     > server 64.94.123.36
    Default server: 64.94.123.36
    Address: 64.94.123.36#53
     > mail.greenborder.com
    Server:         64.94.123.36
    Address:        64.94.123.36#53

    Name:   mail.greenborder.com
    Address: 216.52.7.214


Interestingly enough, if you lookup the same record against the primary 
DNS servers listed when you issue a $ whois 216.52.7.214, the DNS 
servers NS1.PNAP.NET (206.253.194.65) and NS2.PNAP.NET (206.253.194.97) 
cannot resolve mail.greenborder.com (as they should, since it does not 
exist).  So the issue at hand is being propagated by the other DNS 
servers listed above NS-A through NS-D.PNAP.NET (on the 64.95.x.x
network).

I would highly suggest that you email noc@internap.com and 
abuse@internap.com citing your problem.  Internap should be able to find

the culprit on their network and either terminate their connection or 
resolve whatever the issue on their side.

Unless this is an old/outdated record that you have not cleaned up, I 
would consider this a DNS poisoning attack.


Cheers,
Paul




Bill Stout wrote:

Hello,

I'm working through an intermittent incoming email bounce problem I

hope

someone can shed some light on.  Over the last week, a few major
companies are reporting intermittent bounces when sending email to us
(maybe 5% of the time).  When they do an MX lookup they occasionally
obtain a fake hostname and IP address.  In their email body the

response

looks like this:

  ... connect to mail.greenborder.com [216.52.7.214]: Connection timed
out ...

I do not have a host named 'mail.greenborder.com' in my DNS records.
The IP address is not a mail server, it's an Internap address.
http://www.dnsstuff.com/tools/whois.ch?ip=216.52.7.214

I'm suspecting DNS cache poisoning, but it's happening at remote sites
and I don't have much data go on.  Since these are larger companies I
don't expect they have vulnerable DNS servers.

My MX records are here:
http://www.dnsstuff.com/tools/lookup.ch?name=greenborder.com&type=MX
(Temporarily modified for troubleshooting purposes)

greenborder.com. MX IN 7200 USC1.MAILHOSTSXODE.NET. [Preference = 10] 
greenborder.com. MX IN 7200 MAILGATE.greenborder.com. [Preference = 1]



greenborder.com. MX IN 7200 USP1.MAILHOSTSXODE.NET. [Preference = 5] 
greenborder.com. NS IN 7200 NS31.WORLDNIC.com. 
greenborder.com. NS IN 7200 NS32.WORLDNIC.com. 
MAILGATE.greenborder.com. A IN 7200 66.123.15.52

Our DNS records are hosted by Network Solutions, so I called them
looking for help from one of their security experts.  Of course

Customer

Support answers, and their guys are _absolutely clueless_ on how DNS
works.  When I mention bounces due to MX record lookups they keep
referring me to 'the provider who hosts my email service', apparently
reading from a flowchart script, and speaking in a fake American

accent.

When I mention MX records are DNS records, they say 'you have exceeded
the ability of customer support, we need to forward this to
engineering'.  I told them it was urgent, to escalate to security, and
asked for someone in their security team to call me.  I'm not

expecting

much help from Network Solutions, I think all they do is produce

banner

ads and ask you to buy something each time you talk to them.

Any knowledgeable help would be appreciated.

Thanks in advance,

Bill Stout
GreenBorder
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Notebook policy (need advice), Steveb
Next by Date:  RE: DNS poisoning or ??, Devin Rambo
Previous by Thread:  Re: DNS poisoning or ??, Paul daSilva
Next by Thread:  RE: DNS poisoning or ?? (Found by Paul daSilva), Bill Stout
Indexes:  [Date] [Thread] [Top] [All Lists]