Hi Paul,
Thank you for your help again. Although Internap hasn't emailed back
yet, they've already fixed their DNS records. The false hostnames I did
manage to capture are:
mail.greenborder.com False Address: 216.52.7.214
www.greenborder.com False Address: 216.52.7.212
ftp.greenborder.com False Address: 216.52.7.210
These are not stale, we have not used these IPs before.
I've asked them for dates and other hostnames which may have been
affected.
Bill Stout
GreenBorder
-----Original Message-----
From: Bill Stout
Sent: Monday, January 29, 2007 8:45 AM
To: 'Paul daSilva'; security-basics@securityfocus.com
Subject: RE: DNS poisoning or ?? (Found by Paul daSilva)
Brilliant! You found the source! I'll go contact them right away.
Thanks for your help!
Bill Stout
GreenBorder
-----Original Message-----
From: Paul daSilva [mailto:pdasilva@polr.org]
Sent: Monday, January 29, 2007 8:22 AM
To: Bill Stout; security-basics@securityfocus.com
Subject: Re: DNS poisoning or ??
Importance: High
Hi Bill,
This indeed sounds like a problem, and I do see something very fishy
going on:
Knowing that the suspected IP address is on the Internap network, if you
issue an nslookup against one of the Internap DNS servers for
information regarding your domain (greenborder.com), you will notice
that the Internap DNS server is handing out false/misleading information
for mail.greenborder.com when #1) they don't own the domain in question,
and #2) such DNS record does not exist for the domain in question.
$ whois internap.com
[...]
Domain servers in listed order:
NS-A.PNAP.NET 64.94.123.4
NS-B.PNAP.NET 64.94.123.36
NS-C.PNAP.NET 64.95.61.4
NS-D.PNAP.NET 64.95.61.36
[...]
$ nslookup
> server 64.94.123.36
Default server: 64.94.123.36
Address: 64.94.123.36#53
> mail.greenborder.com
Server: 64.94.123.36
Address: 64.94.123.36#53
Name: mail.greenborder.com
Address: 216.52.7.214
Interestingly enough, if you lookup the same record against the primary
DNS servers listed when you issue a $ whois 216.52.7.214, the DNS
servers NS1.PNAP.NET (206.253.194.65) and NS2.PNAP.NET (206.253.194.97)
cannot resolve mail.greenborder.com (as they should, since it does not
exist). So the issue at hand is being propagated by the other DNS
servers listed above NS-A through NS-D.PNAP.NET (on the 64.95.x.x
network).
I would highly suggest that you email noc@internap.com and
abuse@internap.com citing your problem. Internap should be able to find
the culprit on their network and either terminate their connection or
resolve whatever the issue on their side.
Unless this is an old/outdated record that you have not cleaned up, I
would consider this a DNS poisoning attack.
Cheers,
Paul
Bill Stout wrote:
Hello,
I'm working through an intermittent incoming email bounce problem I
hope
someone can shed some light on. Over the last week, a few major
companies are reporting intermittent bounces when sending email to us
(maybe 5% of the time). When they do an MX lookup they occasionally
obtain a fake hostname and IP address. In their email body the
response
looks like this:
... connect to mail.greenborder.com [216.52.7.214]: Connection timed
out ...
I do not have a host named 'mail.greenborder.com' in my DNS records.
The IP address is not a mail server, it's an Internap address.
http://www.dnsstuff.com/tools/whois.ch?ip=216.52.7.214
I'm suspecting DNS cache poisoning, but it's happening at remote sites
and I don't have much data go on. Since these are larger companies I
don't expect they have vulnerable DNS servers.
My MX records are here:
http://www.dnsstuff.com/tools/lookup.ch?name=greenborder.com&type=MX
(Temporarily modified for troubleshooting purposes)
greenborder.com. MX IN 7200 USC1.MAILHOSTSXODE.NET. [Preference = 10]
greenborder.com. MX IN 7200 MAILGATE.greenborder.com. [Preference = 1]
greenborder.com. MX IN 7200 USP1.MAILHOSTSXODE.NET. [Preference = 5]
greenborder.com. NS IN 7200 NS31.WORLDNIC.com.
greenborder.com. NS IN 7200 NS32.WORLDNIC.com.
MAILGATE.greenborder.com. A IN 7200 66.123.15.52
Our DNS records are hosted by Network Solutions, so I called them
looking for help from one of their security experts. Of course
Customer
Support answers, and their guys are _absolutely clueless_ on how DNS
works. When I mention bounces due to MX record lookups they keep
referring me to 'the provider who hosts my email service', apparently
reading from a flowchart script, and speaking in a fake American
accent.
When I mention MX records are DNS records, they say 'you have exceeded
the ability of customer support, we need to forward this to
engineering'. I told them it was urgent, to escalate to security, and
asked for someone in their security team to call me. I'm not
expecting
much help from Network Solutions, I think all they do is produce
banner
ads and ask you to buy something each time you talk to them.
Any knowledgeable help would be appreciated.
Thanks in advance,
Bill Stout
GreenBorder
