Miscellaneous Operating Systems/Hardware

amateur dns poisoning

The router does dns, normally everything is fine (except for the officially poisoned ones but that's a different subject.) There's an acl to deny any incoming connections to udp 43 except for my real dns servers. No problemo.

A while ago I dropped the access-list to troubleshoot some stuff, and in a short period of time I noticed a bunch of bogus entries in the dns cache :

Code:

Host                      Port  Flags      Age Type   Address(es)

Www.facEbook.com          None  (temp, OK)  0   IP    59.24.3.173
Www.youTube.com           None  (temp, OK)  1   IP    59.24.3.173
TwitteR.com               NA    (temp, OK)  1   IP    59.24.3.173

It's not a problem cuz I cleared the phony hosts and turned the filter back on, but I'm curious how this is done ? The phony ip's are from Korea ...
two girls for every boy ...
Hi Hamei.

Is it possible that the great firewall of China might be kicking in on your system and performing DNS hijacking?

I don't know if this is relevant to your situation but a duckduckgo search of the IP address (59.24.3.173) brought up a mention in the following article:
http://www.dit-inc.us/node/122
Andrew Hazelden, VFX Artist
Personal Blog: www.AndrewHazelden.com

:O2: SGI O2, 195 MHz R10K, 320 MB ram, AV1 Video i/o card, 36GB HD
Cache poisoning is bad news. What is your DNS server, bind? What version?
smit happens.

:Fuel: bigred , 900MHz R16K, 4GB RAM, V12 DCD, 6.5.30
:Indy: indy , 150MHz R4400SC, 256MB RAM, XL24, 6.5.10
:Indigo2IMP: purplehaze , R10000, Solid IMPACT
probably posted from bruce , Quad 2.5GHz PowerPC 970MP, 16GB RAM, Mac OS X 10.4.11
plus IBM POWER6 p520 * Apple Network Server 500 * HP C8000 * BeBox * Solbourne S3000 * Commodore 128 * many more...
hazelden wrote: Is it possible that the great firewall of China might be kicking in ...

The gfw is predictable : bad sites get dumped to a nonexistent ip, so they never show up. This isn't foolproof but it catches 98% of the traffic and that's all they care about. And it doesn't (generally) mess with your dns except for things like facebleep, so that's not a big issue.

hazelden wrote: the IP address (59.24.3.173) brought up a mention in the following article:
http://www.dit-inc.us/node/122

Laughing :P

Umm, did you think I would be able to go to a place advertising "a free and uncensored Internet" ? :P :P (Except everything you do now goes through their proxy ... no conflict of interest there, I guess ...)

At least I am pretty sure the US Navy is not searching through my computer for child pornography ... six of one, half dozen of the other. Mom, better prepare that cave in the woods, I'ma comin' ...

ClassicHasClass wrote: Cache poisoning is bad news. What is your DNS server, bind? What version?

It's Cisco IOS 12.3.something.

It's not a problem since the acl's seem to stop it successfully. The bad ip's could come in through bad website requests - I tried to control the Assistant's browsing once, got a terrible kink in my back from sleeping in the dog bed. But the odd thing is, facebook, youtube, and tweeter are all dumped to ground here with a

Code:

ip host facesheet.crap 127.0.0.1
ip host tweeter.garbage 127.0.0.1

and so on. So I'm curious how people manage to poison the dns by adding www_fAcESheEt.com [the underscore is to keep php from turning that into a link] to existing entries ? DNS is case sensitive ? It should have just found the existing ip instead of adding a new one ?

I'm also kind of curious how you'd add a phony entry in general. The router is set up to look upstream to certain designated servers to get ip's, not any old site on the innernet.

An interesting (simple) example :

http://ketil.froyn.name/poison.html

not what's going on here but worth a quick runthrough maybe ?
Last I looked, and it wasn't too long ago, there's nothing BIND can do to stop a classic man-in-the-middle DNS hijack. And what is the GFW if not a classic man-in-the-middle? Doesn't every packet headed out of or into the country go through the GFW? They can bork with them any way they like... :cry:
Project:
Temporarily lost at sea...
Plan:
World domination! Or something...
You can play with this sort of thing using Ettercap, I believe. As a young lad, I used that program to do ARP poisoning on my dormitory network, in both directions, so everything going to or from the gateway was routed through my own machine. Then I could turn on or off services by blocking certain ports, or inspect any network traffic. I would try blocking off ports occasionally, and then I would hear complaints from down the hall that AIM was blocked, or email was blocked. It was amazing how simple it was to reroute all this traffic, although I definitely don't remember the details of exactly how to use this program.

For ARP poisoning, it works by basically broadcasting ARP information. Like "Hey, everyone, 192.168.1.15 is at MAC address such-and-such." For DNS, the MITM would simply rewrite the DNS responses, I believe. These are pretty simple protocols, so they are probably easy to fake and manipulate for the GFW.
Debian GNU/Linux on a ThinkPad, running a simple setup with FVWM.
vishnu wrote: Last I looked, and it wasn't too long ago, there's nothing BIND can do to stop a classic man-in-the-middle DNS hijack. And what is the GFW if not a classic man-in-the-middle? Doesn't every packet headed out of or into the country go through the GFW? They can bork with them any way they like... :cry:

Ja, I'm pretty sure now that this is all coming from Above. When I saw FacEbOOk.com and w ww.TwItTer.com with an ip in Korea, I thought someone else was managing to mess us up. But no, most likely just good ol' China Telecom.

Of course, one nasty side-effect of poisoned dns is that it spreads everywhere, so you really have no idea where it's coming from. It's kind of a pita.

Have an idea to get around them but not telling what it is :D
hamei wrote: Have an idea to get around them but not telling what it is :D
Satellite Internet?! :shock:
ClassicHasClass wrote: Or, maybe this: http://www.theregister.co.uk/2014/09/15 ... ing_world/

Mining Investorite... :lol:
ClassicHasClass wrote: Or, maybe this: http://www.theregister.co.uk/2014/09/15 ... ing_world/

They already scan all the sms ... had a friend get his shut off for accidentally using a forbidden word. Doubtless the NSA does the same thing, except instead of shutting you off they disappear you to gitmo :shock:

What's kind of interesting and kind of aggravating is that all these bogus ip's keep showing up for places I should never go. For instance, tweeter is blocked off seven ways from Sunday. The proxy blocks it, the router grounds it to 127.0.0.1, no tweeter requests should be going anywhere. But if I look in the dns cache

Code:

sh hosts
...
twitter.com               None  (perm, OK) 14   IP    127.0.0.1
www.twitter.com
...
platform.twitter.com      None  (temp, OK)  3   IP    59.24.3.173

I don't wanna go theah. Eleanoah doesn't wanna go theah. I sure as hell didn't put that there. Yet it keeps appearing in the dns. Now I kill the little bastard ...

Code:

conf t
ip host platform.twitter.com 127.0.0.1
<ctrl z>
copy run start
exit

then in another day or two there will be
bogus ip wrote: umgawabwana.twitter.com IP 59.24.3.173
Is there really an ac.duckduckgo.com located at 46.51.216.186 ? This claims to be Amazon Cloud registered through Ireland ?
whois wrote: % Information related to '46.51.216.0 - 46.51.223.255'

% Abuse contact for '46.51.216.0 - 46.51.223.255' is '[email protected] '

inetnum: 46.51.216.0 - 46.51.223.255
netname: AMAZON-EU-CF
descr: Amazon AWS Services - Cloudfront
country: IE
admin-c: ADSI2-RIPE
tech-c: ADSI2-RIPE
status: ASSIGNED PA
mnt-by: MNT-ADSI
source: RIPE # Filtered

role: Amazon Data Services Ireland Technical Role Account
address: Amazon Data Services Ireland
address: Digital Depot
address: Thomas Street
address: Dublin 8
address: Ireland
mnt-by: MNT-ADSI
admin-c: MA11338-RIPE
tech-c: AA25560-RIPE
nic-hdl: ADSI2-RIPE
source: RIPE # Filtered

This is a puzzle and a half, to separate the real ip's from the fifth column liars ... and I'm not sure how much of this is websites lying about who and where they really are, either. Or hidden schmutz from the less scrupulous sites.

I give it five years before the web implodes under the weight of all this advertising crap.
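The two cache listings in this thread (mixed-case names that all land on 59.24.3.173, and a temp platform.twitter.com sitting next to the perm twitter.com sinkhole) are the kind of thing a quick review script can flag. This is an added example, not code from the thread or from Cisco: it parses a constructed listing laid out like IOS `show hosts`, folds case before comparing names (DNS names compare case-insensitively, RFC 4343), and the "registrable domain" helper is a last-two-labels simplification.

```python
import re
from collections import defaultdict
# Constructed `show hosts` listing: the thread's entries plus a benign temp one.
SAMPLE = """\
Host                      Port  Flags      Age Type   Address(es)
Www.facEbook.com          None  (temp, OK)  0   IP    59.24.3.173
Www.youTube.com           None  (temp, OK)  1   IP    59.24.3.173
TwitteR.com               NA    (temp, OK)  1   IP    59.24.3.173
twitter.com               None  (perm, OK) 14   IP    127.0.0.1
www.twitter.com
platform.twitter.com      None  (temp, OK)  3   IP    59.24.3.173
mirror.example.net        None  (temp, OK)  2   IP    192.0.2.10
"""
LINE = re.compile(r"^(\S+)\s+(\S+)\s+\((\w+),\s*(\w+)\)\s+(\d+)\s+(\w+)\s+(\S.*)$")

def parse_show_hosts(text):
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # header, "..." separators and bare alias lines
        host, _port, kind, _state, age, _rtype, addrs = m.groups()
        entries.append({"host": host, "kind": kind, "age": int(age), "addrs": addrs.split()})
    return entries

def registrable(host):
    # Simplification: the last two labels stand in for the registrable domain.
    return ".".join(host.lower().split(".")[-2:])

def shared_temp_addresses(entries, min_domains=2):
    # Learned (temp) entries for unrelated domains that all resolve to one address.
    by_addr = defaultdict(set)
    for e in entries:
        if e["kind"] == "temp":
            for addr in e["addrs"]:
                by_addr[addr].add(registrable(e["host"]))
    return {a: sorted(d) for a, d in by_addr.items() if len(d) >= min_domains}

def case_variant_conflicts(entries):
    # Names differing only in case are one DNS name; flag groups holding >1 address.
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["host"].lower()].append(e)
    conflicts = []
    for name, group in sorted(by_name.items()):
        addrs = {a for e in group for a in e["addrs"]}
        if len(group) > 1 and len(addrs) > 1:
            conflicts.append((name, sorted(addrs)))
    return conflicts
```

Run against a real `show hosts` capture, the first function shows which single address is collecting unrelated domains and the second shows where a learned entry contradicts a configured `ip host` sinkhole.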
Makes you wonder how many so-called national security services have backdoors provided graciously and at no extra charge by Cisco, all in the interest of Doing the Right Thing and Not Being Evil... :shock:
vishnu wrote: Makes you wonder how many so-called national security services have backdoors provided graciously and at no extra charge by Cisco, all in the interest of Doing the Right Thing and Not Being Evil... :shock:

Was just talking to someone (in the US) about a possible method around this situation, he said, "Oh, but the NSA is sneakier. They don't outright block you, they inject fake 404 pages." And then he went on to describe how he came to that conclusion ...

2 + 2 = 5 ! really, it does, it does !
Hmm, to me this smells like someone is exploiting a bug in IOS' domain lookup. Remember those?

Code:

www.microsoft.com.is.a.turd.com

Edit: changed it so your browser won't preemptively load that site if it actually exists.
:Octane: halo , oct ane knightrider , d i g i t a l AlphaPC164, pond , soekris net6501, misc cool stuff in a rack
N.B.: I tend to talk out of my ass. Do not take it too seriously.
duck wrote: Hmm, to me this smells like someone is exploiting a bug in IOS' domain lookup. Remember those?

Code:

www.microsoft.com.is.a.turd.com

Edit: changed it so your browser won't preemptively load that site if it actually exists.

It redirects to turd.com, "buy this domain !" :P

At this point I'm thinking it's probably China Telecom, especially since the domains are tweeter and facebook. Not sure what is up with duckduck, whether that is real or a fraud. Also, there is no phony tweeter or facebleep at the Korean ip to steal your passwords, so what would be the point, except to keep you from going to the real thing ?

The "how" of it is still a mystery tho. I've searched around for the exact means of poisoning a dns cache but there is almost nothing. Plenty of "Oooh ! Oooh ! The bad people can hack into your computer ! Be afraid ! Be very afraid !" but no description of the mechanics of it. Without knowing exactly how it's done, pretty hard to check what is happening. What's even stranger is, those are places we don't go.

China Telecom is easy - they just intercept all the dns and send back bad ip's for places they don't like. How they would add domains I didn't ask for is the mystery ... although with web browsers these days, who knows what you are asking for ?

DNS is a pretty easy subject when it's done according to the rules. When you know you are being poisoned it gets trickier :shock: