Is this a DNS Security hole??

Discussion in 'Computer Security' started by Ivan Yonge, Apr 30, 2004.

  1. Ivan Yonge

    Ivan Yonge Guest

    First of all, I am not an expert in DNS... that's why I am here to ask for
    help. Don't laugh at me if I am wrong.

    I have tested this with my domain, this seems like a security hole to me
    ...My domain is registered with Register.com

    1. Go to Register.com, login to my account (say "mycompany.com", doesn't
    matter)
    2. Add a new DNS entry
    3. They will ask for HOST NAME and IP ADDRESS (they used to ask HOST name
    only, not IP).
    4. type host="testing.victim.com" (the host of the victim)
    5. type ip = "24.102.80.12" (the IP address I want to point to, I just make
    it up)
    6. submit
    7. After 24 hours, all the world's DNS servers will resolve
    testing.victim.com as 24.102.80.12. If you PING testing.victim.com from any
    server outside the world say network-tools.com it gives you the
    24.102.80.12

    This is not good, now "testing.victim.com" is tied to the IP address, it
    doesn't even try to resolve it from "victim.com" 's DNS server..... why is
    this happening?? I have used http://network-tools.com/nslook/Default.asp
    to verify my result..

    If this is true, anyone can hijack other people's domain name using DNS and
    point to his IP address? this is scary..

    Help..
     
    Ivan Yonge, Apr 30, 2004
    #1

  2. Bill Unger

    Bill Unger Guest

    It's not scary at all, it is how the Internet works.

    Although those DNS changes propagate to thousands of downstream DNS servers
    throughout the world, only the "authoritative name server" can actually have
    changes made to the specific DNS records. Google "authoritative name
    server" to get more info on it.

    The bottom line is that although other name servers have copies of the
    records ( a, mx, etc ), only one can actually alter the values...

    "Ivan Yonge" <> wrote in message
    news:nnwkc.320455$...
    > First of all, I am not an expert in DNS... that's why I am here to ask for
    > help. Don't laugh at me if I am wrong.
    >
    > I have tested this with my domain, this seems like a security hole to me
    > ..My domain is registered with Register.com
    >
    > 1. Go to Register.com, login to my account (say "mycompany.com", doesn't
    > matter)
    > 2. Add a new DNS entry
    > 3. They will ask for HOST NAME and IP ADDRESS (they used to ask HOST name
    > only, not IP).
    > 4. type host="testing.victim.com" (the host of the victim)
    > 5. type ip = "24.102.80.12" (the IP address I want to point to, I just make
    > it up)
    > 6. submit
    > 7. After 24 hours, all the world's DNS servers will resolve
    > testing.victim.com as 24.102.80.12. If you PING testing.victim.com from any
    > server outside the world say network-tools.com it gives you the
    > 24.102.80.12
    >
    > This is not good, now "testing.victim.com" is tied to the IP address, it
    > doesn't even try to resolve it from "victim.com" 's DNS server..... why is
    > this happening?? I have used http://network-tools.com/nslook/Default.asp
    > to verify my result..
    >
    > If this is true, anyone can hijack other people's domain name using DNS and
    > point to his IP address? this is scary..
    >
    > Help..
     
    Bill Unger, Apr 30, 2004
    #2

  3. Chris

    Chris Guest

    "Ivan Yonge" <> wrote in message
    news:nnwkc.320455$...
    > First of all, I am not an expert in DNS... that's why I am here to ask for
    > help. Don't laugh at me if I am wrong.
    >
    > I have tested this with my domain, this seems like a security hole to me
    > ..My domain is registered with Register.com
    >
    > 1. Go to Register.com, login to my account (say "mycompany.com", doesn't
    > matter)
    > 2. Add a new DNS entry
    > 3. They will ask for HOST NAME and IP ADDRESS (they used to ask HOST name
    > only, not IP).
    > 4. type host="testing.victim.com" (the host of the victim)
    > 5. type ip = "24.102.80.12" (the IP address I want to point to, I just make
    > it up)
    > 6. submit
    > 7. After 24 hours, all the world's DNS servers will resolve
    > testing.victim.com as 24.102.80.12. If you PING testing.victim.com from any
    > server outside the world say network-tools.com it gives you the
    > 24.102.80.12
    >
    > This is not good, now "testing.victim.com" is tied to the IP address, it
    > doesn't even try to resolve it from "victim.com" 's DNS server..... why is
    > this happening?? I have used http://network-tools.com/nslook/Default.asp
    > to verify my result..
    >
    > If this is true, anyone can hijack other people's domain name using DNS and
    > point to his IP address? this is scary..
    >
    > Help..


    You cannot edit other people's domains/zone files. If you logged on to your
    domain management thingy and your domain is mydomain.com, and you create an A
    record, say testing.victim.com (with an IP address of course) then all you
    have created is testing.victim.com.yourdomain.com. Whatever hostname you
    define an A record for, the origin of the zone is appended.

    yourdomain.com IN SOA ns1.yourdomain.com hosty.yourdomain.com (
    <info for slaves etc...> )

    testing.victim.com IN A 24.102.80.12

    The result of this is just testing.victim.com.yourdomain.com IN A
    24.102.80.12

    Anyone querying the real domain, victim.com WILL NOT query your name server
    for that information. Your zone company.com cannot define any records for
    another domain, otherwise we would all be able to point www.microsoft.com to
    another server!

    Chris.
     
    Chris, May 13, 2004
    #3
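
The origin-appending rule described in post #3, as an added example that is not part of the original thread: a relative owner name gets the zone origin appended, while a name written with a trailing dot stays absolute and then falls outside the zone. The function names and the sample record lines are constructed for illustration.

```python
# Added illustration of zone-file owner-name qualification (RFC 1035 master-file rules).
# SAMPLE is constructed input; 192.0.2.10 is a documentation address.

def qualify(owner: str, origin: str) -> str:
    """Return the fully qualified owner name for a record in a zone with this origin."""
    origin = origin.rstrip(".").lower() + "."
    owner = owner.lower()
    if owner == "@":              # "@" stands for the zone origin itself
        return origin
    if owner.endswith("."):       # trailing dot: already absolute, nothing appended
        return owner
    return f"{owner}.{origin}"    # relative name: the origin is appended

def in_zone(fqdn: str, origin: str) -> bool:
    """True if fqdn is the zone apex or below it (label-wise suffix match)."""
    zone_labels = origin.rstrip(".").lower().split(".")
    name_labels = fqdn.rstrip(".").lower().split(".")
    return name_labels[-len(zone_labels):] == zone_labels

def load_records(origin, lines):
    """Parse 'owner IN A addr' lines into (accepted, rejected) lists of (fqdn, addr)."""
    accepted, rejected = [], []
    for line in lines:
        line = line.split(";", 1)[0].strip()   # drop zone-file comments
        if not line:
            continue
        fields = line.split()
        fqdn = qualify(fields[0], origin)
        # A zone is only authoritative for names at or below its origin.
        (accepted if in_zone(fqdn, origin) else rejected).append((fqdn, fields[-1]))
    return accepted, rejected

SAMPLE = [
    "testing.victim.com   IN A 24.102.80.12 ; relative: origin is appended",
    "testing.victim.com.  IN A 24.102.80.12 ; absolute: outside this zone",
    "@                    IN A 192.0.2.10   ; the zone apex",
]

if __name__ == "__main__":
    ok, bad = load_records("yourdomain.com", SAMPLE)
    for fqdn, addr in ok:
        print("in zone     ", fqdn, addr)
    for fqdn, addr in bad:
        print("out of zone ", fqdn, addr)
```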
  4. Barry Margolin

    In article <>, "Chris" <chris@nospam> wrote:
    > You cannot edit other people's domains/zone files. If you logged on to your
    > domain management thingy and your domain is mydomain.com, and you create an A
    > record, say testing.victim.com (with an IP address of course) then all you
    > have created is testing.victim.com.yourdomain.com. Whatever hostname you
    > define an A record for, the origin of the zone is appended.


    You seem to have totally missed the point of his complaint, as well as
    the entire thread that ensued after it? He's not dealing with a domain
    management tool, he's dealing with a domain registrar. The entry for
    testing.victim.com that he created was a new nameserver host, so the
    registrar entered it as a glue record in the .com domain.

    If you're going to respond to 2-week-old messages, don't you think you
    should read the rest of the thread first?

    --
    Barry Margolin,
    Arlington, MA
     
    Barry Margolin, May 13, 2004
    #4
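
An audit the owner of a domain could run over what the parent zone publishes, following the glue-record explanation in post #4 (added example, not part of the original thread). The parent-zone excerpt, its simplified three-column format, the expected-host list and the function names are all constructed assumptions.

```python
# Added illustration: flag address (glue) records in a parent zone that sit under
# a domain you own but that you did not register yourself.
# PARENT_ZONE is a constructed, simplified excerpt; 192.0.2.53 is a documentation address.
PARENT_ZONE = """\
victim.com.          NS  ns1.victim.com.
ns1.victim.com.      A   192.0.2.53
mycompany.com.       NS  testing.victim.com.
testing.victim.com.  A   24.102.80.12
"""

def parse(text):
    """Return (delegations, glue): {zone: {ns hosts}} and {host: {addresses}}."""
    delegations, glue = {}, {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        owner, rtype, rdata = fields[0].lower(), fields[1].upper(), fields[2].lower()
        if rtype == "NS":
            delegations.setdefault(owner, set()).add(rdata)
        elif rtype in ("A", "AAAA"):
            glue.setdefault(owner, set()).add(rdata)
    return delegations, glue

def is_under(name, domain):
    """Label-wise check that name is at or below domain."""
    n, d = name.rstrip(".").split("."), domain.rstrip(".").split(".")
    return n[-len(d):] == d

def audit_glue(text, domain, expected):
    """Return (host, address, zones delegated to that host) for every address
    record under `domain` that is missing from `expected` ({host: {addresses}})."""
    delegations, glue = parse(text)
    findings = []
    for host, addrs in sorted(glue.items()):
        if not is_under(host, domain):
            continue
        for addr in sorted(addrs - expected.get(host, set())):
            users = sorted(z for z, ns in delegations.items() if host in ns)
            findings.append((host, addr, users))
    return findings

if __name__ == "__main__":
    registered = {"ns1.victim.com.": {"192.0.2.53"}}   # hosts the owner registered
    for host, addr, users in audit_glue(PARENT_ZONE, "victim.com", registered):
        print(f"unexpected glue: {host} -> {addr}, used by {users}")
```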
  5. Chris

    Chris Guest


    > You seem to have totally missed the point of his complaint, as well as
    > the entire thread that ensued after it? He's not dealing with a domain
    > management tool, he's dealing with a domain registrar. The entry for
    > testing.victim.com that he created was a new nameserver host, so the
    > registrar entered it as a glue record in the .com domain.
    >
    > If you're going to respond to 2-week-old messages, don't you think you
    > should read the rest of the thread first?
    >
    > --
    > Barry Margolin,
    > Arlington, MA


    I just subscribed to comp.protocols.dns (before I looked at
    comp.protocols.dns.bind) and his question was the only item that appeared in
    this thread. He cross posted to two news groups and then posted the same
    question to a third group ... which I hadn't seen.

    Jeez!
     
    Chris, May 13, 2004
    #5
