| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 1 Aug 2010 23:53:00 +0100 From: Jamie Riden <jamie.riden@...il.com> To: "Paulo Cesar Breim (PCB)" <paulo@...im.com.br> Cc: full-disclosure@...ts.grok.org.uk Subject: Re: OpenDNS is acting improperly !!! Yes, I believe anything which should be an NXDOMAIN from openDNS will get returned as an IP address of their web search service page. I don't particularly like it, but then I've always been a non-paying user of openDNS when I have required them, so I don't like to moan too loudly. It's arguably a good thing when they subvert the actual DNS responses for known malware sites, so the whole service may not be the one for DNS purists. I don't think it's quite the same as when Verisign did it, because we've all got a choice whether to use openDNS or not. And I suspect most of us use it free. So, as you say, choose another provider or use the BIND wildcard/fake NXDOMAIN patch. cheers, Jamie On 31 July 2010 18:03, Paulo Cesar Breim (PCB) <paulo@...im.com.br> wrote: > NSLookup has the same problem. Always return opendns IP. > paulo > > > On 31/07/2010, at 04:05, Jardel Weyrich wrote: > > NXDOMAIN manipulation is an old concern. I believe it's being redirected for > a long time now, but they allow registered users to opt-out, afaik. And > there are many ISPs practicing this. > Additionally, if they're only manipulating A and AAAA records for NXDOMAIN > responses, there should be no problem for an application that relies on > existing domains. SERVFAIL must NOT be manipulated though. > Why are you using ping? Use nslookup and/or dig. > Here's a patch for BIND that allows you to BLACKLIST the IP addresses of the > fake servers - http://sam.zoy.org/writings/internet/verisign/ > And here's a draft on this matter > - http://tools.ietf.org/html/draft-livingood-dns-redirect-00 > Concluding, I'm not defending their approach - I don't like it too ;-) > -- > jardel > On Fri, Jul 30, 2010 at 7:23 PM, Paulo Cesar Breim <paulo@...im.com.br> > wrote: >> >> Dear everyone, >> >> >> People who have changed their DNS Server to use the popular OpenDNS >> (208.67.222.222; 208.67.220.220) are victims of a dangerous decision taken >> by OpenDNS. >> >> When a user tries to access a non-existing host, OpenDNS manipulates the >> result and provides the user with its own IP address. For example: >> >> Let us try to find the following server: “microsoft.apple.com” >> If you are using OpenDNS and ping the above server this is what you get: >> >> =================== >> PING microsoft.apple.com (67.215.65.132): 56data bytes >> 64 bytes from 67.215.65.132: icmp_seq=0 ttl=49 time=192.743 ms >> 64 bytes from 67.215.65.132: icmp_seq=1 ttl=49 time=194.997 ms >> 64 bytes from 67.215.65.132: icmp_seq=2 ttl=49 time=200.954 ms >> ^C >> --- microsoft.apple.com ping statistics --- >> 3 packets transmitted, 3 packets received, 0.0% packet loss >> round-trip min/avg/max/stddev = 192.743/196.231/200.954/3.464 ms >> =================== >> >> OpenDNS is telling the user that the server “microsoft.apple.com” not only >> exists but its IP address is 67.215.65.132 !!! >> ..and who is this IP? it is OPENDNS-NET-3. >> >> If, instead, you use Google’s DNS and ping the above server, this is what >> you get: >> >> =================== >> PCB-2:~ paulo$ ping microsoft.apple.com >> ping: cannot resolve microsoft.apple.com: Unknown host >> PCB-2:~ paulo$ >> =================== >> >> Which is the most adequate reply from the DNS server. >> >> So my suggestion is that you should select and use a TRUE DNS Server. >> >> Paulo Cesar Breim >> >> People who have changed their DNS Server to use the popular OpenDNS >> (208.67.222.222; 208.67.220.220) are victims of a dangerous decision taken >> by OpenDNS. >> >> When a user tries to access a non-existing host, OpenDNS manipulates the >> result and provides the user with its own IP address. For example: >> >> Let us try to find the following server: “microsoft.apple.com” >> If you are using OpenDNS and ping the above server this is what you get: >> >> =================== >> PING microsoft.apple.com (67.215.65.132): 56data bytes >> 64 bytes from 67.215.65.132: icmp_seq=0 ttl=49 time=192.743 ms >> 64 bytes from 67.215.65.132: icmp_seq=1 ttl=49 time=194.997 ms >> 64 bytes from 67.215.65.132: icmp_seq=2 ttl=49 time=200.954 ms >> ^C >> --- microsoft.apple.com ping statistics --- >> 3 packets transmitted, 3 packets received, 0.0% packet loss >> round-trip min/avg/max/stddev = 192.743/196.231/200.954/3.464 ms >> =================== >> >> OpenDNS is telling the user that the server “microsoft.apple.com” not only >> exists but its IP address is 67.215.65.132 !!! >> ..and who is this IP? it is OPENDNS-NET-3. >> >> If, instead, you use Google’s DNS and ping the above server, this is what >> you get: >> >> =================== >> PCB-2:~ paulo$ ping microsoft.apple.com >> ping: cannot resolve microsoft.apple.com: Unknown host >> PCB-2:~ paulo$ >> =================== >> >> Which is the most adequate reply from the DNS server. >> >> So my suggestion is that you should select and use a TRUE DNS Server. >> >> Paulo Cesar Breim >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ > > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > -- Jamie Riden / jamie@...eynet.org / jamie.riden@...il.com http://uk.linkedin.com/in/jamieriden _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists