SANS ISC: InfoSec Handlers Diary Blog - Domaincontrol (GoDaddy) Nameservers DNS Poisoning

Domaincontrol (GoDaddy) Nameservers DNS Poisoning

Published: 2008-10-08
Last Updated: 2008-10-08 18:01:29 UTC
by Johannes Ullrich (Version: 2)

Update: The DNS servers in question no longer send the fake authority records. Thanks GoDaddy for fixing this so fast.

Some name servers hosted by GoDaddy deliver somewhat odd results, similar to what you would expect to see as a result of a DNS hijacking attack. Any query to and returns the same IP address ( and additional information making these two domain servers authoritative for .com or .org respectively.

I added an example "dig" output below.

Please note that a DNS resolver should ignore the additional information, as it is "out of bailiwick". But we have a report that this actually caused a DNS server to be poisoned (still trying to figure out why). At this point, the poisoning doesn't look malicious. The IP address will lead you to the default GoDaddy "Parked Domain" page. It is possible that GoDaddy made itself "authoritative" for .com / .org to more easily redirect users to these parked pages. is registered to "Wild West Domains, Inc.". The servers are hosted in GoDaddy IP space.

Example dig output:

; <<>> DiG 9.4.2-P1 <<>>
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17600
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;            IN    A

;; ANSWER SECTION:        3600    IN    A

com.            3600    IN    NS
com.            3600    IN    NS

;; Query time: 50 msec
;; WHEN: Wed Oct  8 11:26:49 2008
;; MSG SIZE  rcvd: 99
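The bailiwick rule the diary refers to, as an added illustration (not code from the ISC diary or from GoDaddy): a resolver that queried a server delegated for one zone should only cache authority and additional records whose owner name lies inside that zone. The zone, names and records below are constructed to mirror the dig output above.

```python
# Added example: a bailiwick filter of the kind a recursive resolver applies
# before caching authority/additional records from a response.
# All names, records and the zone are constructed for illustration.

from typing import List, Tuple

Record = Tuple[str, str, str]  # (owner name, type, rdata); names are absolute


def _norm(name: str) -> str:
    """Lower-case the name and make sure it is absolute (trailing dot)."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if `owner` equals `zone` or lies beneath it in the DNS tree."""
    owner, zone = _norm(owner), _norm(zone)
    if zone == ".":
        return True
    return owner == zone or owner.endswith("." + zone)


def filter_response(zone: str, authority: List[Record], additional: List[Record]):
    """Split authority+additional records into (accepted, rejected).

    `zone` is the zone the queried server was delegated for. Records owned
    by names outside it (e.g. NS records for "com." from a server that is
    only delegated for example.com.) are rejected and should be logged
    rather than cached, which is what stops this kind of poisoning."""
    accepted, rejected = [], []
    for rec in authority + additional:
        (accepted if in_bailiwick(rec[0], zone) else rejected).append(rec)
    return accepted, rejected


# Constructed response modelled on the diary: the resolver asked the server
# delegated for example.com. and received NS records claiming all of com.
ZONE = "example.com."
AUTHORITY = [
    ("com.", "NS", "ns1.parked.example."),
    ("com.", "NS", "ns2.parked.example."),
    ("example.com.", "NS", "ns.example.com."),
]
ADDITIONAL = [
    ("ns.example.com.", "A", "192.0.2.10"),       # in-bailiwick glue, kept
    ("ns1.parked.example.", "A", "192.0.2.53"),   # foreign glue, dropped
]

if __name__ == "__main__":
    ok, bad = filter_response(ZONE, AUTHORITY, ADDITIONAL)
    for rec in bad:
        print("dropped out-of-bailiwick record:", rec)
```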

Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: dns godaddy hijacking