SANS ISC: Domaincontrol (GoDaddy) Nameservers DNS Poisoning SANS ISC InfoSec Forums

Domaincontrol (GoDaddy) Nameservers DNS Poisoning

 

Some name servers hosted by GoDaddy deliver somewhat odd results, similar to what you would expect to see as a result of a DNS hijacking attack. Any query to ns51.domaincontrol.com and ns52.domaincontrol.com returns the same IP address (68.178.232.99), plus additional information (NS records in the authority section) that makes these two name servers authoritative for .com or .org respectively.

I added an example "dig" output below.

Please note that a DNS resolver should ignore the additional information, as it is "out of bailiwick". But we have a report that this actually caused a DNS server to be poisoned (still trying to figure out why). At this point, the poisoning doesn't look malicious. The IP address will lead you to the default GoDaddy "Parked Domain" page. It is possible that GoDaddy made itself "authoritative" for .com / .org to more easily redirect users to these parked pages.

domaincontrol.com is registered to "Wild West Domains, Inc.". The servers are hosted in GoDaddy IP space.

Example dig output:

dig @ns52.domaincontrol.com www.yahoo.com

; <<>> DiG 9.4.2-P1 <<>> @ns52.domaincontrol.com www.yahoo.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17600
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;www.yahoo.com.            IN    A

;; ANSWER SECTION:
www.yahoo.com.        3600    IN    A    68.178.232.99

;; AUTHORITY SECTION:
com.            3600    IN    NS    ns51.domaincontrol.com.
com.            3600    IN    NS    ns52.domaincontrol.com.

;; Query time: 50 msec
;; SERVER: 208.109.255.26#53(208.109.255.26)
;; WHEN: Wed Oct  8 11:26:49 2008
;; MSG SIZE  rcvd: 99
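
A simplified version of the bailiwick check a resolver applies to a response like the one above, as an added example that is not part of the original diary. The zone name parked-example.com. is hypothetical, and the sample response is constructed to mirror the dig output.

```python
# Added example: simplified bailiwick filtering, not a full resolver.
def normalize(name):
    """Lower-case a DNS name and split it into labels (root = [])."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []

def in_bailiwick(owner, zone):
    """True if owner is the zone apex or a name below it (label-wise)."""
    o, z = normalize(owner), normalize(zone)
    return len(o) >= len(z) and o[len(o) - len(z):] == z

def parse_records(text):
    """Parse dig-style lines 'owner ttl class type rdata' into tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # skip blanks and dig section comments
        fields = line.split(None, 4)
        if len(fields) == 5:
            owner, ttl, rclass, rtype, rdata = fields
            records.append((owner, int(ttl), rclass, rtype, rdata))
    return records

def filter_response(zone, text):
    """Split records into (accepted, rejected) for the zone being queried."""
    accepted, rejected = [], []
    for rec in parse_records(text):
        (accepted if in_bailiwick(rec[0], zone) else rejected).append(rec)
    return accepted, rejected

# Constructed sample: the resolver was referred to this server for ZONE only.
ZONE = "parked-example.com."  # hypothetical delegated zone
RESPONSE = """
;; ANSWER SECTION:
www.parked-example.com.  3600  IN  A   68.178.232.99
;; AUTHORITY SECTION:
com.  3600  IN  NS  ns51.domaincontrol.com.
com.  3600  IN  NS  ns52.domaincontrol.com.
"""

if __name__ == "__main__":
    ok, dropped = filter_response(ZONE, RESPONSE)
    for rec in ok:
        print("accept", rec)
    for rec in dropped:
        print("reject (out of bailiwick)", rec)
```

The NS records for com. are rejected because com. is above the zone the server was asked about; a resolver that cached them would send all later .com lookups to these two servers.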


------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
