Last Updated: 2008-10-08 18:01:29 UTC
by Johannes Ullrich (Version: 2)
Update: The DNS servers in question no longer send the fake authority records. Thanks GoDaddy for fixing this so fast.
Some name servers hosted by Godaddy deliver somewhat odd results, similar from what you would expect to see as a result of a DNS hijacking attack. Any query to ns51.domaincontrol.com and ns52.domaincontrol.com returns the same IP address (18.104.22.168) and additional information making these two domain servers authoritative for .com or .org respectively.
I added an example "dig" output below.
Please note, that a DNS resolver should ignore the additional information, as it is "out of bailiwick". But we have a report that this actually caused a DNS server to be poisoned (still trying to figure out why). At this point, the poisoning doesn't look malicious. The IP address will lead you to the default GoDaddy "Parked Domain" page. It is possible that GoDaddy made itself "authoritative" for .com / .org to more easily redirect users to these parked pages.
domaincontrol.com is registered to "Wild West Domains, Inc.". The servers are hosted in GoDaddy IP space.
Example dig output:
dig @ns52.domaincontrol.com www.yahoo.com
; <<>> DiG 9.4.2-P1 <<>> @ns52.domaincontrol.com www.yahoo.com
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17600
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;www.yahoo.com. IN A
;; ANSWER SECTION:
www.yahoo.com. 3600 IN A 22.214.171.124
;; AUTHORITY SECTION:
com. 3600 IN NS ns51.domaincontrol.com.
com. 3600 IN NS ns52.domaincontrol.com.
;; Query time: 50 msec
;; SERVER: 126.96.36.199#53(188.8.131.52)
;; WHEN: Wed Oct 8 11:26:49 2008
;; MSG SIZE rcvd: 99
Johannes B. Ullrich, Ph.D.
SANS Technology Institute