
SANS ISC: Domaincontrol (GoDaddy) Nameservers DNS Poisoning - SANS Internet Storm Center SANS ISC InfoSec Forums

Domaincontrol (GoDaddy) Nameservers DNS Poisoning


Some name servers hosted by GoDaddy deliver somewhat odd results, similar to what you would expect to see as a result of a DNS hijacking attack. Any query to and returns the same IP address ( and additional information making these two domain servers authoritative for .com or .org respectively.

I added an example "dig" output below.

Please note that a DNS resolver should ignore the additional information, as it is "out of bailiwick". But we have a report that this actually caused a DNS server to be poisoned (we are still trying to figure out why). At this point, the poisoning doesn't look malicious. The IP address will lead you to the default GoDaddy "Parked Domain" page. It is possible that GoDaddy made itself "authoritative" for .com / .org to more easily redirect users to these parked pages. is registered to "Wild West Domains, Inc.". The servers are hosted in GoDaddy IP space.

Example dig output:


; <<>> DiG 9.4.2-P1 <<>>
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17600
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;            IN    A

;; ANSWER SECTION:
        3600    IN    A

com.            3600    IN    NS
com.            3600    IN    NS

;; Query time: 50 msec
;; WHEN: Wed Oct  8 11:26:49 2008
;; MSG SIZE  rcvd: 99
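
The out-of-bailiwick rule mentioned above, as an added Python example (not code from the original diary or from any resolver implementation): a resolver that reached a server through the delegation for one domain should discard authority and additional records whose owner name lies outside that domain, such as NS records for com. itself. All names and addresses are constructed placeholders, and `labels`, `in_bailiwick` and `scrub` are hypothetical helper names.

```python
# Added illustration: bailiwick filtering of a DNS response.
# Every name, address and helper below is constructed for this example.

def labels(name):
    """Split a domain name into lowercase labels; the root zone is []."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []

def in_bailiwick(owner, zone):
    """True if owner equals zone or is a subdomain of it.

    Compared label by label: a plain string-suffix test would wrongly
    accept notparked.example.com. for the zone parked.example.com.
    """
    o, z = labels(owner), labels(zone)
    return len(o) >= len(z) and o[len(o) - len(z):] == z

def scrub(response, zone):
    """Split authority/additional records into (kept, dropped).

    zone is the delegation the resolver followed to reach this server;
    records owned by names outside it must not be cached.
    """
    kept, dropped = [], []
    for section in ("authority", "additional"):
        for rr in response.get(section, []):
            target = kept if in_bailiwick(rr[0], zone) else dropped
            target.append((section, rr))
    return kept, dropped

# Constructed response shaped like the dig output above: a server reached via
# the delegation for parked.example.com. also claims NS records for com.
SAMPLE = {
    "answer": [("www.parked.example.com.", 3600, "A", "192.0.2.10")],
    "authority": [
        ("parked.example.com.", 3600, "NS", "ns1.hosting.example.net."),
        ("com.", 3600, "NS", "ns1.hosting.example.net."),
        ("com.", 3600, "NS", "ns2.hosting.example.net."),
    ],
    "additional": [],
}

if __name__ == "__main__":
    kept, dropped = scrub(SAMPLE, "parked.example.com.")
    for section, rr in dropped:
        print("DROP out-of-bailiwick", section, rr)
    for section, rr in kept:
        print("KEEP", section, rr)
```
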

Johannes B. Ullrich, Ph.D.
SANS Technology Institute

ISC Handler
Oct 8th 2008
