NXDOMAIN Hijacking – A huge problem caused solely for profit

7 01 2014

One of the contemporary issues that my area of IT is currently discussing is what DNS is being used for that it was not designed to do. Paul Vixie (2009) wrote an article entitled What DNS is not, which summed up the key issues with using DNS to serve ads through NXDOMAIN responses (pg. 44).

NXDOMAIN, also known as RCODE=3 (Mockapetris, 1987, pg. 27), was designed to signal a negative answer to a DNS query: the queried name does not exist. Modern DNS resolvers at times use these results in a way they were not intended. Instead of the typical “error page” that a web browser would usually report, results from the OpenDNS name servers return a NOERROR response and point the results to an advertising server (Vixie, 2009, pg. 44).

Let’s look at an example. Using a domain that I know does not exist, I can do a query against the caching servers from Google at the IP address 8.8.8.8 and the ones at OpenDNS at 208.67.222.222. These are shown below.

> typeitwrong.com
Server: 8.8.8.8
Address: 8.8.8.8#53

** server can't find typeitwrong.com: NXDOMAIN
> server 208.67.222.222
Default server: 208.67.222.222
Address: 208.67.222.222#53
> typeitwrong.com
Server: 208.67.222.222
Address: 208.67.222.222#53

Non-authoritative answer:
Name: typeitwrong.com
Address: 67.215.65.132

While the caching servers at Google correctly report the domain as NXDOMAIN, the name servers at OpenDNS give a NOERROR response and send a non-authoritative answer with the IP address 67.215.65.132. Performing a reverse DNS query on that IP address, we see that OpenDNS has routed the NOERROR response to one of their own servers.

> 67.215.65.132
Server: 127.0.1.1
Address: 127.0.1.1#53

Non-authoritative answer:
132.65.215.67.in-addr.arpa name = hit-nxdomain.opendns.com.

Authoritative answers can be found from:
>

Now, this happens on any DNS lookup that should report an NXDOMAIN when querying the OpenDNS servers. I guess the next question is, why is this such a big deal? Well, for Internet browsing traffic it really is not that bad, but for other programs that count on correct information from a TCP/IP stream, the wrong information can be cached locally, causing grave errors in scripting.
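To turn the nslookup comparison above into a repeatable check, here is an added Python example (it is not code from the original post). It builds an RFC 1035 A query for a probe name, parses the reply header and answer section, and classifies the reply by its RCODE: 3 (NXDOMAIN) is an honest negative answer, while RCODE 0 plus an A record for a name that cannot exist means the resolver rewrote the NXDOMAIN. All function and constant names are my own; the two sample replies are constructed from the values seen in the post (typeitwrong.com and 67.215.65.132) so the script runs offline, and probe_resolver() is an optional live check that needs network access to the resolver being tested.

```python
import random
import socket
import string
import struct

RCODE_NOERROR = 0
RCODE_NXDOMAIN = 3   # RFC 1035 section 4.1.1: "Name Error"
TYPE_A = 1
CLASS_IN = 1


def encode_name(name):
    """Encode a dotted name as length-prefixed labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, txid=0x1234):
    """Standard recursive (RD=1) query for an A record, RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)


def build_response(query, rcode, addrs, ttl=0):
    """Constructed reply to `query`; used here only to simulate two resolvers."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | rcode                      # QR=1, RD=1, RA=1, RCODE=rcode
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(addrs), 0, 0)
    msg += query[12:]                           # echo the question section
    for a in addrs:
        rdata = bytes(int(o) for o in a.split("."))
        # 0xC00C is a compression pointer back to the QNAME at offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4) + rdata
    return msg


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:               # compression pointer: follow it
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            end = end if end is not None else off + 2
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg):
    """Return (rcode, list of A-record addresses) from a DNS reply."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):                         # skip the question section
        _, off = _read_name(msg, off)
        off += 4                                # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_A and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return rcode, addrs


def classify(rcode, addrs):
    """Label a reply to a probe name that is known not to exist."""
    if rcode == RCODE_NXDOMAIN:
        return "honest NXDOMAIN"
    if rcode == RCODE_NOERROR and addrs:
        return "NXDOMAIN rewritten to " + ", ".join(addrs)
    return "unexpected reply (rcode %d)" % rcode


def random_probe_name(tld="com"):
    """A random 16-letter label under a real TLD: practically certain not to exist."""
    label = "".join(random.choice(string.ascii_lowercase) for _ in range(16))
    return "%s.%s" % (label, tld)


def probe_resolver(resolver_ip, qname=None, timeout=2.0):
    """Send a real probe over UDP/53 and classify the answer (needs network)."""
    query = build_query(qname or random_probe_name())
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver_ip, 53))
        reply, _ = s.recvfrom(512)
    return classify(*parse_response(reply))


if __name__ == "__main__":
    # Offline demonstration: constructed replies modelled on the post's two lookups.
    q = build_query("typeitwrong.com")
    honest = build_response(q, RCODE_NXDOMAIN, [])
    rewritten = build_response(q, RCODE_NOERROR, ["67.215.65.132"])
    print("8.8.8.8-style reply:       ", classify(*parse_response(honest)))
    print("208.67.222.222-style reply:", classify(*parse_response(rewritten)))
```

Probing with a random label rather than a fixed test name matters: a resolver could special-case a well-known name, whereas a random 16-letter label under a real TLD is, for practical purposes, guaranteed to be absent, so any A record in a NOERROR reply can only have come from the resolver itself.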

This is just one of the many abuses DNS is subjected to instead of being used as it was originally designed.

Mockapetris, P. (1987, November). Domain names – Implementation and specification (RFC 1035). Retrieved January 7, 2014, from tools.ietf.org/html/rfc1035

Vixie, P. (2009). What DNS is not. Communications of the ACM, 52(12), 43-47. doi:10.1145/1610252.1610269


AIX (Unix) DNS caching

16 11 2013

Yes, UNIX is capable of caching DNS records. I had a discussion with a Unix developer the other day who stated that Unix did not cache DNS entries; it queried the name servers every time. I quickly remembered my coworker pointing out something he found about AIX and caching of DNS entries. Here is the link: https://www.ibm.com/developerworks/community/blogs/cgaix/entry/aix_6_1_resolv_conf_and_netcd?lang=en