Re: [Full-disclosure] OpenDNS is acting improperly !!!

From: Jamie Riden (jamie.ridengmail.com)
Date: Sun Aug 01 2010 - 17:53:00 CDT


Yes, I believe anything which should be an NXDOMAIN from openDNS will
get returned as an IP address of their web search service page.

I don't particularly like it, but then I've always been a non-paying
user of openDNS when I have required them, so I don't like to moan too
loudly. It's arguably a good thing when they subvert the actual DNS
responses for known malware sites, so the whole service may not be the
one for DNS purists.

I don't think it's quite the same as when Verisign did it, because
we've all got a choice whether to use openDNS or not. And I suspect
most of us use it free. So, as you say, choose another provider or use
the BIND wildcard/fake NXDOMAIN patch.

cheers,
 Jamie

On 31 July 2010 18:03, Paulo Cesar Breim (PCB) <paulobreim.com.br> wrote:
> NSLookup has the same problem. It always returns the OpenDNS IP.
> paulo
>
>
> On 31/07/2010, at 04:05, Jardel Weyrich wrote:
>
> NXDOMAIN manipulation is an old concern. I believe it's being redirected for
> a long time now, but they allow registered users to opt-out, afaik. And
> there are many ISPs practicing this.
> Additionally, if they're only manipulating A and AAAA records for NXDOMAIN
> responses, there should be no problem for an application that relies on
> existing domains. SERVFAIL must NOT be manipulated though.
> Why are you using ping? Use nslookup and/or dig.
> Here's a patch for BIND that allows you to BLACKLIST the IP addresses of the
> fake servers - http://sam.zoy.org/writings/internet/verisign/
> And here's a draft on this matter
> - http://tools.ietf.org/html/draft-livingood-dns-redirect-00
> Concluding, I'm not defending their approach - I don't like it either ;-)
> --
> jardel
> On Fri, Jul 30, 2010 at 7:23 PM, Paulo Cesar Breim <paulobreim.com.br>
> wrote:
>>
>> Dear everyone,
>>
>>
>> People who have changed their DNS Server to use the popular OpenDNS
>> (208.67.222.222; 208.67.220.220) are victims of a dangerous decision taken
>> by OpenDNS.
>>
>> When a user tries to access a non-existing host, OpenDNS manipulates the
>> result and provides the user with its own IP address. For example:
>>
>> Let us try to find the following server: “microsoft.apple.com”
>> If you are using OpenDNS and ping the above server this is what you get:
>>
>> ===================
>> PING microsoft.apple.com (67.215.65.132): 56data bytes
>> 64 bytes from 67.215.65.132: icmp_seq=0 ttl=49 time=192.743 ms
>> 64 bytes from 67.215.65.132: icmp_seq=1 ttl=49 time=194.997 ms
>> 64 bytes from 67.215.65.132: icmp_seq=2 ttl=49 time=200.954 ms
>> ^C
>> --- microsoft.apple.com ping statistics ---
>> 3 packets transmitted, 3 packets received, 0.0% packet loss
>> round-trip min/avg/max/stddev = 192.743/196.231/200.954/3.464 ms
>> ===================
>>
>> OpenDNS is telling the user that the server “microsoft.apple.com” not only
>> exists but its IP address is 67.215.65.132 !!!
>> ...and who is this IP? It is OPENDNS-NET-3.
>>
>> If, instead, you use Google’s DNS and ping the above server, this is what
>> you get:
>>
>> ===================
>> PCB-2:~ paulo$ ping microsoft.apple.com
>> ping: cannot resolve microsoft.apple.com: Unknown host
>> PCB-2:~ paulo$
>> ===================
>>
>> Which is the most adequate reply from the DNS server.
>>
>> So my suggestion is that you should select and use a TRUE DNS Server.
>>
>> Paulo Cesar Breim
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/

--
Jamie Riden / jamiehoneynet.org / jamie.ridengmail.com
http://uk.linkedin.com/in/jamieriden
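The thread makes two testable points: Jardel's remark that the rewrite only affects A/AAAA answers for names that should return NXDOMAIN (and that SERVFAIL must be left alone), and Paulo's observation that a name like microsoft.apple.com comes back as 67.215.65.132 instead of "Unknown host". The script below is an added example, not code from anyone in the thread: it builds a DNS query, parses a raw response far enough to read the RCODE and any A/AAAA answers, and classifies the reply for a name that is known not to exist. The two sample packets are constructed inline (the address 67.215.65.132 is the one quoted above; the `probe_resolver` helper and the `example.com` base domain are assumptions for a live check against whichever resolver you use, and are not exercised offline).

```python
"""Spot NXDOMAIN redirection by inspecting raw DNS responses.

Added example; the sample packets are constructed here, not captured.
"""
import random
import socket
import string
import struct

RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}
TYPE_A, TYPE_AAAA = 1, 28


def encode_name(qname):
    """Wire-format a dotted name as length-prefixed labels."""
    labels = qname.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype=TYPE_A, txid=0x1234):
    """Minimal recursive query: 12-byte header (RD=1) plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def build_response(qname, rcode, a_records=(), txid=0x1234):
    """Construct a response packet (sample data only). Answer names use a
    compression pointer (0xC00C) back to the question, as real resolvers do."""
    flags = 0x8180 | rcode                          # QR=1, RD=1, RA=1, rcode
    header = struct.pack("!HHHHHH", txid, flags, 1, len(a_records), 0, 0)
    body = encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    for ip in a_records:
        body += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 0, 4) + socket.inet_aton(ip)
    return header + body


def read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                   # compression pointer
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if jumped else offset


def parse_response(msg):
    """Return the RCODE name and the A/AAAA answers carried in a response."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):                              # skip the question section
        _, offset = read_name(msg, offset)
        offset += 4                                  # qtype + qclass
    answers = []
    for _ in range(an):
        name, offset = read_name(msg, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == TYPE_A and rdlen == 4:
            answers.append((name, "A", socket.inet_ntoa(rdata)))
        elif rtype == TYPE_AAAA and rdlen == 16:
            answers.append((name, "AAAA", socket.inet_ntop(socket.AF_INET6, rdata)))
    rcode = flags & 0xF
    return {"rcode": RCODE_NAMES.get(rcode, str(rcode)), "answers": answers}


def classify(parsed):
    """Verdict for a reply to a name that is known not to exist."""
    if parsed["rcode"] == "NXDOMAIN":
        return "honest"                              # the "Unknown host" case
    if parsed["rcode"] == "SERVFAIL":
        return "servfail"                            # resolver trouble, not a rewrite
    if parsed["rcode"] == "NOERROR" and parsed["answers"]:
        return "redirected"                          # NXDOMAIN turned into an address
    return "unexpected"


def probe_resolver(resolver_ip, base_domain="example.com", timeout=3.0):
    """Live check (assumed helper, not run offline): ask resolver_ip for a random
    label under base_domain, which should not exist, and classify the reply."""
    label = "".join(random.choices(string.ascii_lowercase, k=12))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(f"{label}.{base_domain}"), (resolver_ip, 53))
        data, _ = sock.recvfrom(4096)
    return classify(parse_response(data))


# Constructed sample replies for the name used in the thread.
QNAME = "microsoft.apple.com"
HONEST_REPLY = build_response(QNAME, 3)                         # NXDOMAIN
REDIRECTED_REPLY = build_response(QNAME, 0, ["67.215.65.132"])  # NOERROR + A record

if __name__ == "__main__":
    for tag, pkt in [("honest", HONEST_REPLY), ("redirected", REDIRECTED_REPLY)]:
        parsed = parse_response(pkt)
        print(tag, parsed["rcode"], parsed["answers"], "->", classify(parsed))
```

Querying a random label is what makes the check meaningful: a fixed name such as microsoft.apple.com could be cached or special-cased, while a fresh random label under a domain you know has no wildcard must come back NXDOMAIN from a resolver that is not rewriting answers. The classifier deliberately keeps SERVFAIL separate, since a resolver that fails is a different problem from one that substitutes its own address.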
