Identity Theft Hits the Root Name Servers
aos101 writes "The Renesys blog has an interesting story about networks advertising the old address space of the L root name server after ICANN changed the IP address last November. These networks were also running root name servers on the old IP address of the L root name server up until last week, so any DNS servers still using the old IP address might have been getting their answers from these bogus name servers. A very cursory examination by Renesys of one of these bogus servers found that it appeared to be providing correct responses, which might be why no one noticed the problem. As Renesys points out, the volume of traffic to a root server is staggering, so the people running these bogus root servers must have had a reason. What did they get out of it?"
nonsense. the article is very clear: here's what happened:
icann hosted L-root on ip addresses they didn't have an exclusive right to use.
they decided to stop doing that and moved L-root to somewhere else.
shortly thereafter someone else decided to operate a name server on the very same IP addresses.
that's *what* happened. perhaps you meant to say that the article doesn't say *why* it happened. that would be a fair criticism.
From the link in the FA:
...
http://blog.icann.org/?p=227
It is expected that the old address will continue to work for at least six months after the transition, but will ultimately be retired from service.
1st November 2007 -> 1st May 2008 is 6 months. So they left it a few days over 6 months.
Tim.
God said, "div D = rho, div B = 0, curl E = -@B/@t, curl H = J + @D/@t," and there was light.
You can get your root server hints file from:
ftp://ftp.internic.net/domain/named.cache
Slashdot's junk filter won't allow a cut and paste of the file's contents into a post.
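As an added example (not part of the thread, and not code from ICANN, Renesys or InterNIC), here is a small check a resolver operator could run after a root-server renumbering like the L-root move: it parses a named.cache-style hints file and reports any root-server address that no longer matches a trusted current list. The sample hints text and the "current" address table are constructed inline using RFC 5737 documentation addresses, so none of the IPs are real root-server addresses; the `CURRENT_ADDRESSES` table is a hypothetical stand-in for a freshly fetched copy of the hints file.

```python
"""Check a BIND-style root hints file (named.cache layout) for stale
root-server addresses after a renumbering.

Added example, not from the Slashdot thread. All addresses are
RFC 5737 documentation addresses used as placeholders.
"""
from typing import Dict, List, Set, Tuple

# Constructed sample in the named.cache layout: ';' comment lines,
# NS records for the root, and A glue for each listed root server.
SAMPLE_HINTS = """\
;       This file holds the information on root name servers needed to
;       initialize cache of Internet domain name servers
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     192.0.2.1
.                        3600000      NS    L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.      3600000      A     192.0.2.12
"""

# Hypothetical "current" table an operator keeps from a trusted source
# (e.g. a freshly downloaded hints file). L's entry deliberately differs
# from the sample above to simulate an old address lingering in a stale file.
CURRENT_ADDRESSES: Dict[str, Set[str]] = {
    "A.ROOT-SERVERS.NET.": {"192.0.2.1"},
    "L.ROOT-SERVERS.NET.": {"203.0.113.42"},
}


def parse_hints(text: str) -> Tuple[Dict[str, Set[str]], List[str]]:
    """Parse hints text.

    Returns (glue, warnings): glue maps each root-server name to the set
    of A/AAAA addresses found for it; warnings lists names advertised as
    root NS with no glue at all, which a resolver could not use.
    """
    ns_names: Set[str] = set()
    glue: Dict[str, Set[str]] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4 or not fields[1].isdigit():
            continue  # not an "owner TTL TYPE RDATA" record line
        owner, rtype, rdata = fields[0].upper(), fields[2].upper(), fields[3]
        if owner == "." and rtype == "NS":
            ns_names.add(rdata.upper())
        elif rtype in ("A", "AAAA"):
            glue.setdefault(owner, set()).add(rdata)
    warnings = [n for n in sorted(ns_names) if n not in glue]
    return glue, warnings


def stale_entries(glue: Dict[str, Set[str]],
                  current: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Return (name, address) pairs present in the hints file but absent
    from the trusted current table; these are the entries that would
    send root queries to whoever now holds the old address."""
    stale = []
    for name, addrs in sorted(glue.items()):
        for addr in sorted(addrs):
            if addr not in current.get(name, set()):
                stale.append((name, addr))
    return stale


if __name__ == "__main__":
    glue, warnings = parse_hints(SAMPLE_HINTS)
    for name in warnings:
        print(f"WARNING: {name} listed as root NS but has no glue address")
    for name, addr in stale_entries(glue, CURRENT_ADDRESSES):
        print(f"STALE: {name} -> {addr} is not in the current root hints")
```

Running the block against the constructed sample flags only the L entry, which is the situation the thread describes: a resolver whose hints still carry the old address keeps priming its cache from whatever now answers there. The same parser works on a real named.cache once `CURRENT_ADDRESSES` is replaced by a table built from a trusted copy.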
I honestly doubt that typo-squatters care about the millions of requests for com, net, org, and all the other TLDs and ccTLDs, which is all you'll get if you have control of a root server. If someone makes a typo on some com domain, it won't make it any further than com's servers, so having control of the root is rather moot unless someone also makes a typo in the TLD.
On the other hand, the person in control of the root could give bogus records for the name servers for something like com. This is unlikely to be a major problem since the TTL on all the records served by the root is 120 days. Most people are going to be querying a caching name server of some sort, so it's statistically unlikely to affect much of the population before it is detected and dealt with.
Not to plug my own work too much, but as a part of my research, I work with a team that monitors DNSSEC deployment. This is something we would in theory be able to see from our distributed polling framework, and our datasets going back to 2005 don't show anything like a rogue TLD server being published. Kind of unfortunate in a way, being that DNS isn't exactly the most interesting research topic at face value.