RE: Verisign DNS "attack"

  • From: "Eric Poole" <EPoole@xxxxxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 18 Sep 2003 14:11:45 -0700

This is interesting.  I have several personal sites that stopped working
today, www.hauntmasters.com being the most important.  West Coast people
I've spoken with can't connect but they can ping and tracert.  East
Coast seem ok.  Hmmmmm.....

_______________________________________________
Eric Poole
IS Security Analyst
Community Medical Centers <http://communitymedical.org/> 
1140 "T" Street, Fresno, California  93721
559-459-6784 (phone)  559-459-2045 (fax)


                -----Original Message-----
                From: "Frederic Giroux" <fgiroux@xxxxxxxxxxxxxx>
                Sent: Thursday, September 18, 2003 12:02 PM
                To: [ISAserver.org Discussion List]
                Subject: [isalist] Verisign DNS "attack"

                Hello All!
                 
                    For those of you that do not know yet, Verisign
made changes to the .com and .net DNS root structure (see article
below).  At first, I was fuming about it, but then I realized that we
could take advantage of the situation by redirecting anything that goes
to sitefinder.verisign.com to a web page of our choice.  Since you know
for a fact that the domain name does not exist, you simply build a page
stating that, instead of having a "host unknown" that could just mean
that their domain name server is unavailable.  If sitefinder shows, it
is because the name is not registered.
                 
                    Fred
                 
                 
                All your Web typos belong to us
                 
                By John Leyden <john.leyden@xxxxxxxxxxxxxxxxx>
                 
                Posted: 16/09/2003 at 11:28 GMT
                Network administrators are fuming about changes made by
domain registrar Verisign to the DNS system yesterday that they say
violate longstanding Internet standards.
                Verisign yesterday added wildcard DNS records to all
.com and .net domains - redirecting surfers who get lost on the Net to
a search page, called Site Finder, run by the company. Those who type in
non-existent addresses will also be served up Site Finder
<http://sitefinder.verisign.com/>, instead of an error message.
                There's widespread concern the alterations will
frustrate commonly used anti-spam techniques. Mail packages often check
to see whether the domain an email is coming from is valid, but with the
changes all domains have suddenly become valid, frustrating the
technique.
                The radical, and largely unheralded, changes were made
yesterday and followed up by a post
<http://www.merit.edu/mail.archives/nanog/msg13603.html> by Verisign
to the NANOG mailing list. This did little beyond stating that Verisign
has added a "wildcard A record to the .com and .net zones" and pointing
users to a white paper
<http://www.verisign.com/resources/gd/sitefinder/implementation.pdf>
that Verisign has prepared.
                So, Verisign has turned domain name typos into an
advertising opportunity. Critics believe this is an abuse of Verisign's
role, via acquired company Network Solutions, in administering the .com
and .net registry DNS servers.
                And then there are the practical issues: sysadmins are
fuming at the knock-on effects of the changes.
                The concerns raised by Reg reader Pete Farrow, who
believes the move will lead to more spam, are typical.
                "This means that the basic 'sender domain does not
resolve' check in sendmail and many other mail server software is now
obsolete because any .net and .com now resolves. This will open the
internet up to more spam," said Farrow.
                "Perhaps mail servers should check to see if the sender
domain for a particular piece of email resolves to the IP above. If it
does, forward the email to Verisign," he adds.
                Ray Bellis, technical director of ISP Community
Internet, echoes these concerns.
                "This frustrates spam prevention techniques, where mail
servers verify that the *sender's* domain is legitimate before
accepting an email," Bellis said.
                "This breaks all sorts of things horribly," he added.
                Sys admins are still analysing the effects of the
changes and there's dispute among experts like Bellis about the effect
of the changes.
                Already a backlash is building, with Net admins being
urged to block Verisign's catch-all domain. This could all get very
messy.
                 
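The failure the Register piece and Farrow describe, and the fix Farrow hints at (compare the answer against Site Finder's address), as an added example. This is not code from Eric, Fred, or the article; it is a stand-alone Python sketch of a wildcard-aware "sender domain resolves" check. The resolver, the zone contents and the 192.0.2.x addresses are constructed for the example, and the catch-all address 64.94.110.11 is the one Site Finder was known to answer with at the time, not a value taken from this page, which is exactly why the code probes for it instead of trusting the constant:

```python
import secrets
from typing import Callable, Dict, Optional, Set

# A resolver maps a hostname to its A record (dotted quad), or None for NXDOMAIN.
Resolver = Callable[[str], Optional[str]]

# Constructed stand-in for the .com/.net zones after the wildcard was added.
# 192.0.2.x are TEST-NET-1 documentation addresses chosen for the example.
CONSTRUCTED_ZONE: Dict[str, str] = {
    "example.com": "192.0.2.10",
    "example.net": "192.0.2.20",
}
# Assumed catch-all address per TLD. 64.94.110.11 is the address Site Finder
# answered with historically; it is not stated on this page, so the check
# below discovers the address by probing rather than relying on this table.
WILDCARD_TLDS: Dict[str, str] = {
    "com": "64.94.110.11",
    "net": "64.94.110.11",
}


def stub_resolve(name: str) -> Optional[str]:
    """Offline resolver: known names answer normally, any other .com/.net
    name gets the wildcard address, everything else is NXDOMAIN (None)."""
    name = name.rstrip(".").lower()
    if name in CONSTRUCTED_ZONE:
        return CONSTRUCTED_ZONE[name]
    return WILDCARD_TLDS.get(name.rsplit(".", 1)[-1])


def tld_of(domain: str) -> str:
    """'mail.example.com' -> 'com'."""
    return domain.rstrip(".").lower().rsplit(".", 1)[-1]


def detect_wildcard(resolve: Resolver, tld: str, probes: int = 2) -> Set[str]:
    """Resolve random labels that are not registered names under `tld`.
    Any answer at all is the registry's catch-all address; a clean zone
    returns NXDOMAIN for every probe and the set comes back empty."""
    found: Set[str] = set()
    for _ in range(probes):
        addr = resolve(f"nx-{secrets.token_hex(12)}.{tld}")
        if addr is not None:
            found.add(addr)
    return found


def sender_domain_resolves(resolve: Resolver, domain: str,
                           wildcard_addrs: Set[str]) -> bool:
    """The classic 'sender domain resolves' check, made wildcard-aware:
    an answer equal to a catch-all address is treated as NXDOMAIN.
    With an empty wildcard set this is the naive check the article says
    the wildcard broke."""
    addr = resolve(domain)
    return addr is not None and addr not in wildcard_addrs


def check_sender(resolve: Resolver, domain: str,
                 cache: Optional[Dict[str, Set[str]]] = None) -> bool:
    """Probe the domain's TLD once (cached per TLD), then apply the check."""
    cache = {} if cache is None else cache
    tld = tld_of(domain)
    if tld not in cache:
        cache[tld] = detect_wildcard(resolve, tld)
    return sender_domain_resolves(resolve, domain, cache[tld])


if __name__ == "__main__":
    for d in ("example.com", "typo-of-example.com", "nosuchhost.org"):
        verdict = "accept" if check_sender(stub_resolve, d) else "reject"
        print(f"{d:>22}: {verdict}")
```

Probing a random label costs one extra query per TLD, so cache the result per TLD rather than per message, and re-probe on a timer: the registry can change the catch-all address, and a hardcoded constant would silently start accepting typo domains again. Fred's redirect (pointing sitefinder.verisign.com at your own page in local DNS) is a separate, client-facing countermeasure and is not modelled here.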