Beefy Boxes and Bandwidth Generously Provided by pair Networks
Your skill will accomplish
what the force of many cannot
 
PerlMonks  

Verisign Hijack all possible .com .net domains and destroy Email::Valid, Net::DNS, gethostbyname() etc

by tachyon (Chancellor)
on Sep 30, 2003 at 05:49 UTC ( #295185=perlmeditation: print w/ replies, xml ) Need Help??

For some this is relatvely old news, as the change dates from 15th Sept 2003. In case you don't yet know (or sort of know but have not really considered what it means) - Have a look at this Installing Email::Valid or try this:

use Socket; for ( 0..100 ) { $domain = "i-am-a-domain-that-should-not-resolve-but-i-will-$_.com +"; $ip = inet_ntoa(inet_aton($domain)); print "$domain\t$ip\n"; } __DATA__ i-am-a-domain-that-should-not-resolve-but-i-will-0.com 64.94.110.11 i-am-a-domain-that-should-not-resolve-but-i-will-1.com 64.94.110.11 i-am-a-domain-that-should-not-resolve-but-i-will-2.com 64.94.110.11 i-am-a-domain-that-should-not-resolve-but-i-will-3.com 64.94.110.11 i-am-a-domain-that-should-not-resolve-but-i-will-4.com 64.94.110.11 i-am-a-domain-that-should-not-resolve-but-i-will-5.com 64.94.110.11 i-am-a-domain-that-should-not-resolve-but-i-will-6.com 64.94.110.11 i-am-a-domain-that-should-not-resolve-but-i-will-7.com 64.94.110.11 i-am-a-domain-that-should-not-resolve-but-i-will-8.com 64.94.110.11 i-am-a-domain-that-should-not-resolve-but-i-will-9.com 64.94.110.11 i-am-a-domain-that-should-not-resolve-but-i-will-10.com 64.94.110.1 +1

If you are trying to validate that a domain exists Verisign have now ensured that it will appear to exist at 64.94.110.11 (unless it really does exist) If this IP stays the same it is at least a fixable issue. If you are currently doing anthing that checks to see if a domain exists and splits logic if it does not it will now be totally broken. Just some to the code that will now not behave as expected:

  • Net::DNS (will always resolve a .com or .net domain)
  • Email::Vaild (all .com/.net domains are now valid, even if they are totally fake)
  • inet_aton()
  • gethostbyname()

There is a discussion of the ramifications here There are a number of DNS server patches already out http://lists.insecure.org/lists/bugtraq/2003/Sep/0276.html

Update thanks Moriarty

This only affects TLDs controlled by Verisign et al, but as that includes .com and .net we are not talking about a small problem.

cheers

tachyon

s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print

Comment on Verisign Hijack all possible .com .net domains and destroy Email::Valid, Net::DNS, gethostbyname() etc
Download Code
Re: Verisign Hijack all possible domains and destroy Email::Valid, Net::DNS, gethostbyname() etc
by Moriarty (Abbot) on Sep 30, 2003 at 05:56 UTC
    Alternatively, add a country id (eg .au). These are not controlled by verisign and nobody has hijacked them ... yet.
      Well, Verisign DOES manage .tv! Which IS a country based domain. But I figure that the government concerned did not want to play, or was a t least waiting to see what the reaction was.

      There were one or two other TLD's doing this earlier, but I noticed when the Verisign do-do hit the fan the others stopped pretty suddenly!

      jdtoronto

        To be fair, Tuvalu (the .tv country,) is leasing their ccTLD. I remembered reading about it when it happened.
        The good old CIA World Factbook mentions this item here.
Re: Verisign Hijack - Patches may be available
by Limbic~Region (Chancellor) on Sep 30, 2003 at 06:03 UTC
    tachyon,
    I thought I had seen this article posted here at the Monastery, but I could be wrong. It is an interview between O'Reilly Networks and Paul Vixie. chromatic is listed as the author. Currently there is something you might be able to do. Pressure your DNS provider to apply a patch and enable a feature if possible.

    Cheers - L~R

      Pressure your DNS provider to apply a patch and enable a feature if possible.

      That's a start, but it definately isn't a solution. Verisign does not own the .com and .net domains. Verisign needs to be reminded of its responsibilities and how easily they could be taken away. They should also have realized the plethora of legal problems this will create for them (think trademarks amoung others).

      Common sense would dictate that Verisign will remember (or be forcefully reminded of) its responsibilities and put this silly action behind them. Unfortunately common sense is in short supply these days.

      If you're truly interested in preventing these type of abuses in the future (and fixing this situation) I'd suggest getting involved immediately. Write your representatives (standard rules apply: be nice, coherent, and know what you're talking about) and take further steps as necessary.

        If you're truly interested in preventing these type of abuses in the future (and fixing this situation) I'd suggest getting involved immediately. Write your representatives (standard rules apply: be nice, coherent, and know what you're talking about) and take further steps as necessary.
        For the people who don't live in the States, do as I did, and sign the online petition.
        "Stop Verisign DNS Abuse"
        http://www.whois.sc/verisign-dns/

      Thanks for the link. For anyone who is patching their BIND servers details are here. You add this to named.conf (if what is shown on the patch page seems a little obique :-)

      zone "com" { type delegation-only; }; zone "net" { type delegation-only; };

      Happiness, all is back to normal :-)

      [root@devel3 root]# dig @localhost verisign-are-pirates.com ; <<>> DiG 9.2.3rc4 <<>> @localhost verisign-are-pirates.com ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 12600 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;verisign-are-pirates.com. IN A ;; Query time: 116 msec ;; SERVER: 127.0.0.1#53(localhost) ;; WHEN: Tue Sep 30 07:26:26 2003 ;; MSG SIZE rcvd: 42 [root@devel3 root]#

      cheers

      tachyon

      s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print

        (if what is shown on the patch page seems a little obique :-)

        The way this works is actually pretty simple. The DNS servers for .com and .net should only send to you NS records. NS records are like pointers to other DNS servers. This patch rejects everything except NS records when they come from the VeriSign servers. Now when they send to you an A record (which has the IP address inside it), it will ignore it and the patch will instead give you the "does not exist" response.

        This is a good way to work around the problem, because it will still work correctly even if VeriSign changes the IP address that they use.

        The Acme::DNS::Correct module does not work this way. It merely looks for the hardcoded IP address in the response and filters it out. It will not work if the IP address is ever changed. Well, it's only an Acme module, after all.

Re: Verisign Hijack all possible .com .net domains and destroy Email::Valid, Net::DNS, gethostbyname() etc
by hardburn (Abbot) on Sep 30, 2003 at 13:42 UTC

    Might I suggest Acme::DNS::Correct?

    ----
    I wanted to explore how Perl's closures can be manipulated, and ended up creating an object system by accident.
    -- Schemer

    Note: All code is untested, unless otherwise stated

      What's the world coming to, broken DNS and a useful Acme:: module! Whatever next ;-) I've patched all of our (6) DNS servers at the source but thanks for the link.

      cheers

      tachyon

      s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print

Re: Verisign Hijack all possible .com .net domains and destroy Email::Valid, Net::DNS, gethostbyname() etc
by cLive ;-) (Parson) on Oct 01, 2003 at 04:45 UTC
    <plug> my ISP patched Bind within 24hrs of the patch's release, stopping any of these problems from affecting me. If you're in LA, I thoroughly recommend them - very geek friendly. Brand X Internet</plug>

    cLive ;-)

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: perlmeditation [id://295185]
Approved by Zaxo
Front-paged by HyperZonk
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others surveying the Monastery: (8)
As of 2014-09-21 17:49 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    How do you remember the number of days in each month?











    Results (173 votes), past polls