[AusNOG] DNS Devolution targeting the .com.au space - should we be worried?

Mark Andrews marka at isc.org
Thu Jun 1 15:54:59 EST 2017


In message <973FBD54AAA9674B9D262D36779FAAC6ABFAEE8D at MAIN.acs.intra>, Benjamin 
Ricardo writes:
>
> Hi All,
> Looking for thoughts on something that we uncovered today in the wild
> (heard about it years ago but never seen it) regarding internal company
> domains that are using public .com.au domain suffixes and whether there's
> something that should be done here.
>
> The issue is caused by Microsoft's Primary DNSSuffix Devolution and the
> potential for legitimate traffic to be redirected to the owner of the
> domain "com.com.au." if your machine has a domain name of
> "somehostname.somedomainname.com.au"
> It is possible in this situation for a non-qualified query to do the
> following:
>
> ibm.com.somehostname.somedomainname.com.au     (NXDOMAIN)
> ibm.com.somedomainname.com.au                  (NXDOMAIN)
> ibm.com.com.au                                 (NOERROR)
>
> You can see the vulnerability.
> The problem is now that it appears that the owner of the domain
> "com.com.au" has started to register A records for big name domains such
> as .ibm.com in the hope of catching non-fully qualified queries to these
> addresses.

Good on them.  RFC 1535 was published in 1993.  They shouldn't be
getting these garbage queries in 2017.

> I can only think that this is going to end badly for people.
> Is this the sort of thing that could be flagged as abuse?
>
> Appreciate any comments.
>
> Ben

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
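The devolution sequence Ben lists, as an added example that is not part of the thread: a simplified model (not Microsoft's resolver code) of how an unqualified name is expanded against a devolving primary DNS suffix, a check that flags the candidates which leave the organisation's own zone, and the two settings that stop it (devolution off, or the RFC 1535 rule that a dotted name is treated as absolute). Host and domain names are the ones from the post; `floor_labels` is an assumed devolution floor of two labels, which matches the example.

```python
def devolved_suffixes(primary_suffix: str, floor_labels: int = 2) -> list[str]:
    """Suffixes a devolving resolver appends, longest first.
    Strips the leftmost label until `floor_labels` remain,
    e.g. somedomainname.com.au -> [somedomainname.com.au, com.au]."""
    labels = primary_suffix.strip(".").lower().split(".")
    out = []
    while len(labels) >= floor_labels:
        out.append(".".join(labels))
        labels = labels[1:]
    return out


def candidate_queries(name: str, host_fqdn: str, devolve: bool = True,
                      rfc1535: bool = False) -> list[str]:
    """Names tried, in order, for an unqualified lookup of `name` from
    `host_fqdn` (simplified model of the behaviour described in the thread:
    host name first, then each devolved suffix, then the bare name)."""
    name = name.lower().rstrip(".")
    host_fqdn = host_fqdn.lower().rstrip(".")
    primary = host_fqdn.split(".", 1)[1]
    if rfc1535 and "." in name:
        return [name]  # dotted name is absolute: no suffix search at all
    suffixes = [host_fqdn] + (devolved_suffixes(primary) if devolve else [primary])
    return [f"{name}.{s}" for s in suffixes] + [name]


def leaked_candidates(candidates: list[str], org_suffix: str, name: str) -> list[str]:
    """Candidates that are neither under the organisation's own suffix nor
    the bare name: these are answered by whoever holds the parent zone
    (com.com.au in the thread), so they are what a defender wants flagged."""
    org_suffix = org_suffix.lower().strip(".")
    return [c for c in candidates
            if c != name.lower().rstrip(".") and not c.endswith("." + org_suffix)]


if __name__ == "__main__":
    host = "somehostname.somedomainname.com.au"
    for label, kw in (("default", {}), ("no devolution", {"devolve": False}),
                      ("rfc1535", {"rfc1535": True})):
        cands = candidate_queries("ibm.com", host, **kw)
        print(label, cands, "leaks:", leaked_candidates(cands, "somedomainname.com.au", "ibm.com"))
```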