Wednesday, May 20, 2015

Level 3 DNS Hijacking - 4.2.2.2 and others

I posted about Verizon's DNS servers and how some of them perform DNS hijacking for names that don't exist. While troubleshooting a problem today I found out to my surprise that Level 3's DNS servers do the same thing, one of which has some notoriety.

Level 3 DNS Servers:
4.2.2.1
4.2.2.2
4.2.2.3
4.2.2.4
4.2.2.5
4.2.2.6

The odd ones (.1, .3, .5) correctly reply with NXDOMAIN for FQDNs that don't exist. The even ones (.2, .4, .6) instead return two "SearchGuide" IPs in place of NXDOMAIN:
~]$ dig @4.2.2.2 domain-i-just-made-up.fake +short
198.105.244.11
198.105.254.11
Any host still configured to use one of these even-numbered Level 3 resolvers will make some interesting outgoing connections when it tries to reach internal hostnames that aren't resolvable in public DNS: the lookup that should have failed instead succeeds, and the host connects to one of the SearchGuide addresses. Hopefully this saves someone a few minutes when investigating unusual connections to 198.105.244.11 or 198.105.254.11.

1 comment:

  1. Very useful, very cool. Thanks! Also note that if your gateway uses dnsmasq, you can use the bogus-nxdomain option to restore NXDOMAIN responses to bad hostnames for devices on your network. I took it a step further and added a cron task to automatically email me if a hijack IP pops up: if [ "$(dig @192.168.1.1 domain-i-just-made-up.fake +short)" != "" ] ; then echo "DNS Hijack address detected $(dig @192.168.1.1 domain-i-just-made-up.fake +short)" | mail ME!@gmail.com ; fi
