[FPSPACE] domain poisoning

robot at esper.com robot at esper.com
Fri Sep 14 09:02:00 EDT 2007


Following up on yesterday's post from David Harland:

The problem with spaceflightnow.com appears to have been fixed. At
least, I could not replicate it.

The phrase I was looking for yesterday was "domain poisoning". This
is a problem which exists at the provider level, not with the
registrar nor the owner nor the host of a domain. Basically, certain
large providers -- usually cable companies in my limited experience
-- have misconfigured domain name servers, usually with MS'
Enterprise o/s installed with stupid defaults. The flaw allows bad
actors to pollute the lookup tables with bogus pointers. See for
example this discussion:
http://lists.oarci.net/pipermail/dns-operations/2006-December/001144.html

On June 14, the Central Florida Astronomy Society (www.cfas.org)
experienced this problem through some nogoodnik apparently exploiting
a security hole at Comcast. They were routing users to 64.74.223.198
which is a known nasty advertising site. If you Google this IP
address you will see lotsa other complaints from other organizations
like sports clubs, etc. Or Google the phrase "domain poisoning".
 
One way to fix the problem: 
an individual user (assuming Win XP) must:
- go to the Control Panel;
- click Network connections;
- change from automatic DNS lookup to lookup using
[205.152.37.23] (which should be a good lookup location for Comcast
users). Other users will have to call their providers to get that
suggested good IP address.


From: David M Harland <dave.harland at ntlworld.com>
>The excellent space news website
>http://www.spaceflightnow.com/
>seems to have been hijacked by a
>souvenir vendor...


Robert G Kennedy III, PE
www.ultimax.com

