[72687] in North American Network Operators' Group


Re: VeriSign's rapid DNS updates in .com/.net

daemon@ATHENA.MIT.EDU (Randy Bush)
Thu Jul 22 21:28:15 2004

From: Randy Bush <randy@psg.com>
Date: Thu, 22 Jul 2004 15:27:37 -1000
To: Richard Cox <richard@mandarin.com>
Cc: nanog@nanog.org
Errors-To: owner-nanog-outgoing@merit.edu


> The key here is not registration but change.  Currently, while spammers
> and other malfeasants have the ability to send out through compromised
> proxies and zombied PCs, there is little that can be done to identify
> them until they require a response, and then the return path provides
> some traceability via the IP addresses used, at least for nameservers.
> 
> One of the latest spammer exploits involves relying on compromised
> PCs for hosting of websites and DNS: which, coupled with the ability
> to update the root DNS in close-to-real-time, means that the entire
> hosting operation including nameservers can be based on compromised
> boxes, often with an encrypted/obfuscated link back to the real point
> of control, and that is significantly harder to track.  This becomes
> of rather greater significance if the hosting is for a phishing site.
> 
> The root DNS is controlled through the registrar, and what contact
> information is held by the registrars frequently turns out to be at
> best highly imaginative.

aside from your confusion between the root and second level domain
names, this is still fud.  all they need to do is register foo.bar
with delegation to their dns servers, and change a third level
domain name at will.

randy

