[Pdns-users] pdns_recursors trusts addtional section where it better shouldn't

Thomas Mieslinger miesi at india.com
Fri Feb 17 13:29:22 UTC 2017

Hello Peter,

On 17.02.17 14:17, Peter van Dijk wrote:
> Hello Thomas,
> On 17 Feb 2017, at 14:15, Thomas Mieslinger wrote:
>> On 17.02.17 13:56, Brian Candler wrote:
>>> On 17/02/2017 12:53, Thomas Mieslinger wrote:
>>>> With crafted glue in the tld zone and mailrelays using pdns_recursor
>>>> you could redirect mail traffic.
>>> If you have the ability to craft glue in the tld zone, surely you could
>>> also just change the delegation outright??
>> No, the idea is to create a new domain with malicious glue and then
>> send emails over the MXes to infiltrate. The MXes will do lookups,
>> which trigger the pdns_recursor cache poisoning.
> You are confused. This is impossible.

Based on what I have seen in the past days the following happens:

I clear the old mx0..5.ovh.net A records from recursor caches, a 
customer sends an email to bureauxdeventepro.com, the 213.186.33.XX ips 
get the new default answer for mxX.ovh.net.

Call me confused, but it happened every day this week.

>> My employers customers called in because they couldn't send emails to
>> ovh MXes. If the broken domains would have been malicious and glue ips
>> with port 25 open, the MXes would have delivered the emails to them.
> It would be very dumb of OVH to put malicious hosts in there. Why would
> they do such a thing?
>> So do registries accept something like "mx00.t-online.de A
>>" as hostobject for a NS of a domain?
> No.
>> In the case of .com/.net I have the feeling they accept all kind of
>> bullshit (see first mail of this thread)
> No, they don’t. Only ovh.net can make hosts under ovh.net.

Not really. At least another registrar can reuse host objects.

Cleared earlier this week:

dig asie4all.com. @

; <<>> DiG 9.10.4-P5 <<>> asie4all.com. @
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4893
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available

; EDNS: version: 0, flags:; udp: 4096
;asie4all.com.			IN	A

asie4all.com.		172800	IN	NS	mx1.ovh.net.
asie4all.com.		172800	IN	NS	mx2.ovh.net.

mx1.ovh.net.		172800	IN	A
mx2.ovh.net.		172800	IN	A

;; Query time: 9 msec
;; WHEN: Wed Feb 15 09:42:50 CET 2017
;; MSG SIZE  rcvd: 116
whois asie4all.com

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

    Domain Name: ASIE4ALL.COM
    Registrar: 1&1 INTERNET SE
    Sponsoring Registrar IANA ID: 83
    Whois Server: whois.1and1.com
    Referral URL: http://registrar.1and1.info
    Name Server: MX1.OVH.NET
    Name Server: MX2.OVH.NET
    Status: clientTransferProhibited 
    Updated Date: 02-feb-2017
    Creation Date: 29-jan-2017
    Expiration Date: 29-jan-2018

 >>> Last update of whois database: Wed, 15 Feb 2017 08:48:18 GMT <<<

More information about the Pdns-users mailing list