[afnog] [AfrICANN-discuss] Google blames DNS insecurity
for Web site defacements
SM
sm at resistor.net
Mon May 18 12:52:13 SAST 2009
At 02:55 18-05-2009, Dr Yassin Mshana wrote:
>Now we are talking at last....is is or is there not a security issue?
This is a security issue.
>There have been a number of calls for a detailed technical
>description of what happened. Can someone in the technical side of
>activities please spare some minutes to educate us the concerned
>non-technical-users?
When you register a domain, you also have to specify the nameservers
for it. These nameservers are queried (DNS) to find the IP address
of the web server where the domain is hosted. Someone gained access,
through a programming error, to the site where the nameservers for
these domains are specified. The person changed the names of the
nameservers to other name servers under his/her control. Once they
did that, they had control over the domain and they could point it to
a site they were running. If you visited the web site for the
domain, you would still see the name of the domain in the address bar
of your browser. But you will get a different web page.
Let's say that you registered a domain called example.com. The
nameservers for example.com are ns1.example.net and
ns2.example.net. The actual web site (www.example.com) is hosted on
a server at IP address 192.0.2.1. When you type
http://www.example.com/ in your browser, your computer will connect
to IP address 192.0.2.1 and display the web page.
I change the nameservers for example.com without your authorisation
and set them to my nameservers (ns1.example.org and
ns2.example.com). ns1.example.org and ns2.example.org return a
different IP address (192.0.2.202) when they are queried for the IP
address of the www.example.com. When you type
http://www.example.com/ in your browser, your computer will now
connect to IP address 192.0.2.202 and display the web page. As I am
running the server at IP address 192.0.2.202, I got you to visit a
different web site and you won't notice that it is not the web site
you intended to go to. I could get you to download a virus to your
computer or else capture your login credentials if you generally have
to provide a user name and password to access content on the web site.
Regards,
-sm
More information about the AfrICANN
mailing list