On Thu, 16 Nov 2006, wayne wrote:

> In <[EMAIL PROTECTED]> Douglas Otis <[EMAIL PROTECTED]> writes:
>
> > Check paypal's existing SPF records...
> >
> > $ dig paypal.com TXT
> > ;; Truncated, retrying in TCP mode.
> >
> > ;; MSG SIZE  rcvd: 477
> >                ---
>
> Weird.  I get 413 bytes and no fallback to TCP.

The difference is due to the "additional section", which includes the IP addresses
of their NS servers. Paypal's DNS servers by default send all of them
even for non-NS queries. Depending on which DNS server you use, you may
not see it in the response, or your own DNS server may not resend it to you
and may just cache locally the IP address of the NS server it actually got
the answer from (but if you query multiple times it would learn):

--------------------------------------------------------------
dig @ns1.nix.paypal.com paypal.com txt

;; ADDITIONAL SECTION:
ns1.nix.paypal.com.     3600    IN      A       64.4.240.70
ns1.sc5.paypal.com.     3600    IN      A       64.4.244.70
ns2.nix.paypal.com.     3600    IN      A       64.4.240.71
ns2.sc5.paypal.com.     3600    IN      A       64.4.244.71

;; Query time: 14 msec
;; SERVER: 64.4.240.70#53(64.4.240.70)
;; WHEN: Thu Nov 16 00:41:41 2006
;; MSG SIZE  rcvd: 477
--------------------------------------------------------------

This is, BTW, related to another form of attack where somebody
would make a request and together with it send an unsolicited
response to a caching DNS server to increase the size of its response;
after that, send short queries (from spoofed addresses) and
long answers are sent and you get an amplification DoS [or change the
real answer to get the resolver "in trouble" and confused].

DNS is full of those little gadgets for use by bad guys - look
at the link by Fergie if you want to get more embarrassed ...

--
William Leibzon
Elan Networks
[EMAIL PROTECTED]
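As an added example that is not part of the thread, here is a small Python parser that measures how many bytes of a DNS response each section occupies, run over a constructed response modelled on the dig output quoted above (the TXT text is a placeholder, the NS names and addresses are the ones shown, and the glue owner names are assumed to compress to 2-byte pointers into the authority section). Under those assumptions the four A glue records account for 64 bytes, which is the gap between the 413-byte and 477-byte responses discussed above; a resolver operator can run the same function over captured responses to see how much of what they return is additional-section padding.

```python
import struct

def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at `off`."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:        # two-byte pointer ends the name
            return off + 2
        off += 1 + length

def section_sizes(msg):
    """Map each section of a DNS wire message to the bytes it occupies."""
    _id, _flags, qd, an, ns, ar = struct.unpack('!6H', msg[:12])
    off, sizes = 12, {'header': 12}
    for sect, count in (('question', qd), ('answer', an),
                        ('authority', ns), ('additional', ar)):
        start = off
        for _ in range(count):
            off = skip_name(msg, off)
            if sect == 'question':
                off += 4                   # QTYPE + QCLASS
            else:
                rdlen, = struct.unpack('!H', msg[off + 8:off + 10])
                off += 10 + rdlen          # TYPE, CLASS, TTL, RDLENGTH, RDATA
        sizes[sect] = off - start
    assert off == len(msg), 'trailing bytes after the last section'
    return sizes

# Constructed response modelled on the quoted dig output: one TXT answer, four
# NS records in authority and their four A glue records in additional.
def name(*labels):
    return b''.join(bytes([len(lab)]) + lab.encode() for lab in labels) + b'\x00'
def rr(owner, rtype, rdata):               # class IN, TTL 3600, 10-byte RR header
    return owner + struct.pack('!HHIH', rtype, 1, 3600, len(rdata)) + rdata

NS_HOSTS = [('ns1', 'nix', bytes([64, 4, 240, 70])), ('ns1', 'sc5', bytes([64, 4, 244, 70])),
            ('ns2', 'nix', bytes([64, 4, 240, 71])), ('ns2', 'sc5', bytes([64, 4, 244, 71]))]
ZONE = b'\xc0\x0c'                         # pointer to "paypal.com" at offset 12
question = name('paypal', 'com') + struct.pack('!HH', 16, 1)   # paypal.com TXT
answer = rr(ZONE, 16, b'\x0bv=spf1 -all')  # placeholder SPF text, not the real record
authority, additional = b'', b''
for host, site, ip in NS_HOSTS:
    rdata_off = 12 + len(question) + len(answer) + len(authority) + 12  # NS rdata offset
    authority += rr(ZONE, 2, name(host, site)[:-1] + ZONE)              # "ns1.nix" + ptr
    additional += rr(struct.pack('!H', 0xC000 | rdata_off), 1, ip)      # owner is a pointer
header = struct.pack('!6H', 0x1234, 0x8180, 1, 1, len(NS_HOSTS), len(NS_HOSTS))
RESPONSE = header + question + answer + authority + additional
QUERY_LEN = 12 + len(question)             # the 28-byte query that elicits it
```

Dividing `len(RESPONSE)` by `QUERY_LEN` gives the bytes returned per byte sent, the figure that matters for the amplification scenario described in the message.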
dnsop resources:_____________________________________________________
web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html
mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html
