DNS fuckery: investigation leads to a pair of servers in China
The situation came to my attention on April 30 and nothing has changed since. Random IP addresses for 8kun have been infecting DNS servers worldwide. It does not appear, at this point, that there is a "trap" waiting to be sprung. I finally decided to write a bot to poll the DNS servers in an effort to gather information which might lead to some theory of what is going on besides "black hats hacking the Internet".
I tested nearly 300 DNS servers and what I found was a huge discrepancy where some servers are badly poisoned at a rate as high as 30% and other servers at a rate of just 5% or less. It seems to be always the same servers affected at about the same rate. The problem is not worse by region or service provider so that seems to rule out the possibility that it is a targeted attack. What could be going on? I decided to learn more about how DNS works and find some way to trace the DNS lookups across the Internet to find out if there could be a specific server in the chain that might be at fault.
DNS works in a hierarchical fashion. There are 13 root servers which are the first step to resolving Top Level Domains (TLD) like "com" or "top". The root server returns a list of TLD servers which will either deliver the final result or a list of "authoritative" servers which must be queried next. Generally, you don't expect a final result from a TLD server and that would be a red flag if it happens. The next step, querying the authoritative server, is usually the final step which leads to one or more IP addresses as the answer to the original question. In the case of "8kun.top", the authoritative servers are "ns1.vanwanet.com" and "ns2.vanwanet.com". I tested these servers and found no instance of a bad IP address.
The TLD servers for the "top" domain are these:
a.zdnscloud.com (203.99.24.1), b.zdnscloud.com (203.99.25.1), c.zdnscloud.com (203.99.26.1), d.zdnscloud.com (203.99.27.1),
f.zdnscloud.com (114.67.16.204), g.zdnscloud.com (42.62.2.16), i.zdnscloud.com (IPv6 address), j.zdnscloud.com (IPv6 address)
Go here to perform the DNS trace: https://simpledns.plus/lookup-dg
Run the DNS trace a few times (just reload the page) until you see a message like this:
Received response:
''-Answer: A-record for 8kun.top = 199.96.58.177''
*** Lame response - not authoritative and no referral
This happens ONLY with "f.zdnscloud.com" and "g.zdnscloud.com". These two servers are "ground zero" for the DNS fuckery.
Continued next post…