The myfamily.com DNS Poisoning Problem Understood

Several people have observed a problem on their networks where various web sites, apparently at random, would be replaced by www.myfamily.com. The problem comes and goes without obvious cause, and affects different web sites at different times. I started encountering this problem a few days ago and tracked down the cause.

Something funny started happening with my web browser…

I clicked on a link to, say, www.imdb.com, and found myself looking at the home page for www.myfamily.com. My browser’s URL bar indicated http://www.imdb.com/ but the contents of the page were obviously not from that site. At first I wondered whether imdb had gone out of business and given up their domain name (hard to believe) or if someone had hijacked their domain name (unlikely but it has happened to other companies). Or had someone or something infected my browser, my computer, or my network infrastructure, taking control of what domains I would access? I had to understand the real cause.
I used nslookup to find the numeric IP address for www.imdb.com and it reported:

$ nslookup www.imdb.com.
Server:         209.157.144.2
Address:        209.157.144.2#53

Name:   www.imdb.com
Address: 66.43.25.130

I looked up this IP address in whois:

$ whois 66.43.25.130
[Querying whois.arin.net]
[whois.arin.net]

OrgName:    Myfamily.com, Inc.
OrgID:      MYFAMI-1
...

NetRange:   66.43.16.0 - 66.43.31.255
CIDR:       66.43.16.0/20
NetName:    MYFAMILY
...

Strange. The DNS (at least the DNS server on my network) is giving a bogus IP address when I look up this particular domain name. The bogus address seems to belong to a legitimate, and probably not malicious, organization. About this time, the problem disappeared (www.imdb.com started giving me the real imdb site) and I stopped investigating it for the moment.

A little while later, I typed in a URL to a different web site and got redirected to www.myfamily.com again. Actually, I didn’t even notice this at first, and stupidly typed in my username and password from the other site into myfamily.com’s login form! When I noticed what had happened, I started to realize the severe security implications of this problem. As far as I could tell, this was an unintentional misconfiguration or bug somewhere in the Internet’s DNS, but if someone started taking advantage of this error, they could presumably do a lot of harm. I started searching the web to see if anyone else had seen this problem. I found about 3 or 4 sites on the web that mentioned the exact same symptom, even including www.myfamily.com as the site being substituted.

Investigation

I observed that the immediate cause of the problem was that my local DNS server was returning the same bogus result about 10% of the time, apparently at random, for domains ending in .com. Once this bogus result gets into my DNS server for a given domain, it stays there for about 15 minutes and then gets deleted, allowing that domain to begin normal operation again. I could tell by dumping out the state of my DNS server’s cache that the bogus data had been placed there by the name server at [66.43.24.8]. But there shouldn’t be any reason that my name server would ask [66.43.24.8] for data about, e.g., www.imdb.com. It should be going to one of the .com TLD servers for that kind of data. Then I noticed a few more interesting facts:

The name server at [66.43.24.8] is configured in such a way that any address query sent to it always returns the same answer: 66.43.25.130 – the IP address of www.myfamily.com. That’s right, if you ask this name server what is the IP address for www.imdb.com or anything else, it will give you the myfamily.com web server’s address instead. And for any MX (mail exchanger) query sent to it, it always sends you to the mta.myfamily.com mail server.

My name server believed that [66.43.24.8] and [66.43.24.9] (a.k.a. mfns1.myfamily.NET and mfns2.myfamily.NET) were two of the .com TLD servers:

$ nslookup -type=ns com.
Server:         209.157.144.2
Address:        209.157.144.2#53

Non-authoritative answer:
com     nameserver = G.GTLD-SERVERS.NET.
com     nameserver = H.GTLD-SERVERS.NET.
com     nameserver = I.GTLD-SERVERS.NET.
com     nameserver = J.GTLD-SERVERS.NET.
com     nameserver = K.GTLD-SERVERS.NET.
com     nameserver = L.GTLD-SERVERS.NET.
com     nameserver = M.GTLD-SERVERS.NET.
com     nameserver = A.GTLD-SERVERS.NET.
com     nameserver = B.GTLD-SERVERS.NET.
com     nameserver = C.GTLD-SERVERS.NET.
com     nameserver = D.GTLD-SERVERS.NET.
com     nameserver = E.GTLD-SERVERS.NET.
com     nameserver = mfns2.myfamily.NET.
com     nameserver = mfns1.myfamily.NET.
com     nameserver = F.GTLD-SERVERS.NET.

That explained why it was (sometimes) going to the evil name servers [66.43.24.8] and [66.43.24.9] and asking them to resolve things. But how did these two servers manage to get themselves listed in such an important list in my name server? I had heard of DNS cache poisoning attacks, and I even suspected that the old version of the BIND software I’m running is probably vulnerable to them, but this really didn’t seem like any kind of intentional attack. Who would intentionally try to redirect my web browser to something as (apparently) innocuous as www.myfamily.com?

Restarting my name server would always fix the problem, but it would always recur within an hour or so. Using tcpdump, I started capturing and logging all packets going to or from my name server to try to isolate the event that poisoned the .com name server list. I eventually spotted it:

11:57:16.860000 myns.domain > 66.43.24.8.domain: 37457+ MX? calvin.bellahs.com. (36)
11:57:16.960000 66.43.24.8.domain > myns.domain: 37457* 1/2/3 MX mta.myfamily.com. 10 (165) (DF)
11:57:57.510000 myns.domain > 66.43.24.9.domain: 37461 A? www.mastergrip.com. (36)
11:57:57.610000 66.43.24.9.domain > myns.domain: 37461* 1/2/2 A myfamily.com (136) (DF)

Something asked my name server to find the mail exchanger for the domain calvin.bellahs.com, and my name server passed on this query to [66.43.24.8], which responded as it always does (“mta.myfamily.com”). (Incidentally, the “something” was my mail server trying to reject some spam that had been forged with a from address @calvin.bellahs.com.)
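The following is an added example, not code from the original post or from BIND: it simulates a recursive resolver caching the reply in the capture above, once with and once without the bailiwick check modern resolvers apply (only records whose owner name lies at or below the zone the queried server was asked about are accepted). It assumes that the two authority records in the “1/2/3” reply were “com. NS mfns1/mfns2.myfamily.net.” (the capture shows only section counts) and that the resolver reached 66.43.24.8 by following a delegation for bellahs.com; both are assumptions. The last function is the check from the article’s `nslookup -type=ns com.` output: it flags any .com name server that is not a gtld-servers.net host.

```python
# Constructed simulation of a resolver's cache-acceptance rule (not BIND's code).
# ASSUMPTION: the bogus "com. NS" records rode in the authority section of the
# MX reply for calvin.bellahs.com, and the resolver queried 66.43.24.8 for bellahs.com.

def in_bailiwick(owner: str, zone: str) -> bool:
    """True if owner is zone itself or a subdomain of zone (case-insensitive)."""
    owner = owner.lower().rstrip(".") + "."
    zone = zone.lower().rstrip(".") + "."
    return owner == zone or owner.endswith("." + zone)

def accept_response(cache, response, queried_zone, bailiwick_check=True):
    """Insert a reply's records into cache; returns the records that were rejected.
    Without the bailiwick check every record is cached, which is how a reply about
    bellahs.com can overwrite the resolver's idea of the .com name servers."""
    rejected = []
    for section in ("answer", "authority", "additional"):
        for owner, rtype, rdata in response[section]:
            if bailiwick_check and not in_bailiwick(owner, queried_zone):
                rejected.append((owner, rtype, rdata))
                continue
            cache.setdefault((owner.lower().rstrip("."), rtype), set()).add(rdata)
    return rejected

def com_nameservers(cache):
    return sorted(cache.get(("com", "NS"), set()))

# Constructed reply, modelled on the capture's 1 answer / 2 authority / 3 additional counts.
BOGUS_REPLY = {
    "answer": [("calvin.bellahs.com.", "MX", "10 mta.myfamily.com.")],
    "authority": [("com.", "NS", "mfns1.myfamily.net."), ("com.", "NS", "mfns2.myfamily.net.")],
    "additional": [("mta.myfamily.com.", "A", "66.43.25.130"),
                   ("mfns1.myfamily.net.", "A", "66.43.24.8"),
                   ("mfns2.myfamily.net.", "A", "66.43.24.9")],
}
GTLD = {f"{c}.gtld-servers.net." for c in "abcdefghijklm"}  # the 13 legitimate .com servers

def simulate(bailiwick_check):
    """Start from a clean .com NS set, feed in the bogus reply, report rogue .com servers."""
    cache = {("com", "NS"): set(GTLD)}
    rejected = accept_response(cache, BOGUS_REPLY, "bellahs.com", bailiwick_check)
    rogue = [ns for ns in com_nameservers(cache) if ns not in GTLD]
    return rogue, rejected

def rogue_com_nameservers(nslookup_output: str):
    """Flag non-gtld-servers.net entries in `nslookup -type=ns com.` output."""
    rogue = []
    for line in nslookup_output.splitlines():
        if "nameserver =" in line:
            ns = line.split("=", 1)[1].strip().lower()
            if not ns.endswith(".gtld-servers.net."):
                rogue.append(ns)
    return rogue
```

Running `simulate(False)` reproduces the poisoned state from the article (mfns1 and mfns2 appear among the .com servers), while `simulate(True)` keeps the .com NS set intact and rejects the out-of-zone authority and glue records.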