DNS Cache Poisoning


ihelpyou
10-04-2006, 23:17/11:17PM
http://www.seoconsultants.com/tools/dns/cache/

then:

http://www.lurhq.com/cachepoisoning.html

This seems to becoming a big problem

srikanthsh
11-04-2006, 03:03/03:03AM
Solutions for DNS Servers on WIN Systems:
http://support.microsoft.com/default.aspx?scid=kb;en-us;241352

http://support.microsoft.com/kb/316786/

pageoneresults
11-04-2006, 11:57/11:57AM
Don't forget to read this one from LURHQ Security Systems too...

http://www.lurhq.com/ppc-hijack.html

Look at the screenshots, header responses, etc. and then read the last few paragraphs at the bottom of the page. Right above the graphic for the Affiliate PPC Hijacking Flowchart. Wow!

Dan0
11-04-2006, 19:15/07:15PM
Good idea. Post a link to the instructions.

pageoneresults
11-04-2006, 19:40/07:40PM
We're one step ahead of ya...

http://www.seoconsultants.com/tools/dns/administrators/

Dan0
11-04-2006, 19:58/07:58PM
Good, then it'll be a race between the mopes who read the "how to hijack PPC clicks" document you link to, and everyone on Earth running a DNS server.

pageoneresults
11-04-2006, 20:02/08:02PM
> Good, then it'll be a race between the mopes who read the "how to hijack PPC clicks" document you link to, and everyone on Earth running a DNS server.

I sure hope the DNS server administrators win the race on this one. I feel that the more public this becomes, the more instances we are going to find of this. Heck, from what I'm reading, it's been happening for years and many don't know it. :(

pageoneresults
13-04-2006, 00:17/12:17AM
We've expanded our coverage on this to now include a specific page devoted to PPC Hijacking...

http://www.seoconsultants.com/tools/dns/hijacking/

And, we also have a list of surveys. One of those surveys is performed monthly and shows a "poisoners" list. It's pretty eye opening...

http://www.seoconsultants.com/tools/dns/surveys/

ArmenT
14-04-2006, 11:41/11:41AM
That ppc-hijack lurhq link is pretty next to useless since all it shows is a number of redirects taking place. It does NOT show how the DNS cache was poisoned in the first place. By the way, cache poisoning is really old-hat. It has been known since 1990, and so has how to counter it. BIND only adopted those rules in 1997 though. It has been exploited for years, most famously in 1996, when one DNS registrar (AlterNIC) successfully exploited several name servers and set it up so that requests to their prominent competitor (InterNIC) would be sent to their own boxes.

Most of the stuff on your pages seems to be regurgitated stuff from other websites slightly rewritten and reformatted. It would be nicer to simply provide the links.

By the way, what I find a bit unethical is the fact that you're not pointing to the form on DNSreport.com's page. Instead you're providing a form on your page here (http://www.seoconsultants.com/tools/dns/) and trying to hide the fact that the tool in question is not yours and that the authors have their own form page (http://www.dnsreport.com/). Not only that, you're stealing their adwords traffic.

Incidentally, I have no problems with my DNS servers. I use dnscache (http://cr.yp.to/djbdns.html) for my DNS resolvers. Problem solved. Never had to update my software even once.

WebSavvy
14-04-2006, 12:08/12:08PM
Hi Armen, Thanks for that extra info! :)

I'll have to have our server tech look into using dnscache on our server too. :cheers:

Dan0
14-04-2006, 12:15/12:15PM
Armen,

Ed isn't exactly doing this stuff secretly, as you can see:
http://forums.dnsstuff.com/tool/post/dnsstuff/vpost?id=1047197

pageoneresults
14-04-2006, 12:24/12:24PM
> By the way, what I find a bit unethical is the fact that you're not pointing to the form on DNSreport.com's page. Instead you're providing a form on your page here (http://www.seoconsultants.com/tools/dns/) and trying to hide the fact that the tool in question is not yours and that the authors have their own form page. Not only that, you're stealing their adwords traffic.

ArmenT, if Scott at DNS Stuff had any issues with our setup which has been that way for years, I would hope he'd have said something already. We send quite a few referrers to his site.

> unethical

Them's fighten words!

> That ppc-hijack lurhq link is pretty next to useless since all it shows is a number of redirects taking place. It does NOT show how the DNS cache was poisoned in the first place.

Read the first section of that study from SANS, it will give you a description of how it was done.

http://isc.sans.org/presentations/dnspoisoning.php

ArmenT
14-04-2006, 12:31/12:31PM
Unethical != Illegal. I just think it would be the right thing to send the traffic to his form page. If you haven't noticed, he's put up his own adwords stuff on his form page. He doesn't have adwords in his result page. By putting up a form on your own page and sending the POST to his results page, you're depriving him of adwords traffic (while gaining some of your own, since your form page has its own ad links). Just because he didn't complain (yet) doesn't mean it isn't nice.

pageoneresults
14-04-2006, 12:45/12:45PM
Here's Part I of the links ArmenT. Does this make it easier for you?

http://www.webmasterworld.com/forum23/4488.htm
2006-03-13 - DNS Recursion - Open DNS Servers
Allowing DNS Recursion is like running an Open SMTP Relay. This is a WebmasterWorld Featured Home Page Discussion about DNS Recursion.

http://www.dnsstuff.com/info/opendns.htm
Fixing Open DNS Servers
These instructions show you how to completely disable recursion, this is best practice. However, if you need to run a DNS server that is both authoritative and recursive/caching, you will need to check the DNS server documentation to find out how to enable recursive lookups only for your local network.

http://www.us-cert.gov/reading_room/DNS-recursion121605.pdf
The Continuing Denial of Service Threat Posed by DNS Recursion
US-CERT (http://www.us-cert.gov/aboutus.html) has been alerted to an increase in distributed denial of service (DDoS) attacks using spoofed recursive DNS requests.

http://www.us-cert.gov/reading_room/DNS-recursion033006.pdf
2006-03-30 - v2.0 Update (.pdf)
US-CERT is encouraging wide dissemination of this paper and organizations that currently have DNS recursion enabled are encouraged to disable it if possible.
2006 News on DNS Recursion

http://www.commentwire.com/article_news.asp?guid=44F6BD06-8855-44AF-98A1-F319FF5895B9
2006-04-03 - US Takes Interest in DDoS Attacks
Senior levels of the US government are taking an interest in recent distributed denial-of-service attacks against the internet's domain name system, according to a person familiar with the situation.

http://www.icann.org/committees/security/dns-ddos-advisory-31mar06.pdf
2006-03-31 - DNS Amplification Attacks (.pdf)
In early February 2006, name servers hosting Top Level Domain zones were the repeated recipients of extraordinary heavy traffic loads. Analysis of traffic by TLD name server operators and security experts at large confirmed that DNS packets comprising the attack traffic exhibited characteristics associated with previously attempted DDoS attacks collectively known as amplification attacks.

http://www.niscc.gov.uk/niscc/docs/br-20060331-00256.html
2006-03-31 - DNS Recursion Attacks - v2.0 Update
US-CERT is encouraging wide dissemination of this paper and organizations that currently have DNS recursion enabled are encouraged to disable it if possible.

http://www.theregister.co.uk/2006/03/29/dns_ddos_attacks
2006-03-29 - DNS Hackers Target Domain Registrars
Network Solutions and Joker.com hit by DDoSsers. More to follow? Hackers have launched distributed denial of service attacks against the Domain Name System (DNS) servers of a brace of domain name registrars over recent days.

http://news.netcraft.com/archives/2006/03/26/domain_registrar_joker_hit_by_ddos.html
2006-03-26 - Domain Registrar Joker Hit By DDoS
Domain registrar Joker.com says its name servers are under attack, causing outages for customers. More than 550,000 domains are registered with Joker, which is based in Germany.

http://news.com.com/DNS+servers+do+hackers+dirty+work/2100-7349-6053468.html
2006-03-24 - DNS Servers Do Hackers Dirty Work
Cyber criminals are using DNS servers, the phonebooks of the Internet, to amplify their assaults and disrupt online business.

http://www.securiteam.com/securityreviews/5GP0L00I0W.html
2006-03-20 - SecuriTeam™ - DNS Amplification Attacks
This paper outlines a Distributed Denial of Service (DDoS) attack which abuses open recursive Domain Name System (DNS) name servers using spoofed UDP packets.

http://isotf.org/news/DNS-Amplification-Attacks.pdf
2006-03-17 - DNS Amplification Attacks (.pdf)
This paper outlines a Distributed Denial of Service (DDoS) attack which abuses open recursive Domain Name System (DNS) name servers using spoofed UDP packets. The risks involved with the recursive name server feature, as well as those of packet spoofing are well known, yet have been treated more as a theoretical issue.

http://news.zdnet.co.uk/internet/security/0,39020375,39257938,00.htm
2006-03-17 - DNS Recursion Leads to Nastier DoS Attacks
A new kind of denial-of-service (DoS) attack has emerged that delivers a heftier blow to organisations' systems than previously seen DoS threats, according to VeriSign's security chief.

http://news.yahoo.com/s/ap/20060316/ap_on_hi_te/internet_attack
2006-03-16 - Computer Researchers Warn of Net Attacks
This would be the Katrina of Internet storms, Silva said.

http://www.seoconsultants.com/tools/dns/recursion/
2006-03-13 - DNS Recursion - Open DNS Servers
On 2006 March 13, Monday, we posted a topic at WebmasterWorld concerning a threat that has been lying dormant for years and has now become a mainstream concern. It all has to do with your DNS servers and recursion.

http://forums.dnsstuff.com/tool/post/dnsstuff/vpost?id=961378
2006-03-04 - Open DNS Servers
All domains on our Linux server have Open DNS servers error. How can we solve this error?

http://forums.dnsstuff.com/tool/post/dnsstuff/vpost?id=953860
2006-02-28 - DNS Recursion - The New Open Relay Problem
Having a DNS server that allows recursion for the Internet is like running an open SMTP relay.

http://blogs.securiteam.com/index.php/archives/332
2006-02-28 - Recursive DNS Servers as a Growing DDoS Problem
The attack currently in the wild is a lot bigger and more complicated than this, but to begin, here is an explanation.

http://news.netcraft.com/archives/2006/02/10/payment_gateway_stormpay_battling_sustained_ddos_attack.html
2006-02-10 - Payment Gateway StormPay Battling Sustained DDoS Attack
Payment gateway StormPay is recovering from a distributed denial of service attack (DDoS) that has kept its web site offline for much of the past two days.

http://secunia.com/advisories/18690/
2006-02-02 - HP Tru64 UNIX BIND4/BIND8 DNS Cache Poisoning Vulnerability
The vulnerability is caused due to an error in DNS BIND4 and BIND8 when they are configured to be used as the target name server for DNS forwarders. This can be exploited in DNS cache poison attacks to e.g. redirect DNS clients to malicious or spoofed websites.

2005 News on DNS Recursion

http://news.com.com/Old+software+weakening+Nets+backbone,+survey+says/2100-7347_3-5913771.html
2005-10-25 - Old Software Weakening Net's Backbone
Many Domain Name System servers are wrongly configured or running out-of-date software, leaving them vulnerable to malicious attacks.

http://www.measurement-factory.com/press/20051024.html
2005-10-24 - 75-84% Provide Recursive Name Services
New survey reveals more than 75 percent of authoritative name servers have an increased vulnerability to DNS Pharming Attacks.

http://news.com.com/The+sorry+state+of+the+domain+name+game/2010-1038_3-5887937.html
2005-10-04 - The Sorry State of the Domain Name Game
What are companies doing to overcome this visible weakness? Not much. Most will continue to let problems linger and experience hours of unplanned downtime each year. About 230,000 name servers, or roughly 10 percent of those scanned, were susceptible to DNS Cache Poisoning.

http://www.circleid.com/posts/so_you_think_youre_safe_from_dns_cache_poisoning/
2005-08-17 - So You Think You're Safe from DNS Cache Poisoning?
However, this certainly isn't a problem limited to DNS software. And the problem is much bigger than the canonical BIND software.

http://news.com.com/DNS+servers--an+Internet+Achilles+heel/2100-7349_3-5816061.html
2005-08-03 - DNS Servers - An Internet Achilles' Heel
Hundreds of thousands of Internet servers are at risk of an attack that would redirect unknowing Web surfers from legitimate sites to malicious ones.

pageoneresults
14-04-2006, 12:56/12:56PM
> Unethical != Illegal. I just think it would be the right thing to send the traffic to his form page. If you haven't noticed, he's put up his own adwords stuff on his form page. He doesn't have adwords in his result page. By putting up a form on your own page and sending the POST to his results page, you're depriving him of adwords traffic (while gaining some of your own, since your form page has its own ad links). Just because he didn't complain (yet) doesn't mean it isn't nice.

ArmenT, based on your first reply, I'm not really going to jump in the mud with you here on this. If you feel there is a problem, contact Scott at DNS Stuff. Have him look at our implementation and see if he has any problems with it. If he does, we'll be happy to change things around. If not, then don't worry about it and find someone else's site who is deserving of your unwarranted bullshit comments.

pageoneresults
14-04-2006, 13:11/01:11PM
Here ya go ArmenT, does this make it easier for you to copy or do whatever it is you need to do?

http://news.com.com/DNS+servers--an+Internet+Achilles+heel/2100-7349_3-5816061.html
CNET News.com - DNS Servers - An Internet Achilles' Heel
"There are about 9 million DNS servers on the Internet, Kaminsky said. Using a high bandwidth connection provided by Prolexic Technologies, he examined 2.5 million. Of those, 230,000 were identified as potentially vulnerable, 60,000 are very likely to be open to this specific type of attack, and 13,000 have a cache that can definitely be poisoned."

http://usergram.com/dns/poison.htm
usergram.com - Information on DNS Cache Poisoning
"The goal of DNS cache poisoning is to misdirect requests for DNS records to rogue DNS servers. The effect of DNS cache poisoning is to bypass the authoritative DNS name servers for a DNS zone."

http://dns.measurement-factory.com/surveys/poisoners.html
The Measurement Factory currently performs monthly surveys scanning for DNS Servers that are poisoned.

http://isc.sans.org/presentations/dnspoisoning.php
DNS Cache Poisoning

http://www.lurhq.com/cachepoisoning.html
DNS Cache Poisoning - The Next Generation

http://www.lurhq.com/ppc-hijack.html
Pay-Per-Click Hijacking

http://secunia.com/advisories/18690/
2006-02-02 - Secunia Advisories
HP Tru64 UNIX BIND4/BIND8 DNS Cache Poisoning Vulnerability

http://support.microsoft.com/default.aspx?scid=kb;en-us;241352
How to Prevent DNS Cache Pollution
"DNS cache pollution can occur if Domain Name System (DNS) "spoofing" has been encountered. The term "spoofing" describes the sending of non-secure data in response to a DNS query. It can be used to redirect queries to a rogue DNS server and can be malicious in nature."

http://support.microsoft.com/kb/316786/
Description of the DNS Server Secure Cache Against Pollution Setting
"After you enable this setting, the DNS server ignores DNS resource records that come from servers that are not authoritative for them. Although it can cause extra DNS queries, the security benefits far outweigh the cost of the extra queries, so enabling DNS cache pollution protection is highly recommended."

https://www.watchfire.com/securearea/whitepapers.aspx
HTTP Request Smuggling

http://httpd.apache.org/docs/2.2/caching.html
Apache HTTP Server Caching Guide - Cache Poisoning

http://dns.measurement-factory.com/surveys/openresolvers.html
Open Resolvers
An ongoing survey that searches for open DNS resolvers.

http://dns.measurement-factory.com/surveys/poisoners.html
http://dns.measurement-factory.com/writings/poisoning-nanog36.pdf
Cache Poisoners
An ongoing survey that searches for DNS cache poisoners.

http://dns.measurement-factory.com/surveys/200504.html
The Measurement Factory probed 5% of routed IPv4 space, or 70 million addresses, looking for nameservers. For those that replied, we also tried to determine their software and version.

http://dns.measurement-factory.com/surveys/200506.html
Zone Statistics
The Measurement Factory surveyed 1,000,000+ zones and their authoritative nameservers looking for zones and nameservers that:
- Advertise their software version
- Allow recursion
- Allow zone transfers
- Exist on the same subnet
- Have delegations which differ from authoritative NS records
- Have lame delegations
- Have questionable SOA values
- Have mismatched serial numbers

The Measurement Factory offers the following tools for analyzing DNS traffic:

http://dns.measurement-factory.com/tools/dnstop/
Dnstop
A curses-based application that displays various tables of DNS statistics.

http://dns.measurement-factory.com/tools/dsc/
DSC - DNS Statistics Collector
The Measurement Factory's DNS Statistics Collector is designed to collect and aggregate statistics from busy authoritative servers, such as those used by TLD and root server operators.

http://dns.measurement-factory.com/cgi-bin/openresolvercheck.pl/
Open Resolver Test
The Measurement Factory's Open Resolver Test is an online tool that tests for the presence of open DNS resolvers.

http://dns.measurement-factory.com/tools/third-party-validation-tools/
Third Party Validation Tools
The Measurement Factory's links to tools developed by others that may be helpful in tracking down DNS configuration problems.
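The bailiwick rule behind the Microsoft "Secure Cache Against Pollution" setting quoted above (ignore records from servers that are not authoritative for them), as an added example that is not code from the thread, from Microsoft or from BIND; the zone, the names and the addresses are constructed sample data.

```python
"""Bailiwick filtering of a DNS response, as a resolver cache would apply it.

A resolver that asked a server authoritative for example.com about
www.example.com must not let that response write records for some other
domain (e.g. www.bank.test) into its cache. The records below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str    # owner name
    rtype: str   # record type, e.g. "A" or "NS"
    rdata: str   # record data


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is `zone` or a subdomain of it.

    Case-insensitive; trailing dots ignored. 'notexample.com' is NOT under
    'example.com', so the comparison is on whole labels, not a suffix match.
    """
    n = name.lower().rstrip(".")
    z = zone.lower().rstrip(".")
    return n == z or n.endswith("." + z)


def apply_response(cache: dict, zone: str, records, secure: bool) -> list:
    """Merge a response from a server authoritative for `zone` into `cache`.

    `cache` maps (name, type) to rdata. With secure=True, out-of-bailiwick
    records are dropped and returned; with secure=False everything is cached,
    which is the behaviour the KB article warns leads to cache pollution.
    """
    dropped = []
    for rr in records:
        if secure and not in_bailiwick(rr.name, zone):
            dropped.append(rr)
            continue
        cache[(rr.name.lower().rstrip("."), rr.rtype)] = rr.rdata
    return dropped


# Constructed response to "www.example.com A" from ns1.example.com. The first
# three records are legitimate (answer, authority, in-bailiwick glue); the last
# two try to plant records for an unrelated domain via the additional section.
SAMPLE_RESPONSE = [
    RR("www.example.com.", "A", "192.0.2.10"),
    RR("example.com.", "NS", "ns1.example.com."),
    RR("ns1.example.com.", "A", "192.0.2.1"),
    RR("bank.test.", "NS", "ns1.example.com."),
    RR("www.bank.test.", "A", "198.51.100.66"),
]


def demo(secure: bool) -> dict:
    """Start with a correct cached entry for www.bank.test and apply the response."""
    cache = {("www.bank.test", "A"): "203.0.113.10"}
    apply_response(cache, "example.com", SAMPLE_RESPONSE, secure)
    return cache


if __name__ == "__main__":
    print("secure:  ", demo(True)[("www.bank.test", "A")])   # original entry survives
    print("insecure:", demo(False)[("www.bank.test", "A")])  # overwritten by the response
```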

pageoneresults
14-04-2006, 13:20/01:20PM
> Most of the stuff on your pages seems to be regurgitated stuff from other websites slightly rewritten and reformatted. It would be nicer to simply provide the links.

No, all of that stuff is hours upon hours upon hours of research. We then summarize and put into a logical order for our visitors. In the process, we give due credit to all resources. Isn't that what building content is all about?

And, by the way, everyone is welcome to copy all the links and post them on their sites. We'd like to see this out there as much as possible so the DNS Server Administrators of this world can plug that big gaping hole that is there.

> 2005 August - There are about 9 million DNS servers on the Internet, Kaminsky said. Using a high bandwidth connection provided by Prolexic Technologies, he examined 2.5 million. Of those, 230,000 were identified as potentially vulnerable, 60,000 are very likely to be open to this specific type of attack, and 13,000 have a cache that can definitely be poisoned.

And, even though this has been around for years, the exploits are occurring again and they are much more technically advanced than they were previously. Read the freakin research first before you decide to jump on your bandwagon.

WebSavvy
14-04-2006, 13:26/01:26PM
Would you boys take the bickering to a private medium (e.g., PM or e-mail)?

Thanks.