A threat group known as Muddling Meerkat, likely linked to China, has been conducting sophisticated domain name system (DNS) activities since October 2019. The group has the ability to control the Great Firewall and uses DNS open resolvers to send queries from Chinese IP space. Muddling Meerkat triggers DNS queries for mail exchange (MX) and other record types to domains not owned by them but under well-known top-level domains. Cloud security firm Infoblox has detected over 20 such domains. The group elicits a special kind of fake DNS MX record from the Great Firewall, indicating a relationship with the GFW operators. The exact motivation behind the activity is unclear, but it may be part of an internet mapping effort or research. The presence of false MX record responses from Chinese IP addresses is a remarkable feature of Muddling Meerkat. The full scope of the operation cannot be seen in any one location, raising concerns about undetected Chinese prepositioning operations. Muddling Meerkat's expertise in DNS and its ability to bypass the Great Firewall is concerning. The unexplained internet traffic, initially detected in October 2019, could be a form of reconnaissance that uses open resolvers and 'super-aged' domains to evade DNS block lists. The purpose of the traffic will require further research to determine. Infoblox collaborated with other organizations to uncover Muddling Meerkat's activities, but the operation remains a complete mystery. [e2b96b57] [41ac3cff] [c8cb81bc]
Infoblox Inc., a leader in cloud networking and security services, has discovered a DNS operation called Muddling Meerkat that has the ability to control China's Great Firewall. Muddling Meerkat conducts sophisticated DNS activities, likely propagated by Chinese state actors, to bypass traditional security measures and probe networks worldwide. The operation creates large volumes of widely distributed DNS queries that are propagated through the internet via open DNS resolvers. Infoblox Threat Intel, with its expertise in DNS, has blocked the domains used by Muddling Meerkat to ensure the safety of its customers. The operation, which has been operating covertly since at least October 2019, demonstrates a strong understanding of DNS and highlights the importance of having a DNS detection and response strategy in place. Infoblox Threat Intel also introduced a new feature called Zero Day DNS, which detects and blocks attacks launched from domains immediately used after registration. The full report on Muddling Meerkat can be found on Infoblox's website. [81f0d8a0]
A French court has ordered Google, Cloudflare, and Cisco to poison their DNS resolvers to prevent circumvention of blocking measures targeting around 117 pirate sports streaming domains. Canal+ has permission to deindex the sites from search engine results. Canal+ went to court in France in 2023 to tackle pirate sports streaming sites and ISPs were required to implement technical measures. In response, internet users changed their settings to use different DNS providers. Canal+ then demanded measures against public DNS providers. The Paris judicial court ordered Google, Cloudflare, and Cisco to implement measures similar to those in place at local ISPs to prevent French internet users from accessing pirate domains. Google attorney Sébastien Proust estimated that the number of users likely to be affected by DNS blocking at Google, Cloudflare, and Cisco amounts to 0.084% of the total population of French Internet users. The court rejected arguments against blocking, stating that Canal+ has the legal right to request a blocking injunction. Google intends to comply with the order. [2ab6f497]