Even though it’s bad practice and insecure to use a fully qualified domain you don’t own as the internal Active Directory domain, some organizations have historically done so for convenience. Let’s say for example, an organization doesn’t own the domain name that’s the acronym of its full name followed by .com or .org because that domain was registered decades ago in the early days of the internet. However, it chooses to use it internally on its Windows network because it’s easy to remember and type and it’s not intended to be accessed externally.

However, networks are complex and their topology changes over time, so at some point some internal application or a computer taken outside the network could start making queries for that domain on the open internet, exposing information about the network. The organization could also accidentally expose an internal DNS resolver — a server that’s meant to resolve DNS for local clients — to the internet or will open a port in its router or firewall to direct DNS request to an internal resolver. This then becomes an “open resolver” on the internet and open resolvers are resources that attackers can abuse to launch DDoS attacks through techniques such as DNS reflection and amplification.

Normally MX record queries for a domain would be forwarded by a DNS resolver to the authoritative DNS server for that domain. If the domain doesn’t have an MX record, the response will be an NXDOMAIN (non-existent domain) error. Such should be the case for most of the queries sent by Muddling Meerkat because they are querying IP addresses on the internet for MX records for non-existing subdomains, probably with the intention of identifying open resolvers inside networks that would accept their requests.

Great Firewall of China DNS injection

What the Infoblox researchers observed is that the IP addresses making the queries were primarily Chinese and didn’t seem spoofed, making it more likely the group was using dedicated servers to perform the probing. Also, some of the chosen target domains had their authoritative name servers also hosted in China.

This means that the GFW was in the routing path for these requests and could therefore inject responses. Normally, GFW is known for injecting bogus DNS responses for domains and websites the government doesn’t want users to access and those responses will direct requests to a series of IP addresses probably controlled by the government.

Infoblox noticed similar GFW behavior for the MX queries initiated by Muddling Meerkat, where instead of NXDOMAIN errors, the responses included Chinese IP addresses that didn’t actually have port 53 open, so they weren’t DNS servers either. This was baffling because it is the first time when GFW spoofs MX responses and it appears to do so for non-existent and randomly generated subdomains that have no censorship value because many of the main targeted domains themselves are inactive and don’t serve any content.