As I pointed out on outages, it's not just AT&T's recursive DNS servers, it's others as well.
This link queries 15 DNS servers and shows at least three DNS servers that point to the "incorrect" A record of 208.91.197.132:
http://www.mob.net/~ted/tools/dns.php3?domain=www.ben.edu

And ben.edu's servers are supposed to point to ns[12].bobbroadband.com, and there are some DNS servers out there, too, that have incorrect A records for those two NSes:
http://www.mob.net/~ted/tools/dns.php3?domain=ns1.bobbroadband.com
http://www.mob.net/~ted/tools/dns.php3?domain=ns2.bobbroadband.com

Frank

=============
Checking 15 U.S. NameServers...
Looking Up: www.ben.edu

Domain Server                    Time To Live    IP Address
google-public-dns-a.google.com   42153           38.100.120.100
resolver.qwest.net               933             38.100.120.100
vnsc-bak.sys.gtei.net            84227           38.100.120.100
ns-1.iastate.edu                 83993           38.100.120.100
dns1.mci.com                     300             208.91.197.132
ns1.us.prserv.net                300             208.91.197.132
ns2.mindspring.com               86400           38.100.120.100
dns1.rcsntx.sbcglobal.net        86400           38.100.120.100
aslan.adns.net                   83993           38.100.120.100
resolver1.opendns.com            83994           38.100.120.100
ns2.bbspot.com                   300             208.91.197.132
ns1.super-dns.com                83993           38.100.120.100
ns1.sprintlink.net               83994           38.100.120.100
cache01.ns.uu.net                86400           38.100.120.100
cachens1.mcleodusa.net           84229           38.100.120.100
==============

-----Original Message-----
From: dns-operations-boun...@lists.dns-oarc.net [mailto:dns-operations-boun...@lists.dns-oarc.net] On Behalf Of Tim Huffman
Sent: Friday, October 26, 2012 10:37 PM
To: dns-operations@lists.dns-oarc.net
Subject: [dns-operations] AT&T DNS Cache Poisoning?

We are the primary DNS servers for the ben.edu domain. We seem to be having an issue with an AT&T server that is responding with incorrect A records for www.ben.edu and ben.edu.

What the response SHOULD be:

nslookup www.ben.edu
Server:         63.250.224.66
Address:        63.250.224.66#53

www.ben.edu     canonical name = ben.edu.
Name:   ben.edu
Address: 38.100.120.100

What 12.127.17.83 is responding with:

> www.ben.edu
Server:  tbru.br.rs.els-gms.att.net
Address:  12.127.17.83

Non-authoritative answer:
Name:    www.ben.edu
Address:  208.91.197.132

This appears to be affecting only iPhones and iPads on the AT&T network. Is anybody else having problems with this? Are there any AT&T people on this list that can help?

------------------------------------------------------
Below is some more info from the very helpful David Conrad, and more of the email trail on the Outages.org mailing list:

From: David Conrad [mailto:d...@virtualized.org]
Sent: Friday, October 26, 2012 9:53 PM
To: Tim Huffman
Cc: outa...@outages.org
Subject: Re: [outages] AT&T DNS problems?

Hi,

So I tried in 3 different places:

Comcast residential service near San Jose, CA: 38.100.120.100
Multi-homed colo facility near Dallas, TX: 38.100.120.100
Multi-homed colo facility near London, UK: 208.91.197.32

Doing a bit of digging on the latter:

% dig +short @12.127.17.83 www.ben.edu ns
ns1432.ztomy.com.
ns2432.ztomy.com.

% whois -h whois.crsnic.net ztomy.com
Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered with many different competing registrars. Go to http://www.internic.net for detailed information.

   Domain Name: ZTOMY.COM
   Registrar: PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM
   Whois Server: whois.PublicDomainRegistry.com
   Referral URL: http://www.PublicDomainRegistry.com
   Name Server: USC4.AKAM.NET
   Name Server: USC5.AKAM.NET
   Status: ok
   Updated Date: 23-apr-2012
   Creation Date: 22-nov-2007
   Expiration Date: 22-nov-2014
[...]

% whois -h whois.publicdomainregistry.com ztomy.com
Domain Name: ZTOMY.COM
Registrant:
   PrivacyProtect.org
   Domain Admin (cont...@privacyprotect.org)
   ID#10760, PO Box 16
   Note - All Postal Mails Rejected, visit Privacyprotect.org
   Nobby Beach
   null,QLD 4218
   AU
   Tel. +45.36946676
Creation Date: 22-Nov-2007
Expiration Date: 22-Nov-2014
[...]

Doing a google search on ztomy.com suggests that they provide malware/spyware/etc.

Looking at the address being returned (208.91.197.132):

% whois -h whois.arin.net 208.91.197.132
[...]
NetRange:       208.91.196.0 - 208.91.199.255
CIDR:           208.91.196.0/22
OriginAS:       AS40034
NetName:        CONFLUENCE-NETWORK-INC
NetHandle:      NET-208-91-196-0-1
Parent:         NET-208-0-0-0-0
NetType:        Direct Allocation
RegDate:        2011-04-15
Updated:        2012-03-02
Ref:            http://whois.arin.net/rest/net/NET-208-91-196-0-1

OrgName:        Confluence Networks Inc
OrgId:          CN
Address:        3rd Floor, Omar Hodge Building, Wickhams
Address:        Cay I, P.O. Box 362
City:           Road Town
StateProv:      Tortola
PostalCode:     VG1110
Country:        VG
RegDate:        2011-04-07
Updated:        2011-07-05
Ref:            http://whois.arin.net/rest/org/CN
[...]

Doing a google search on confluence networks suggests that they host a lot of bad stuff (e.g., 'high yield investment programs' which appear to be yet another form of Ponzi scheme).

I did see some suggestions of ztomy.com engaging in DNS cache poisoning, but no proof.

Given the inconsistent answers from the AT&T name server, one possibility is that AT&T's resolvers are under a Kaminsky-style DNS cache poisoning attack. You might want to drop a note to the DNS-OARC (https://www.dns-oarc.net) dns-operations list -- I think there are probably some folks there from AT&T.
Regards,
-drc

On Oct 26, 2012, at 6:26 PM, Tim Huffman <t...@bobbroadband.com> wrote:

Yeah, it appears to be some kind of placeholder site, like what Network Solutions uses. What's strange is that the AT&T server appears to be handing out alternating responses:

# dig @12.127.17.83 www.ben.edu

; <<>> DiG 9.5.1-P2 <<>> @12.127.17.83 www.ben.edu
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35102
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.ben.edu.                   IN      A

;; ANSWER SECTION:
www.ben.edu.            148     IN      A       208.91.197.132

;; Query time: 2 msec
;; SERVER: 12.127.17.83#53(12.127.17.83)
;; WHEN: Fri Oct 26 20:22:18 2012
;; MSG SIZE  rcvd: 45

[root@venus ~]# dig @12.127.17.83 www.ben.edu

; <<>> DiG 9.5.1-P2 <<>> @12.127.17.83 www.ben.edu
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38198
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.ben.edu.                   IN      A

;; ANSWER SECTION:
www.ben.edu.            3427    IN      CNAME   ben.edu.
ben.edu.                3427    IN      A       38.100.120.100

;; Query time: 2 msec
;; SERVER: 12.127.17.83#53(12.127.17.83)
;; WHEN: Fri Oct 26 20:22:23 2012
;; MSG SIZE  rcvd: 59

[root@venus ~]# dig @12.127.17.83 www.ben.edu

; <<>> DiG 9.5.1-P2 <<>> @12.127.17.83 www.ben.edu
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21252
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.ben.edu.                   IN      A

;; ANSWER SECTION:
www.ben.edu.            142     IN      A       208.91.197.132

;; Query time: 1 msec
;; SERVER: 12.127.17.83#53(12.127.17.83)
;; WHEN: Fri Oct 26 20:22:24 2012
;; MSG SIZE  rcvd: 45

[root@venus ~]# dig @12.127.17.83 www.ben.edu

; <<>> DiG 9.5.1-P2 <<>> @12.127.17.83 www.ben.edu
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59907
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.ben.edu.                   IN      A

;; ANSWER SECTION:
www.ben.edu.            3425    IN      CNAME   ben.edu.
ben.edu.                3425    IN      A       38.100.120.100

;; Query time: 2 msec
;; SERVER: 12.127.17.83#53(12.127.17.83)
;; WHEN: Fri Oct 26 20:22:25 2012
;; MSG SIZE  rcvd: 59

Tim Huffman
Director of Engineering
Business Only Broadband
777 Oakmont Lane, Suite 2000, Westmont, IL 60559
Direct: 630.590.6012 | Main: 630.590.6000 | Fax: 630.986.2496
thuff...@bobbroadband.com | http://www.bobbroadband.com/
Cell: 630.340.1925 | Toll-Free Customer Support: 877.262.4553

From: outages-boun...@outages.org [mailto:outages-boun...@outages.org] On Behalf Of Mike Phipps
Sent: Friday, October 26, 2012 8:17 PM
To: outa...@outages.org
Subject: Re: [outages] AT&T DNS problems?

208.91.197.132 doesn't have a PTR record associated with it, but a Whois query shows that it's owned by Confluence Networks. However, check out what happens when you go to that IP address:

$ nc -v 208.91.197.132 80
Connection to 208.91.197.132 80 port [tcp/http] succeeded!
GET / HTTP/1.1
Host: ben.edu

HTTP/1.1 200 OK
Date: Sat, 27 Oct 2012 01:14:43 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.3.16
Vary: Accept-Encoding,User-Agent
Content-Length: 712
Content-Type: text/html; charset=UTF-8

<frameset rows="100%,*" frameborder="no" border="0" framespacing="0">
<frame src="http://ben.edu/?fp=Jg2bOCRGpmyIHeO3rTIpYJil8%2FmPB1JibWwClQntyhm4NkwKKuCk1tgtON7LOnmXFywl8MRjELrKlXFXgOfhOw%3D%3D&prvtof=lJY3O5r6C%2F4Iypq21CJp7a1LuqqIdOWvKdwx5Xsl1x8%3D&poru=S87wfqjj4W%2B%2Fm8dSEqpuWZr20KvK367%2BCoGC%2FHW2e9kL6N%2Fl3h3wnDx5AfKbrhlZ&">
</frameset>
<noframes>
<body bgcolor="#ffffff" text="#000000">
<a href="http://ben.edu/?fp=Jg2bOCRGpmyIHeO3rTIpYJil8%2FmPB1JibWwClQntyhm4NkwKKuCk1tgtON7LOnmXFywl8MRjELrKlXFXgOfhOw%3D%3D&prvtof=HFakvtiyy0kNqKrmL%2FCjJLePEMwdGWTZLZa5%2BZpNnP4%3D&poru=9vrhUGVKGCquHB6uFFMUXFNxz1c%2FgIaDOeCSvkLz5HCrH2FI%2Fixpxvr8LwjYT7uO&">Click here to proceed</a>.
</body>
</noframes>

I didn't look beyond that, but it already looks fishy. Note that I used ben.edu in the hostname on that manual GET request. When I tried it with just the IP address, it said to go to searchremagnified.com.

Mike Phipps
Media Genesis, Inc.
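Added example, not code from any message in this thread: a small standard-library Python script that does by hand what the dns.php3 tool and the repeated `dig @12.127.17.83 www.ben.edu` runs above do. It builds an A query, sends it to each recursive resolver given, parses the answer section (including compression pointers) and reports every resolver whose A records differ from the authoritative answer; running it several times against one resolver shows whether that resolver alternates between answers the way 12.127.17.83 did. The resolver addresses in the usage line and the two constructed replies in the self-check (modelled on the dig output above, with the thread's IPs and TTLs) are sample data, not captures.

```python
"""Cross-resolver answer check (added example; not code from the thread).

Builds an A query by hand, sends it to each resolver given, parses the
answer section and reports every resolver whose A records differ from the
authoritative answer. build_response() exists only so the parser can be
exercised offline on constructed packets.
"""
import random
import socket
import struct


def encode_name(name):
    """Wire-format name: one length byte per label, zero byte terminator."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(name, txid, qtype=1):
    # id, flags (RD=1), QDCOUNT=1, AN/NS/AR=0, then one IN question.
    hdr = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return hdr + encode_name(name) + struct.pack(">HH", qtype, 1)


def build_response(txid, qname, rrs):
    """Constructed reply for offline testing only. rrs: (owner, 'A'|'CNAME',
    ttl, rdata). An owner equal to qname is written as a compression pointer
    to the question name at offset 12, as real resolvers do."""
    pkt = struct.pack(">HHHHHH", txid, 0x8180, 1, len(rrs), 0, 0)
    pkt += encode_name(qname) + struct.pack(">HH", 1, 1)
    for owner, rtype, ttl, rdata in rrs:
        same = owner.rstrip(".") == qname.rstrip(".")
        owner_b = b"\xc0\x0c" if same else encode_name(owner)
        rd = socket.inet_aton(rdata) if rtype == "A" else encode_name(rdata)
        pkt += owner_b + struct.pack(">HHIH", 1 if rtype == "A" else 5, 1, ttl, len(rd)) + rd
    return pkt


def read_name(pkt, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack(">H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode())
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_answers(pkt):
    """Return (txid, [(owner, 'A'|'CNAME', ttl, rdata), ...]) for the answer section."""
    txid, _flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):                     # skip the echoed question(s)
        _, off = read_name(pkt, off)
        off += 4
    rrs = []
    for _ in range(an):
        owner, off = read_name(pkt, off)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            rrs.append((owner, "A", ttl, socket.inet_ntoa(pkt[off:off + 4])))
        elif rtype == 5:
            rrs.append((owner, "CNAME", ttl, read_name(pkt, off)[0]))
        off += rdlen
    return txid, rrs


def query_a(resolver, name, timeout=3.0):
    """Ask one recursive resolver for name/A, like `dig @resolver name`."""
    txid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (resolver, 53))
        while True:
            rid, rrs = parse_answers(s.recvfrom(4096)[0])
            if rid == txid:                 # drop replies that do not match our ID
                return rrs


def a_records(rrs):
    return sorted(r[3] for r in rrs if r[1] == "A")


def compare(expected, results):
    """results: {resolver: rrs}. Returns {resolver: its A records} for every
    resolver whose A set differs from the authoritative one."""
    exp = set(expected)
    return {res: a_records(rrs) for res, rrs in results.items()
            if set(a_records(rrs)) != exp}


if __name__ == "__main__":
    import sys
    # Offline self-check on constructed replies (sample data, not captures).
    good = parse_answers(build_response(1, "www.ben.edu", [
        ("www.ben.edu.", "CNAME", 3427, "ben.edu."),
        ("ben.edu.", "A", 3427, "38.100.120.100")]))[1]
    odd = parse_answers(build_response(2, "www.ben.edu", [
        ("www.ben.edu.", "A", 148, "208.91.197.132")]))[1]
    print(compare(["38.100.120.100"], {"resolver-a": good, "resolver-b": odd}))
    # Live (resolver IPs are assumptions): python3 dnscheck.py www.ben.edu 38.100.120.100 8.8.8.8 12.127.17.83
    if len(sys.argv) > 3:
        name, expected, resolvers = sys.argv[1], sys.argv[2].split(","), sys.argv[3:]
        results = {}
        for r in resolvers:
            try:
                results[r] = query_a(r, name)
            except OSError as e:            # socket.timeout is an OSError subclass
                print(f"{r}: no answer ({e})")
        print(compare(expected, results))
```

The transaction-ID check in query_a only discards stray replies to the diagnostic itself; it is not a defence for the resolver under test. A resolver exposed to the Kaminsky-style attack David mentions needs unpredictable IDs and source ports (and, where the zone is signed, DNSSEC validation) on its own upstream queries, which this script cannot observe; what it can show is which caches hold which answer, and whether one address such as 12.127.17.83 hands back different cached entries on successive queries.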
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs