Is anyone else having issues out there with DNS requests which should 
fail resolving to a search engine? This is with Butler net residential. 
I've written to Bill but would be interested to hear if it's happening 
with business or other ISPs (it's not happening with my work stuff). 
I've narrowed it down and it's like the requests to the root and top 
level domain servers are being hijacked...

 From my home network

    [EMAIL PROTECTED]:/etc# dig qweqpoqwiepoqiwepqiwe.com @d.gtld-servers.net

    ; <<>> DiG 9.4.1 <<>> qweqpoqwiepoqiwepqiwe.com @d.gtld-servers.net
    ; (1 server found)
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10473
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 0
    ;; WARNING: recursion requested but not available

    ;; QUESTION SECTION:
    ;qweqpoqwiepoqiwepqiwe.com.     IN      A

    ;; ANSWER SECTION:
    qweqpoqwiepoqiwepqiwe.com. 60   IN      A       8.15.7.102
    qweqpoqwiepoqiwepqiwe.com. 60   IN      A       63.251.179.28

    ;; AUTHORITY SECTION:
    qweqpoqwiepoqiwepqiwe.com. 65535 IN     NS      WSC2.JOMAX.NET.
    qweqpoqwiepoqiwepqiwe.com. 65535 IN     NS      WSC1.JOMAX.NET.

    ;; Query time: 752 msec
    ;; SERVER: 192.31.80.30#53(192.31.80.30)
    ;; WHEN: Thu Sep 25 14:59:33 2008
    ;; MSG SIZE  rcvd: 131


 From Outside:

    [EMAIL PROTECTED]:~$ dig qweqpoqwiepoqiwepqiwe.com @d.gtld-servers.net

    ; <<>> DiG 9.4.1 <<>> qweqpoqwiepoqiwepqiwe.com @d.gtld-servers.net
    ; (1 server found)
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 40084
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
    ;; WARNING: recursion requested but not available

    ;; QUESTION SECTION:
    ;qweqpoqwiepoqiwepqiwe.com.     IN      A

    ;; AUTHORITY SECTION:
    com.                    900     IN      SOA     a.gtld-servers.net. nstld.verisign-grs.com. 1222372779 1800 900 604800 900

    ;; Query time: 56 msec
    ;; SERVER: 192.31.80.30#53(192.31.80.30)
    ;; WHEN: Thu Sep 25 14:59:57 2008
    ;; MSG SIZE  rcvd: 116

The IP for resolves to the same on both systems (192.31.80.30)

If this is a known hack, I'd like to hear too. Though everything looks 
clean as far as I can tell.

Rich
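
An added example, not part of the original post: a Python check that parses dig output captured from two vantage points and flags the divergence shown above (same server address, different rcode). The sample transcripts are abridged from the post, and the function names are hypothetical.

```python
import re

# Sample input: abridged from the two dig transcripts in the post above.
HOME = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10473
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 0
;; ANSWER SECTION:
qweqpoqwiepoqiwepqiwe.com. 60   IN      A       8.15.7.102
qweqpoqwiepoqiwepqiwe.com. 60   IN      A       63.251.179.28
;; SERVER: 192.31.80.30#53(192.31.80.30)
"""
OUTSIDE = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 40084
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; SERVER: 192.31.80.30#53(192.31.80.30)
"""

def parse_dig(text):
    """Extract rcode, header flags, answer A records and queried server."""
    status = re.search(r"status: (\w+)", text).group(1)
    flags = re.search(r"flags: ([a-z ]+);", text).group(1).split()
    server = re.search(r"SERVER: ([\d.]+)#", text).group(1)
    answers = re.findall(r"^\S+\s+\d+\s+IN\s+A\s+([\d.]+)\s*$", text, re.M)
    return {"status": status, "flags": flags, "server": server, "answers": answers}

def compare_vantages(probe, reference):
    """List findings when two vantage points disagree about the same server."""
    p, r = parse_dig(probe), parse_dig(reference)
    if p["server"] != r["server"]:
        return ["different servers queried; results are not comparable"]
    findings = []
    if r["status"] == "NXDOMAIN" and p["status"] == "NOERROR" and p["answers"]:
        findings.append("NXDOMAIN rewritten to NOERROR with A records: "
                        + ", ".join(p["answers"]))
    if "aa" in p["flags"] and p["status"] != r["status"]:
        findings.append("conflicting authoritative answers attributed to "
                        + p["server"]
                        + ": at least one path is not reaching the real server")
    return findings

if __name__ == "__main__":
    for finding in compare_vantages(HOME, OUTSIDE):
        print(finding)
```

Run against fresh captures, the name queried should be a random label that cannot exist, so a NOERROR answer is unambiguous.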
