[dns-operations] dns mud report, continued

Paul Vixie paul at vix.com
Sun Nov 18 15:54:21 UTC 2007


this is just too darned much fun, but i promise i'll stop eventually.  here's
a 30 minute sample of A RR's in non-error responses where at least one of the
addresses is in a private address space.  i did not include 127/8 since that's
what RBL's use and the file is full of that and it's nonmeaningful.  should've
used 0/8, i know.

first, 169.254/16:

1195398264 an renci.org IN A 600,152.54.4.10 600,152.54.4.20 \
  600,169.254.37.111 152.54.4.3
1195398899 an law.utah.edu IN A 600,155.97.64.12 600,155.97.64.13 \
  600,155.97.64.15 600,169.254.9.141 600,192.168.234.235 155.97.64.15

i think law.utah.edu should get an unclear-on-the-concept award for using
both a 192.168/16 and a 169.254/16 address in the same response.

1195398663 an mx23.sjc.ebay.com IN A 3600,10.6.182.123 66.135.207.138
1195398803 an mx12.sjc.ebay.com IN A 3600,10.6.182.112 66.135.207.138
1195399882 an mx19.sjc.ebay.com IN A 3600,10.6.182.119 66.135.223.137

this is, frankly, very surprising.  ebay's technical people are top notch.

as for the rest, it's a mixture of people who dual-home a server name in both
public and private space, and people who just plain leak.  the danger in all
this is that the private address designated by these A RRs may actually mean
something in the querier's own addressing domain.  this is the application
for which BIND9's "view" feature was developed.  rfc 1918 advises folks to
use "split horizon dns" (i know because i contributed some text about it) but
it's somewhat clear from this small snapshot that folks aren't reading rfc's:




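An added example, not part of the original post: a Python check for the condition described above, flagging A RRsets that carry addresses from 10/8, 172.16/12, 192.168/16 or 169.254/16 (127/8 excluded, as in the post). The sample lines are constructed in the post's line format with documentation names and addresses; reading the bare last field as the responder's address, and the "mixed"/"private-only" labels, are assumptions.

```python
import ipaddress

# RFC 1918 plus link-local 169.254/16; 127/8 is left out, as in the post.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

# Constructed sample in the post's line format (documentation names/addresses).
SAMPLE = """\
1195398000 an www.example.com IN A 600,198.51.100.10 600,192.168.1.5 \\
  600,169.254.9.141 203.0.113.53
1195398001 ar mx1.example.net IN A 3600,10.6.182.123 203.0.113.54
1195398002 an ok.example.org IN A 300,198.51.100.20 203.0.113.55
1195398003 ns 2.0.192.in-addr.arpa IN NS 3600,10.example.org 203.0.113.56
1195398004 an rbl.example.org IN A 60,127.0.0.2 203.0.113.57
"""

def records(text):
    """Yield (section, name, rrtype, [rdata, ...]) per logical log line."""
    text = text.replace("\\\n", " ")          # join backslash-continued lines
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[3] != "IN":
            continue                           # not a record line
        # RRs are "ttl,rdata"; the bare last field (assumed responder) is skipped.
        rdata = [t.split(",", 1)[1] for t in tok[5:] if "," in t]
        yield tok[1], tok[2].lower(), tok[4], rdata

def private_net(addr):
    """Return the private network containing addr, or None."""
    try:
        ip = ipaddress.IPv4Address(addr)
    except ValueError:
        return None                            # not an IPv4 literal
    return next((str(n) for n in PRIVATE_NETS if ip in n), None)

def find_leaks(text):
    """Map name -> (kind, sorted private addrs) for A RRsets with private data."""
    out = {}
    for _section, name, rrtype, rdata in records(text):
        if rrtype != "A":
            continue                           # "10.example.org" in NS rdata is a name
        priv = sorted(a for a in rdata if private_net(a))
        if priv:
            kind = "mixed" if len(priv) < len(rdata) else "private-only"
            out[name] = (kind, priv)
    return out

if __name__ == "__main__":
    print(find_leaks(SAMPLE))
```

Matching on parsed addresses rather than on text prefixes keeps names such as `10.example.org` in NS data and addresses such as 172.32.0.1 out of the results.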