[dns-operations] DNS replies from AS 4808

Skull skull at bofhland.org
Wed Jun 3 08:43:03 UTC 2009


On Jun 3, 2009, at 9:06 AM, Alexander Mayrhofer wrote:

>> It seems like DNS replies from AS 4808 are being filtered.  DNS
>> queries for hostnames which contain some Web 2.0 related strings
>> return bogus results (A RR).  That can affect DNSBL results from
>> nameservers on that network.
>
> I'm sorry, but what are "Web 2.0 related strings"? Plus, do they
> filter outbound, inbound, or both?


I'll try to explain what appears to be happening.

Apparently, some of the queries to SURBL mirrors appear to be
hijacked during transit through Chinese address space.
So, queries for names like "twitter.com.multi.surbl.org", which are
expected to result in NXDOMAIN, behave this way when they go toward
k5.surbl.org, located on China Unicom:

skull at logger:~$ host twitter.com.multi.surbl.org k5.surbl.org
Using domain server:
Name: k5.surbl.org
Address: 123.125.50.246#53
Aliases:

twitter.com.multi.surbl.org has address 209.145.54.50
;; Warning: Message parser reports malformed message packet.
;; Got bad packet: bad label type
88 bytes
22 16 85 80 00 01 00 01 00 00 00 00 07 74 77 69
74 74 65 72 03 63 6f 6d 05 6d 75 6c 74 69 05 73
75 72 62 6c 03 6f 72 67 00 00 0f 00 01 07 74 77
69 74 74 65 72 03 63 6f 6d 05 6d 75 6c 74 69 05
73 75 72 62 6c 03 6f 72 67 00 00 0f 00 01 00 01
51 80 00 04 04 24 42 b2

This has been observed causing false positives (FPs) in DNSBL-style
queries for SURBL users.

Or, at least, observed behaviours point to this explanation...

-- 
http://bofhskull.wordpress.com/
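Added example, not part of the original post and not SURBL's or the list's own code: a small RFC 1035 parser that decodes the 88-byte dump quoted above and shows why `host` rejected it. The question and answer in that dump are typed 0x000f (MX, one of the types `host` queries by default), yet the answer carries a 4-byte rdata (04 24 42 b2, which reads as the IPv4 address 4.36.66.178). After the two-byte MX preference the parser lands on byte 0x42, whose top bits 01 are a reserved label type, which is exactly the "bad label type" `host` reported. The same code applies the check a DNSBL client would want before acting on an answer: a SURBL listing is signalled by an address in 127.0.0.0/8, so anything else (the 209.145.54.50 shown above included) is not a listing and should not produce a hit. The replies produced by `build_a_reply` are constructed here for comparison, not captured traffic.

```python
import ipaddress
import struct

# The 88 bytes `host` printed after "Got bad packet: bad label type",
# copied from the post above. Question/answer type 0x000f is MX.
HIJACKED_REPLY = bytes.fromhex(
    "22 16 85 80 00 01 00 01 00 00 00 00 07 74 77 69 "
    "74 74 65 72 03 63 6f 6d 05 6d 75 6c 74 69 05 73 "
    "75 72 62 6c 03 6f 72 67 00 00 0f 00 01 07 74 77 "
    "69 74 74 65 72 03 63 6f 6d 05 6d 75 6c 74 69 05 "
    "73 75 72 62 6c 03 6f 72 67 00 00 0f 00 01 00 01 "
    "51 80 00 04 04 24 42 b2"
)

TYPE_A, TYPE_MX = 1, 15
TYPE_NAMES = {1: "A", 15: "MX", 28: "AAAA"}
# DNSBLs (SURBL included) signal a listing with an address in 127.0.0.0/8.
DNSBL_RANGE = ipaddress.ip_network("127.0.0.0/8")


def read_name(buf, off):
    """Decode an RFC 1035 name at buf[off]; return (name, offset after it).
    Label types 0b01 and 0b10 are reserved: that is `host`'s "bad label type"."""
    labels = []
    while True:
        length = buf[off]
        if length == 0:
            return ".".join(labels) or ".", off + 1
        kind = length & 0xC0
        if kind == 0xC0:                      # compression pointer
            ptr = struct.unpack_from("!H", buf, off)[0] & 0x3FFF
            tail, _ = read_name(buf, ptr)
            return ".".join(labels + [tail]), off + 2
        if kind:
            raise ValueError("bad label type at offset %d (0x%02x)" % (off, length))
        off += 1
        labels.append(buf[off:off + length].decode("ascii"))
        off += length


def parse_reply(buf):
    """Header, question section and answer section of a DNS reply."""
    ident, flags, qd, an, _ns, _ar = struct.unpack_from("!6H", buf, 0)
    off = 12
    questions = []
    for _ in range(qd):
        name, off = read_name(buf, off)
        qtype, qclass = struct.unpack_from("!HH", buf, off)
        off += 4
        questions.append((name, qtype, qclass))
    answers = []
    for _ in range(an):
        name, off = read_name(buf, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        answers.append({"name": name, "type": rtype, "class": rclass, "ttl": ttl,
                        "rdata": buf[off:off + rdlen], "rdata_off": off})
        off += rdlen
    return {"id": ident, "flags": flags, "rcode": flags & 0xF,
            "questions": questions, "answers": answers}


def decode_mx(buf, rdata_off):
    """MX rdata: 16-bit preference followed by a (possibly compressed) name."""
    pref = struct.unpack_from("!H", buf, rdata_off)[0]
    exchange, _ = read_name(buf, rdata_off + 2)
    return pref, exchange


def rdata_as_ipv4(rdata):
    return str(ipaddress.ip_address(rdata))


def is_plausible_dnsbl_answer(ip):
    return ipaddress.ip_address(ip) in DNSBL_RANGE


def audit(buf):
    """Reasons not to trust this reply as a DNSBL answer (empty list = clean)."""
    findings = []
    for ans in parse_reply(buf)["answers"]:
        tname = TYPE_NAMES.get(ans["type"], str(ans["type"]))
        if ans["type"] == TYPE_MX:
            try:
                decode_mx(buf, ans["rdata_off"])
            except (ValueError, IndexError) as exc:
                findings.append("MX rdata does not parse: %s" % exc)
        if len(ans["rdata"]) == 4:            # one-size-fits-all rdata from an injector
            ip = rdata_as_ipv4(ans["rdata"])
            if ans["type"] != TYPE_A:
                findings.append("%s answer carries 4-byte rdata that reads as IPv4 %s" % (tname, ip))
            if not is_plausible_dnsbl_answer(ip):
                findings.append("%s is outside %s, not a DNSBL return code" % (ip, DNSBL_RANGE))
    return findings


def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_a_reply(ident, qname, ip, ttl=900):
    """Constructed, well-formed A reply (not captured traffic) for comparison;
    the answer name is a compression pointer back to the question at offset 12."""
    header = struct.pack("!6H", ident, 0x8580, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, ttl, 4) + ipaddress.ip_address(ip).packed
    return header + question + answer
```

Running `audit(HIJACKED_REPLY)` yields three findings: the MX rdata fails at offset 86 with label byte 0x42, the MX answer carries an IPv4-sized rdata, and that address is outside 127/8. A constructed reply of 127.0.0.2 for a listed name audits clean, while the same reply carrying 209.145.54.50 (the address in the post's A answer) is flagged as not a DNSBL return code, which is the client-side check that would have kept the hijacked answers from turning into false positives.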