[dns-operations] ziyouforever.com

John Kristoff jtk at cymru.com
Fri Jun 12 19:58:32 UTC 2009


Hi folks,

I stumbled upon some odd looking queries and answers related to the
ziyouforever.com zone.  For posterity and archival purposes I thought
I'd post something about it, since there doesn't seem to be much info
available publicly.

I was seeing queries and answers that looked like this:

  ;; QUESTION SECTION:
  ;daca6aaf6b08238025245bb0974d8fbb6a57a368.1.ziyouforever.com. IN        A

  ;; ANSWER SECTION:
  daca6aaf6b08238025245bb0974d8fbb6a57a368.1.ziyouforever.com. 300 IN A 131.44.71.105
  daca6aaf6b08238025245bb0974d8fbb6a57a368.1.ziyouforever.com. 300 IN A 142.124.253.105
  daca6aaf6b08238025245bb0974d8fbb6a57a368.1.ziyouforever.com. 300 IN A 156.207.116.54
  daca6aaf6b08238025245bb0974d8fbb6a57a368.1.ziyouforever.com. 300 IN A 189.190.144.48
  daca6aaf6b08238025245bb0974d8fbb6a57a368.1.ziyouforever.com. 300 IN A 223.52.197.5
  daca6aaf6b08238025245bb0974d8fbb6a57a368.1.ziyouforever.com. 300 IN A 11.194.78.17
  daca6aaf6b08238025245bb0974d8fbb6a57a368.1.ziyouforever.com. 300 IN A 80.228.214.180
  daca6aaf6b08238025245bb0974d8fbb6a57a368.1.ziyouforever.com. 300 IN A 83.54.212.117

A queries with qnames that have a most specific label that looks like a
SHA-1-like hash under a subdomain in the zone were receiving answers
containing addresses from all over the address space.  It almost looks
like fast flux, and well, I don't need to elaborate and educate any bad
guys, but it stood out like a sore thumb for the work I was doing.

Thanks to a colleague, Toni @ F-secure, this is apparently related to
software signed by Dynamic Internet Technologies, Inc.  It's not clear
what the qnames or answers mean, but it could be some sort of id or
tracking mechanism.

The authoritative name server (all point to the same address) won't
answer just any query, even within the zone it is supposed to be
authoritative for.

Another name that is apparently related is ziyoulonglive.com and the
authoritative servers ns[1-5].no-ip.com are providing stable answers
for me currently, but the answers here are odd too.  A couple in the
multicast block (class D) for example.  This name can be found on some
DNS black lists.

If nothing else, I know Roy enjoys these sorts of oddities.  :-)

John
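As an added defender-side example (not part of the original post or of any tool it names), the following Python parses dig-style answer sections like the one quoted above and flags the traits the post describes: a 40-hex-character leftmost label, answers scattered across many /8 blocks, and class D or otherwise non-unicast addresses. The ziyoulonglive.com record in the sample and the threshold of four distinct /8s are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample in dig-style presentation format. The first eight
# records are the ones quoted in the post; the ziyoulonglive.com record is
# constructed here to illustrate the multicast (class D) answers it mentions.
SAMPLE_ANSWERS = """
daca6aaf6b08238025245bb0974d8fbb6a57a368.1.ziyouforever.com. 300 IN A 131.44.71.105
daca6aaf6b08238025245bb0974d8fbb6a57a368.1.ziyouforever.com. 300 IN A 142.124.253.105
daca6aaf6b08238025245bb0974d8fbb6a57a368.1.ziyouforever.com. 300 IN A 156.207.116.54
daca6aaf6b08238025245bb0974d8fbb6a57a368.1.ziyouforever.com. 300 IN A 189.190.144.48
daca6aaf6b08238025245bb0974d8fbb6a57a368.1.ziyouforever.com. 300 IN A 223.52.197.5
daca6aaf6b08238025245bb0974d8fbb6a57a368.1.ziyouforever.com. 300 IN A 11.194.78.17
daca6aaf6b08238025245bb0974d8fbb6a57a368.1.ziyouforever.com. 300 IN A 80.228.214.180
daca6aaf6b08238025245bb0974d8fbb6a57a368.1.ziyouforever.com. 300 IN A 83.54.212.117
www.ziyoulonglive.com. 300 IN A 239.1.2.3
"""

HEX40 = re.compile(r"^[0-9a-f]{40}$")
# owner TTL IN A address (question-section lines carry no TTL and are skipped)
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\S+)$")

def parse_a_records(text):
    """Group the A records in dig-style output by owner name."""
    records = {}
    for line in text.splitlines():
        m = RR_LINE.match(line.strip())
        if m:
            name, _ttl, addr = m.groups()
            records.setdefault(name.lower(), []).append(ipaddress.ip_address(addr))
    return records

def has_hash_label(qname):
    """True when the leftmost label is 40 hex characters, i.e. SHA-1-like."""
    return bool(HEX40.match(qname.split(".")[0].lower()))

def assess(qname, addrs, min_prefixes=4):
    """Return the reasons this name and its answer set stand out."""
    reasons = []
    if has_hash_label(qname):
        reasons.append("sha1-like-label")
    prefixes = {int(a) >> 24 for a in addrs}  # distinct /8 blocks in the answers
    if len(prefixes) >= min_prefixes:
        reasons.append(f"scattered-answers:{len(prefixes)}-slash8s")
    odd = [str(a) for a in addrs if a.is_multicast or a.is_private or a.is_reserved]
    if odd:
        reasons.append("non-unicast-answers:" + ",".join(odd))
    return reasons

def scan(text, min_prefixes=4):
    return {q: assess(q, a, min_prefixes) for q, a in parse_a_records(text).items()}
```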


