[dns-operations] Sophidea .info names odd behavior

John Kristoff jtk at cymru.com
Sun Jan 3 09:24:12 UTC 2010 

Hi folks,

Another oddity popped up recently and I don't have the motivation to
fully investigate this, but for posterity sake in case any goes
searching the net for it (like me again in the future), I thought I'd
put something out here.

A few names, such as bqyy.info and gcougle.info appear to be involved
in providing some sort of odd service.  My guess is another DNS-based
tunneling service, but I've not done an exhaustive investigation to
determine for sure.

From what I've seen the trail of this stuff might begin with a handful
of ns1 and ns2 labeled name servers in the .info zone, registered
through GoDaddy in second half of 2009 using a privacy service with
glue records pointing to:

  65.49.2.10
  65.49.2.11
  65.49.2.12
  65.49.2.13
  65.49.2.14
  65.49.2.15
  65.49.2.16
  65.49.2.17
  65.49.2.18
  65.49.2.21
  65.49.2.22
  65.49.2.23
  65.49.2.24
  65.49.2.26
  65.49.2.27
  65.49.14.10
  65.49.14.11
  65.49.14.12
  65.49.14.13

If you ask those name servers what the authoritative name server for
the domain name is you'll get something quite different.  You'll get a
set of 3 A RRs with a 60 second TTL to seemingly random IP addresses,
but the first octet in each set is always the same /8.

Asking an A query for what appears to be specially formatted hostnames
in the zone returns a similar response, but in this case a set of 4 IP
addresses where the first octet is in the same /8 for each set.  The
format of the name to solicit this response appears to be:

  [4_chars].[8_chars].[SLD].info

Service for those addresses is currently being provided by HE and is
SWIP'd to an organization called Sophidea Inc in Cheyenne, WY,
apparently headed by a Gerarld Pitts who heads a number of other groups
at that street address.  With some digging there are a few
suspicious cases of Internet activity emanating from affiliated
organizations in the past, but its tough to say this is nefarious by
association from what I've seen.

If anyone cares to dig or knows more I'd appreciate a follow up to
satisfy my curiosity.

John

More information about the dns-operations mailing list