[dns-operations] / also being used as authoritative NSs?

Robert Edmonds edmonds at isc.org
Tue Mar 8 19:05:52 UTC 2011

Chris Thompson wrote:
> For about a year we have been counting packets between our network and
> and (public-dns-[ab].google.com]) on port 53, as we
> wanted to see whether there was a significant uptake of Google DNS
> locally.
> In mid-January, there was a notable change: much larger numbers of local
> addresses started showing very low numbers of such packets (1-5 per
> day). I have now realised that this includes our own central
> recursive nameservers. This could be explained by the Google
> addresses being
> used as official NSs for some (not heavily used) domain.
> To save me arranging some packet capture, can anyone say whether this
> is true? It is possible, of course, that the domain(s) in question
> are nothing to do with Google qua se, as any black hat could point
> his NSs at these addresses - but to achieve what?

yes, it's true.  here's a single example, also note the level3 address:

    ; <<>> DiG 9.7.2-P3 <<>> +norec @a.gtld-servers.net liteddos.com
    ; (2 servers found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49079
    ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 3

    ;liteddos.com.          IN  A

    liteddos.com.       172800  IN  NS  ns1.liteddos.com.
    liteddos.com.       172800  IN  NS  ns2.liteddos.com.
    liteddos.com.       172800  IN  NS  ns3.liteddos.com.

    ns1.liteddos.com.   172800  IN  A
    ns2.liteddos.com.   172800  IN  A
    ns3.liteddos.com.   172800  IN  A

    ;; Query time: 33 msec
    ;; SERVER: 2001:503:a83e::2:30#53(2001:503:a83e::2:30)
    ;; WHEN: Tue Mar  8 14:04:48 2011
    ;; MSG SIZE  rcvd: 132

Robert Edmonds
edmonds at isc.org

More information about the dns-operations mailing list