[dns-operations] 8.8.8.8 / 8.8.4.4 also being used as authoritative NSs?
Robert Edmonds
edmonds at isc.org
Tue Mar 8 19:05:52 UTC 2011
Chris Thompson wrote:
> For about a year we have been counting packets between our network and
> 8.8.8.8 and 8.8.4.4 (public-dns-[ab].google.com) on port 53, as we
> wanted to see whether there was a significant uptake of Google DNS
> locally.
>
> In mid-January, there was a notable change: much larger numbers of local
> addresses started showing very low numbers of such packets (1-5 per
> day). I have now realised that this includes our own central
> recursive nameservers. This could be explained by the Google
> addresses being used as official NSs for some (not heavily used)
> domain.
>
> To save me arranging some packet capture, can anyone say whether this
> is true? It is possible, of course, that the domain(s) in question
> are nothing to do with Google qua se, as any black hat could point
> his NSs at these addresses - but to achieve what?
yes, it's true. here's a single example, also note the level3 address:
; <<>> DiG 9.7.2-P3 <<>> +norec @a.gtld-servers.net liteddos.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49079
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 3
;; QUESTION SECTION:
;liteddos.com. IN A
;; AUTHORITY SECTION:
liteddos.com. 172800 IN NS ns1.liteddos.com.
liteddos.com. 172800 IN NS ns2.liteddos.com.
liteddos.com. 172800 IN NS ns3.liteddos.com.
;; ADDITIONAL SECTION:
ns1.liteddos.com. 172800 IN A 72.20.1.2
ns2.liteddos.com. 172800 IN A 8.8.8.8
ns3.liteddos.com. 172800 IN A 4.2.2.1
;; Query time: 33 msec
;; SERVER: 2001:503:a83e::2:30#53(2001:503:a83e::2:30)
;; WHEN: Tue Mar 8 14:04:48 2011
;; MSG SIZE rcvd: 132
--
Robert Edmonds
edmonds at isc.org
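
The check this thread performs by eye, as an added example that is not part of the original post: it parses the AUTHORITY and ADDITIONAL sections of a dig delegation response and reports glue records whose address is a public recursive resolver. The function names and the resolver table (limited to the addresses named in the thread) are assumptions made for illustration.

```python
import ipaddress

# Assumption: only the resolver addresses named in this thread are listed.
PUBLIC_RESOLVERS = {
    ipaddress.ip_address("8.8.8.8"): "Google Public DNS",
    ipaddress.ip_address("8.8.4.4"): "Google Public DNS",
    ipaddress.ip_address("4.2.2.1"): "Level 3",
}

# Record sections copied from the dig output in the post above.
SAMPLE = """\
;; QUESTION SECTION:
;liteddos.com. IN A
;; AUTHORITY SECTION:
liteddos.com. 172800 IN NS ns1.liteddos.com.
liteddos.com. 172800 IN NS ns2.liteddos.com.
liteddos.com. 172800 IN NS ns3.liteddos.com.
;; ADDITIONAL SECTION:
ns1.liteddos.com. 172800 IN A 72.20.1.2
ns2.liteddos.com. 172800 IN A 8.8.8.8
ns3.liteddos.com. 172800 IN A 4.2.2.1
;; Query time: 33 msec
"""

def parse_sections(text):
    """Map each dig section name to its records, split into fields."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(";;") and line.endswith("SECTION:"):
            current = line.split()[1]
            sections[current] = []
        elif line and not line.startswith(";") and current:
            sections[current].append(line.split())
    return sections

def flag_resolver_glue(text, resolvers=PUBLIC_RESOLVERS):
    """Return (ns_name, address, operator) for glue that is a public resolver."""
    sections = parse_sections(text)
    ns_names = {f[4].lower() for f in sections.get("AUTHORITY", [])
                if len(f) == 5 and f[3] == "NS"}
    findings = []
    for f in sections.get("ADDITIONAL", []):
        if len(f) != 5 or f[3] not in ("A", "AAAA") or f[0].lower() not in ns_names:
            continue
        try:
            addr = ipaddress.ip_address(f[4])
        except ValueError:
            continue  # malformed rdata: skip rather than crash
        if addr in resolvers:
            findings.append((f[0], str(addr), resolvers[addr]))
    return findings
```

Glue in the ADDITIONAL section is only considered when its owner name matches an NS target in the AUTHORITY section, so unrelated additional records are not reported.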