[dns-operations] 8.8.8.8 / 8.8.4.4 also being used as authoritative NSs?
Rod Rasmussen
rod.rasmussen at internetidentity.com
Tue Mar 8 20:44:22 UTC 2011
Yep, there are a bunch of "nameserverish" hosts tied to those addresses like ns2.mailprosistema.com.ar for example. We've seen various malware guys point their declared "secondary" DNS server hostnames (you need two to tango at most registries and they only have one active nameserver for their C&C domains) at IP addresses at the DOD and other such spaces. This seems stupid, but they do it anyway, not sure why. Those servers don't respond to the queries of course, and if people were aware of it they could sinkhole those hits. Some of this could be related behavior.
There are also a ton of hostnames pointing at those addresses in their A records creating plenty of "extra" traffic for Google to deal with.
There are several gems that have the full Google hostnames listed as authoritative for them - here's a few - note that the last one uses OpenDNS for an AUTH DNS server too!
dig ns ipem.es.gov.br
;; QUESTION SECTION:
;ipem.es.gov.br. IN NS
;; ANSWER SECTION:
ipem.es.gov.br. 3600 IN NS mustang.pop-es.rnp.br.
ipem.es.gov.br. 3600 IN NS ns.ipem.es.gov.br.
ipem.es.gov.br. 3600 IN NS google-public-dns-a.google.com.
ipem.es.gov.br. 3600 IN NS google-public-dns-b.google.com.
ipem.es.gov.br. 3600 IN NS wks01.rjo.embratel.net.br.
ipem.es.gov.br. 3600 IN NS fusca.pop-es.rnp.br.
ipem.es.gov.br. 3600 IN NS srvext.ipem.es.gov.br.
============
dig ns tupperwaregurgaon.co.cc
;; QUESTION SECTION:
;tupperwaregurgaon.co.cc. IN NS
;; ANSWER SECTION:
tupperwaregurgaon.co.cc. 3600 IN NS google-public-dns-b.google.com.
tupperwaregurgaon.co.cc. 3600 IN NS google-public-dns-a.google.com.
============
dig ns adsmart.com.cn
;; QUESTION SECTION:
;adsmart.com.cn. IN NS
;; ANSWER SECTION:
adsmart.com.cn. 3600 IN NS google-public-dns-b.google.com.
adsmart.com.cn. 3600 IN NS google-public-dns-a.google.com.
adsmart.com.cn. 3600 IN NS ns.xinnetdns.com.
adsmart.com.cn. 3600 IN NS dns-ch2.xinnet.com.
adsmart.com.cn. 3600 IN NS dns-ch.xinnet.com.
adsmart.com.cn. 3600 IN NS ns.xinnet.cn.
adsmart.com.cn. 3600 IN NS pearl.hknet.com.
adsmart.com.cn. 3600 IN NS dns.hinet.net.
adsmart.com.cn. 3600 IN NS resolver1.opendns.com.
Cheers,
Rod
Rod Rasmussen
President/CTO
IID -- Actively Securing the Extended Enterprise
On Mar 8, 2011, at 11:05 AM, Robert Edmonds wrote:
> Chris Thompson wrote:
>> For about a year we have been counting packets between our network and
>> 8.8.8.8 and 8.8.4.4 (public-dns-[ab].google.com) on port 53, as we
>> wanted to see whether there was a significant uptake of Google DNS
>> locally.
>>
>> In mid-January, there was a notable change: much larger numbers of local
>> addresses started showing very low numbers of such packets (1-5 per
>> day). I have now realised that this includes our own central
>> recursive nameservers. This could be explained by the Google
>> addresses being
>> used as official NSs for some (not heavily used) domain.
>>
>> To save me arranging some packet capture, can anyone say whether this
>> is true? It is possible, of course, that the domain(s) in question
>> are nothing to do with Google qua se, as any black hat could point
>> his NSs at these addresses - but to achieve what?
>
> yes, it's true. here's a single example, also note the level3 address:
>
> ; <<>> DiG 9.7.2-P3 <<>> +norec @a.gtld-servers.net liteddos.com
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49079
> ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 3
>
> ;; QUESTION SECTION:
> ;liteddos.com. IN A
>
> ;; AUTHORITY SECTION:
> liteddos.com. 172800 IN NS ns1.liteddos.com.
> liteddos.com. 172800 IN NS ns2.liteddos.com.
> liteddos.com. 172800 IN NS ns3.liteddos.com.
>
> ;; ADDITIONAL SECTION:
> ns1.liteddos.com. 172800 IN A 72.20.1.2
> ns2.liteddos.com. 172800 IN A 8.8.8.8
> ns3.liteddos.com. 172800 IN A 4.2.2.1
>
> ;; Query time: 33 msec
> ;; SERVER: 2001:503:a83e::2:30#53(2001:503:a83e::2:30)
> ;; WHEN: Tue Mar 8 14:04:48 2011
> ;; MSG SIZE rcvd: 132
>
> --
> Robert Edmonds
> edmonds at isc.org
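The delegations discussed in this thread, an NS record whose hostname is a public recursive resolver or whose glue address is one, can be picked out mechanically from dig output. The Python below is an added example, not code from the list or from any poster; the resolver hostnames and addresses it checks are only those named in the thread, and the sample dig excerpts are constructed from the outputs quoted above.

```python
import re
from typing import Dict, List, Tuple

# Public recursive resolvers named in the thread (constructed list, not from
# the posters): a resolver listed as NS never answers for the delegation.
PUBLIC_RESOLVER_NAMES = {"google-public-dns-a.google.com",
                         "google-public-dns-b.google.com", "resolver1.opendns.com"}
PUBLIC_RESOLVER_IPS = {"8.8.8.8", "8.8.4.4", "4.2.2.1"}

# One record line of a dig section; an optional "> " quote prefix is allowed.
RR_LINE = re.compile(r"^(?:>\s*)?(\S+)\s+(\d+)\s+IN\s+(NS|A)\s+(\S+)$")

def parse_dig(text: str) -> Tuple[List[Tuple[str, str]], Dict[str, str]]:
    """Return ([(owner, nameserver), ...], {nameserver: glue_address})."""
    ns_records, glue = [], {}
    for line in text.splitlines():
        m = RR_LINE.match(line.strip())
        if not m:
            continue  # comments, section headers, blank lines
        owner, _ttl, rtype, rdata = m.groups()
        owner, rdata = owner.lower().rstrip("."), rdata.lower().rstrip(".")
        if rtype == "NS":
            ns_records.append((owner, rdata))
        else:
            glue[owner] = rdata
    return ns_records, glue

def find_resolver_delegations(text: str) -> List[Tuple[str, str, str]]:
    """Flag NS records pointing at a public resolver by hostname or by glue."""
    findings = []
    ns_records, glue = parse_dig(text)
    for owner, ns in ns_records:
        if ns in PUBLIC_RESOLVER_NAMES:
            findings.append((owner, ns, "NS is a public resolver hostname"))
        elif glue.get(ns) in PUBLIC_RESOLVER_IPS:
            findings.append((owner, ns, f"glue {glue[ns]} is a public resolver"))
    return findings

# Constructed samples modelled on the dig outputs quoted in the thread.
SAMPLE_LITEDDOS = """;; AUTHORITY SECTION:
> liteddos.com. 172800 IN NS ns1.liteddos.com.
> liteddos.com. 172800 IN NS ns2.liteddos.com.
> liteddos.com. 172800 IN NS ns3.liteddos.com.
;; ADDITIONAL SECTION:
> ns1.liteddos.com. 172800 IN A 72.20.1.2
> ns2.liteddos.com. 172800 IN A 8.8.8.8
> ns3.liteddos.com. 172800 IN A 4.2.2.1"""
SAMPLE_COCC = """tupperwaregurgaon.co.cc. 3600 IN NS google-public-dns-b.google.com.
tupperwaregurgaon.co.cc. 3600 IN NS google-public-dns-a.google.com."""
```

Feeding it the output of `dig +norec @a.gtld-servers.net <domain>` flags the ns2/ns3 glue in the liteddos.com case and both Google hostnames in the co.cc case; a zone with ordinary nameservers yields an empty list.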