[dns-operations] 8.8.8.8 / 8.8.4.4 also being used as authoritative NSs?

Rod Rasmussen rod.rasmussen at internetidentity.com
Tue Mar 8 20:44:22 UTC 2011 

Yep, there are bunch of "nameserverish" hosts tied to those addresses like ns2.mailprosistema.com.ar for example.  We've seen various malware guys point their declared "secondary" DNS server hostnames (you need two to tango at most registries and they only have one active nameserver for their C&C domains) at IP addresses at the DOD and other such spaces.  This eems stupid, but they do it anyway, not sure why.  Those servers don't respond to the queries of course, and if people were aware of it they could sinkhole those hits.  Some of this could be related behavior.

There are also a ton of hostnames pointing at those addresses in their A records creating plenty of "extra" traffic for Google to deal with.  

There are several gems that have their the full Google hostnames listed as authoritative for them - here's a few - note that last one uses OpenDNS for an AUTH DNS server too!

dig ns ipem.es.gov.br

;; QUESTION SECTION:
;ipem.es.gov.br.			IN	NS

;; ANSWER SECTION:
ipem.es.gov.br.		3600	IN	NS	mustang.pop-es.rnp.br.
ipem.es.gov.br.		3600	IN	NS	ns.ipem.es.gov.br.
ipem.es.gov.br.		3600	IN	NS	google-public-dns-a.google.com.
ipem.es.gov.br.		3600	IN	NS	google-public-dns-b.google.com.
ipem.es.gov.br.		3600	IN	NS	wks01.rjo.embratel.net.br.
ipem.es.gov.br.		3600	IN	NS	fusca.pop-es.rnp.br.
ipem.es.gov.br.		3600	IN	NS	srvext.ipem.es.gov.br.

============

dig ns tupperwaregurgaon.co.cc

;; QUESTION SECTION:
;tupperwaregurgaon.co.cc.	IN	NS

;; ANSWER SECTION:
tupperwaregurgaon.co.cc. 3600	IN	NS	google-public-dns-b.google.com.
tupperwaregurgaon.co.cc. 3600	IN	NS	google-public-dns-a.google.com.

============

dig ns adsmart.com.cn

;; QUESTION SECTION:
;adsmart.com.cn.			IN	NS

;; ANSWER SECTION:
adsmart.com.cn.		3600	IN	NS	google-public-dns-b.google.com.
adsmart.com.cn.		3600	IN	NS	google-public-dns-a.google.com.
adsmart.com.cn.		3600	IN	NS	ns.xinnetdns.com.
adsmart.com.cn.		3600	IN	NS	dns-ch2.xinnet.com.
adsmart.com.cn.		3600	IN	NS	dns-ch.xinnet.com.
adsmart.com.cn.		3600	IN	NS	ns.xinnet.cn.
adsmart.com.cn.		3600	IN	NS	pearl.hknet.com.
adsmart.com.cn.		3600	IN	NS	dns.hinet.net.
adsmart.com.cn.		3600	IN	NS	resolver1.opendns.com.


Cheers,

Rod

Rod Rasmussen
President/CTO
IID -- Actively Securing the Extended Enterprise

On Mar 8, 2011, at 11:05 AM, Robert Edmonds wrote:

> Chris Thompson wrote:
>> For about a year we have been counting packets between our network and
>> 8.8.8.8 and 8.8.4.4 (public-dns-[ab].google.com]) on port 53, as we
>> wanted to see whether there was a significant uptake of Google DNS
>> locally.
>> 
>> In mid-January, there was a notable change: much larger numbers of local
>> addresses started showing very low numbers of such packets (1-5 per
>> day). I have now realised that this includes our own central
>> recursive nameservers. This could be explained by the Google
>> addresses being
>> used as official NSs for some (not heavily used) domain.
>> 
>> To save me arranging some packet capture, can anyone say whether this
>> is true? It is possible, of course, that the domain(s) in question
>> are nothing to do with Google qua se, as any black hat could point
>> his NSs at these addresses - but to achieve what?
> 
> yes, it's true.  here's a single example, also note the level3 address:
> 
>    ; <<>> DiG 9.7.2-P3 <<>> +norec @a.gtld-servers.net liteddos.com
>    ; (2 servers found)
>    ;; global options: +cmd
>    ;; Got answer:
>    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49079
>    ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 3
> 
>    ;; QUESTION SECTION:
>    ;liteddos.com.          IN  A
> 
>    ;; AUTHORITY SECTION:
>    liteddos.com.       172800  IN  NS  ns1.liteddos.com.
>    liteddos.com.       172800  IN  NS  ns2.liteddos.com.
>    liteddos.com.       172800  IN  NS  ns3.liteddos.com.
> 
>    ;; ADDITIONAL SECTION:
>    ns1.liteddos.com.   172800  IN  A   72.20.1.2
>    ns2.liteddos.com.   172800  IN  A   8.8.8.8
>    ns3.liteddos.com.   172800  IN  A   4.2.2.1
> 
>    ;; Query time: 33 msec
>    ;; SERVER: 2001:503:a83e::2:30#53(2001:503:a83e::2:30)
>    ;; WHEN: Tue Mar  8 14:04:48 2011
>    ;; MSG SIZE  rcvd: 132
> 
> -- 
> Robert Edmonds
> edmonds at isc.org
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

More information about the dns-operations mailing list