[dns-operations] Typo in fox.com and an Akamai squatter

TOURNAT Guillaume gtournat at tibco.fr
Sat Jan 30 09:25:56 UTC 2016


If NS record was stolen, so do MX record...

--
Guillaume Tournat
Consultant Tibco Services

Le 30 janv. 2016 à 04:47, Suresh, Sairam <ssairam at amazon.com<mailto:ssairam at amazon.com>> a écrit :

Chris, try fnghelpdesk at fox.com<mailto:fnghelpdesk at fox.com> - they'll escalate to the right person.

-----Original Message-----
From: dns-operations [mailto:dns-operations-bounces at dns-oarc.net] On Behalf Of Chris Adams
Sent: Friday, January 29, 2016 2:17 PM
To: dns-operations at dns-oarc.net<mailto:dns-operations at dns-oarc.net>
Subject: [dns-operations] Typo in fox.com<http://fox.com> and an Akamai squatter

One of my customers for which I manage recursive DNS servers ran into a
problem: fox.com<http://fox.com> was resolving to 185.45.13.88 for their customers (which appears to be serving malware).

Digging into the cache, it appears the problem is a typo in the NS records for fox.com<http://fox.com>:

$ dig +short fox.com<http://fox.com> ns
;; Truncated, retrying in TCP mode.
a23-73-133-237.deploy.static.akamaitechnologies.com<http://a23-73-133-237.deploy.static.akamaitechnologies.com>.
a72-247-151-10.deploy.akamaitechnologies.com<http://a72-247-151-10.deploy.akamaitechnologies.com>.
a72-247-45-157.deploy.akamaitechnologies.com<http://a72-247-45-157.deploy.akamaitechnologies.com>.
a72-246-0-10.deploy.akamaitechnologies.com<http://a72-246-0-10.deploy.akamaitechnologies.com>.
a23-73-134-237.deploy.static.akamaitechnologies.com<http://a23-73-134-237.deploy.static.akamaitechnologies.com>.
a72-247-45-25.deploy.akamaitechnologies.com<http://a72-247-45-25.deploy.akamaitechnologies.com>.
a72-247-45-110.deploy.akamaitechnologies.co<http://a72-247-45-110.deploy.akamaitechnologies.co>.
a72-246-192-168.deploy.akamaitechnologies.com<http://a72-246-192-168.deploy.akamaitechnologies.com>.
a23-73-133-141.deploy.static.akamaitechnologies.com<http://a23-73-133-141.deploy.static.akamaitechnologies.com>.
zl1-east.akamai.com<http://zl1-east.akamai.com>.
a60-254-128-45.deploy.akamaitechnologies.com<http://a60-254-128-45.deploy.akamaitechnologies.com>.
zl1-west.akamai.com<http://zl1-west.akamai.com>.
a23-73-134-141.deploy.static.akamaitechnologies.com<http://a23-73-134-141.deploy.static.akamaitechnologies.com>.
a72-247-45-65.deploy.akamaitechnologies.com<http://a72-247-45-65.deploy.akamaitechnologies.com>.
fw01.cmbrmaks.akamai.com<http://fw01.cmbrmaks.akamai.com>.
a193-108-152-143.deploy.akamaitechnologies.com<http://a193-108-152-143.deploy.akamaitechnologies.com>.

Note that they are all "akamai.com<http://akamai.com>." or "akamaitechnologies.com<http://akamaitechnologies.com>.", except for one that is "akamaitechnologies.co<http://akamaitechnologies.co>." (.co not .coM).
a72-247-45-110.deploy.akamaitechnologies.co<http://a72-247-45-110.deploy.akamaitechnologies.co>. resolves to the bogus IP (with a link-local AAAA record), so I am guessing that the akamaitechnologies.co<http://akamaitechnologies.co> domain is a squatter (wonder how many other domains have such typos).

Anybody have a contact at fox.com<http://fox.com> and/or Akamai?
--
Chris Adams <cma at cmadams.net<mailto:cma at cmadams.net>>
_______________________________________________
dns-operations mailing list
dns-operations at lists.dns-oarc.net<mailto:dns-operations at lists.dns-oarc.net>
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

_______________________________________________
dns-operations mailing list
dns-operations at lists.dns-oarc.net<mailto:dns-operations at lists.dns-oarc.net>
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20160130/7aa88bd7/attachment.html>


More information about the dns-operations mailing list