[dns-operations] weird queries for mx1.mx2.mx1.mx2...

Viktor Dukhovni ietf-dane at dukhovni.org
Tue Mar 31 09:25:38 UTC 2020 

On Tue, Mar 31, 2020 at 10:55:03AM +0200, Petr Špaček wrote:

> On 30. 03. 20 21:07, John Levine wrote:
> > In article <02fe7bae-fec6-f314-b189-4214b75cef60 at nic.cz> you write:
> >> This is query list for domain truckinsurancekentucky.com:
> >>
> >> mx1.mx1.mx1.mx1.mx1.mx2.mx1.mx2.mx1.mta-sts.mx1.mx1.mx2.mx2.mta-sts.mx1.mx1.truckinsurancekentucky.com. AAAA
> > 
> >> Domain truckinsurancekentucky.com is not the only one with this weird behavior. Does anyone have an idea what is causing this?
> > 
> > It sure looks like misconfigured mta-sts.
> > 
> > That domain is dead, got another live one we could look at and see how it's configured?  
> 
> These seem to be alive:
> 
> mx1.mx1.mx2.mx2.mx2.mx1.mx2.mx1.mta-sts.mx2.mx1.mx1.mx2.mx2.mx2.mx1.mx2.maxonsoftware.com. A
> 
> mx2.mx1.mx2.mx1.mx1.mx2.mta-sts.mx1.mx2.mx2.mx1.mx2.mx1.mx2.cineversityoneonone.net. A
> 
> mx2.mx1.mx1.mx1.mx2.mx2.mx2.mta-sts.mx1.mx2.mx1.mx1.mta-sts.mx2.mx2.mx2.effluentialtechnologies.net. A

The DNS for these domains is busted, the servers return NoError
responses, no answer, authority or additional records other than OPT...

The NS RRs in the parent zone are:

    maxonsoftware.com. IN NS ns1.mtalist.com.deleted-ns.pw.
    maxonsoftware.com. IN NS ns2.mtalist.com.deleted-ns.pw.

    cineversityoneonone.net. IN NS ns1.mtalist.com.deleted-ns.pw.
    cineversityoneonone.net. IN NS ns2.mtalist.com.deleted-ns.pw.

    effluentialtechnologies.net. IN NS ns1.mtalist.com.deleted-ns.pw.
    effluentialtechnologies.net. IN NS ns2.mtalist.com.deleted-ns.pw.

These are not "normal" domains.

    ns1.mtalist.com.deleted-ns.pw has address 109.234.109.85
    ns2.mtalist.com.deleted-ns.pw has address 109.234.109.85

    109.234.109.85  ns7.expirationwarning.net

Someone from key-systems may be able to shed more light on the setup:

    inetnum:        109.234.108.0 - 109.234.109.255
    netname:        KEY-SYSTEMS-GMBH
    descr:          Key-Systems GmbH
    descr:          Im Oberen Werk 1
    descr:          66386 St. Ingbert
    descr:          Germany
    country:        DE

Perhaps the odd setup is tickling some bug in an MTA-STS client, or a
research scan engine (not mine, I don't probe for MTA-STS).

-- 
    Viktor.

More information about the dns-operations mailing list