[dns-operations] Is this a DNS pollution?

Dave Lawrence tale at dd.org
Wed Jul 24 17:05:02 UTC 2024


To the question in the subject, we really can't tell whether it was
"DNS pollution" or not.  Maybe?

It's not what either the daum.net servers or the resolver that you
used (208.67.222.222, Cisco's Umbrella as you mentioned) are currently
responding.

Currently they are responding with a CNAME for smtp.  I didn't look
into imap.daum.net but the basic tools and inability to discern intent
are the same.

smtp.daum.net. 300 IN CNAME dmail-skadi-relay-zn9pju8w.kgns1.com.

The address record that target returns is:

dmail-skadi-relay-zn9pju8w.kgns1.com. 10 IN A   211.249.250.28

That address is currently showing in whois as held by Dreamline Co in
Korea, and the domain kgns1.com is held by Kakao Corp, the same as
daum.net, with both showing they apparently get services from
"Megazone Corp., dba HOSTING.KR" in Korea, likely affiliated with
Dreamline somehow.

The one in your original message, 157.240.8.41, was an IP allocated to
Facebook.  Its reverse agrees with that:

41.8.240.157.in-addr.arpa. 3600 IN      PTR     cmon-checkout-edge-shv-01-syd2.facebook.com.

That's definitely a bit odd to me, but not immediately damning as
being nefarious.  Was this all normal operations for daum?  Was it
cache poisoning?  Was it an operational error? We can't say. You'd
really have to talk to Kakao about it.
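
The comparison made in the message above, as an added example that is not part of the original post: it parses the two records quoted there, follows the CNAME chain for smtp.daum.net, checks the earlier observed address against the current A set, and builds the reverse name to query. The function names are assumptions of this example, and a mismatch only shows that the answers differ, not why.

```python
import ipaddress

# Records quoted in the message above, in the presentation format dig prints.
CURRENT_ANSWERS = """\
smtp.daum.net. 300 IN CNAME dmail-skadi-relay-zn9pju8w.kgns1.com.
dmail-skadi-relay-zn9pju8w.kgns1.com. 10 IN A   211.249.250.28
"""

def parse_rrs(text):
    """Parse 'owner ttl class type rdata' lines into {(owner, type): [rdata]}."""
    rrs = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop dig-style comments
        fields = line.split(None, 4)
        if len(fields) != 5:
            continue                            # blank or malformed line
        owner, _ttl, _cls, rtype, rdata = fields
        rrs.setdefault((owner.lower(), rtype.upper()), []).append(rdata.strip())
    return rrs

def resolve_chain(rrs, name, max_hops=8):
    """Follow CNAMEs from name; return (names visited, set of A addresses)."""
    chain = [name.lower()]
    for _ in range(max_hops):
        target = rrs.get((chain[-1], "CNAME"))
        if not target:
            break
        nxt = target[0].lower()
        if nxt in chain:
            raise ValueError("CNAME loop at " + nxt)
        chain.append(nxt)
    return chain, set(rrs.get((chain[-1], "A"), []))

def reverse_name(addr):
    """Name to query for the PTR record of addr (IPv4 or IPv6)."""
    return ipaddress.ip_address(addr).reverse_pointer + "."

def compare(observed_addr, rrs, name):
    """Compare an earlier observed address with what the chain returns now."""
    chain, addrs = resolve_chain(rrs, name)
    return {
        "chain": chain,
        "current": sorted(addrs),
        "matches": observed_addr in addrs,
        "ptr_query": reverse_name(observed_addr),
    }

if __name__ == "__main__":
    print(compare("157.240.8.41", parse_rrs(CURRENT_ANSWERS), "smtp.daum.net."))
```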

