[dns-operations] Is this a DNS pollution?

Jeff Pang jeff at simplemail.co.in
Wed Jul 24 22:34:00 UTC 2024


On 2024-07-25 01:05, Dave Lawrence wrote:
> To the question in the subject, we really can't tell whether it was
> "DNS pollution" or not.  Maybe?
> 
> It's not what either the daum.net servers nor the resolver that you
> used (208.67.222.222, Cisco's Umbrella as you mentioned) are currently
> responding.

Thanks for your answer. So who is responding to me?

> 
> Currently they are responding with a CNAME for smtp.  I didn't look
> into imap.daum.net but the basic tools and inability to discern intent
> are the same.
> 
> smtp.daum.net. 300 IN CNAME dmail-skadi-relay-zn9pju8w.kgns1.com.
> 
> The address record that target returns is:
> 
> dmail-skadi-relay-zn9pju8w.kgns1.com. 10 IN A   211.249.250.28
> 
> That address is currently showing in whois as held by Dreamline Co in
> Korea, and the domain kgns1.com is held by Kakao Corp, the same as
> daum.net, with both showing they apparently get services from
> "Megazone Corp., dba HOSTING.KR" in Korea, likely affiliated with
> Dreamline somehow.
> 
> The one of your original message, 157.240.8.41, was an IP allocated to
> Facebook.  Its reverse agrees with that:
> 
> 41.8.240.157.in-addr.arpa. 3600 IN      PTR     cmon-checkout-edge-shv-01-syd2.facebook.com.
> 
> That's definitely a bit odd to me, but not immediately damning as
> being nefarious.  Was this all normal operations for daum?  Was it
> cache poisoning?  Was it an operational error? We can't say. You'd
> really have to talk to Kakao about it.

Here is the dig from my home PC (at this time; it seems to change every
time).

$ dig +nocmd smtp.daum.net +noall +answer
smtp.daum.net.		177	IN	A	31.13.70.9
$ dig +nocmd imap.daum.net +noall +answer
imap.daum.net.		65	IN	A	199.96.59.95

And here is the dig from a remote VPS, which returned the right results.

mx:~$ dig +nocmd smtp.daum.net +noall +answer
smtp.daum.net.		300	IN	CNAME	dmail-skadi-relay-zn9pju8w.kgns1.com.
dmail-skadi-relay-zn9pju8w.kgns1.com. 9	IN A	211.249.250.28

mx:~$ dig +nocmd imap.daum.net +noall +answer
imap.daum.net.		396	IN	A	203.217.227.162
imap.daum.net.		396	IN	A	113.29.187.15
imap.daum.net.		396	IN	A	113.29.187.16
imap.daum.net.		396	IN	A	203.217.227.161

So, I doubt my home DNS was hijacked.

-- 
regards,
Jeff Pang
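To make the home-vs-VPS comparison in the message above repeatable, here is an added example (not code from the thread or from either poster) that parses two `dig +noall +answer` captures, chases the CNAME inside the answer section, and flags a name as divergent when the two vantage points share no A record. The sample inputs are the thread's own dig outputs embedded as constructed text; `HOME`, `VPS`, `parse_answers`, `terminal_a` and `compare_resolvers` are names I chose for this example.

```python
import re
from collections import defaultdict

# Constructed sample input: the two `dig +noall +answer` outputs quoted in the
# thread (home resolver vs. remote VPS), embedded so the check runs offline.
HOME = """\
smtp.daum.net.\t\t177\tIN\tA\t31.13.70.9
imap.daum.net.\t\t65\tIN\tA\t199.96.59.95
"""
VPS = """\
smtp.daum.net.\t\t300\tIN\tCNAME\tdmail-skadi-relay-zn9pju8w.kgns1.com.
dmail-skadi-relay-zn9pju8w.kgns1.com. 9\tIN A\t211.249.250.28
imap.daum.net.\t\t396\tIN\tA\t203.217.227.162
imap.daum.net.\t\t396\tIN\tA\t113.29.187.15
imap.daum.net.\t\t396\tIN\tA\t113.29.187.16
imap.daum.net.\t\t396\tIN\tA\t203.217.227.161
"""

# owner  ttl  IN  type  rdata  (whitespace-separated, as dig prints it)
RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")

def parse_answers(text):
    """Group dig answer lines into {owner: {(rtype, rdata), ...}}."""
    rrsets = defaultdict(set)
    for line in text.splitlines():
        m = RR.match(line.strip())
        if m:
            owner, _ttl, rtype, rdata = m.groups()
            rrsets[owner.lower()].add((rtype, rdata.lower()))
    return rrsets

def terminal_a(rrsets, name, hops=8):
    """Chase CNAMEs within the answer section; return the final A addresses."""
    name = name.lower().rstrip(".") + "."
    for _ in range(hops):
        recs = rrsets.get(name, set())
        cnames = [rd for rt, rd in recs if rt == "CNAME"]
        if not cnames:
            return {rd for rt, rd in recs if rt == "A"}
        name = cnames[0]          # one CNAME per owner is what dig prints here
    return set()                  # loop or over-long chain: treat as no answer

def compare_resolvers(name, views):
    """views: {label: dig_output}. Divergent = vantage points share no A record."""
    seen = {label: terminal_a(parse_answers(out), name) for label, out in views.items()}
    common = set.intersection(*seen.values()) if seen else set()
    return {"name": name, "answers": seen, "divergent": len(common) == 0}

if __name__ == "__main__":
    for qname in ("smtp.daum.net", "imap.daum.net"):
        r = compare_resolvers(qname, {"home": HOME, "vps": VPS})
        print(qname, "DIVERGENT" if r["divergent"] else "consistent", r["answers"])
```

A divergent result only says the two views disagree; deciding whether that is a CDN/geo answer, an operator change or an interfering resolver still needs the whois and reverse-lookup checks Dave describes.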

