Interesting new dns failures

Roger Marquis marquis at roble.com
Mon May 21 02:40:25 UTC 2007


An odd pattern of DNS failures began appearing in the logs yesterday:

May 20 15:05:19 PDT named[345]: wrong ans. name (uzmores.com != ns5.uzmores.com)
May 20 15:05:19 PDT named[345]: wrong ans. name (uzmores.com != ns4.uzmores.com)
May 20 15:05:19 PDT named[345]: wrong ans. name (uzmores.com != ns3.uzmores.com)
May 20 15:05:19 PDT named[345]: wrong ans. name (uzmores.com != ns2.uzmores.com)
May 20 15:05:19 PDT named[345]: wrong ans. name (uzmores.com != ns13.uzmores.com)
...
May 20 11:10:00 PDT named[345]: wrong ans. name (loptran.com != ns8.loptran.com)
May 20 11:10:00 PDT named[345]: wrong ans. name (loptran.com != ns7.loptran.com)
May 20 11:10:00 PDT named[345]: wrong ans. name (loptran.com != ns6.loptran.com)
May 20 11:10:00 PDT named[345]: wrong ans. name (loptran.com != ns4.loptran.com)
May 20 11:10:00 PDT named[345]: wrong ans. name (loptran.com != ns2.loptran.com)
...
May 20 10:12:25 PDT named[345]: wrong ans. name (dsinlet.com != ns7.dsinlet.com)
May 20 10:12:25 PDT named[345]: wrong ans. name (dsinlet.com != ns5.dsinlet.com)
May 20 10:12:25 PDT named[345]: wrong ans. name (dsinlet.com != ns9.dsinlet.com)
May 20 10:12:25 PDT named[345]: wrong ans. name (dsinlet.com != ns12.dsinlet.com)
May 20 10:12:25 PDT named[345]: wrong ans. name (dsinlet.com != ns3.dsinlet.com)
...
  (All multiplied by a factor of 10)

Very odd to see a dozen nameservers for several new and obscure
domains.  Does this look like a rat?

The apparently misconfigured domains are served by a single registrar,
estdomains.com.  (whois -h whois.estdomains.com
..., Registration Service Provided By: N/A, Contact:
+876.784848888).  Certainly smells like a rat.

Most of the individual nameservers do not answer queries, the ones
that do are open to recursion, and all are hosted in cable/dsl/dial-up
address space with correspondingly RFC-illegal reverse zones.  Running
'host -at ns' a few times shows the list of nameservers is rotated
every few seconds, and occasionally returns "server localhost".

Obviously a rat, but the pattern brings up a number of questions.  Are
these spoofed queries and replies?  If not, have any root nameservers
been hacked?  Do the queries exploit known named vulnerabilities?  What
ICANN policy might address this?  Finally, what, if anything, are DNS
admins doing about it?

-- 
Roger Marquis
Roble Systems Consulting
http://www.roble.com/
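The log pattern quoted in the post (many distinct `nsN.<domain>` names coming back for the same queried domain) is easy to pull out of a BIND log automatically. The following Python script is an added example, not part of the original message or of BIND: it parses `wrong ans. name (<queried> != <answered>)` lines, groups the answered names by queried domain, and flags domains whose mismatched answers name an unusually large number of distinct in-zone hosts. The sample input is constructed from the lines quoted above plus a hypothetical benign `example.com` mismatch as a control; the threshold of five distinct names is an arbitrary assumption to tune against your own logs.

```python
"""Flag the 'many rotating nameservers' pattern in BIND 'wrong ans. name' logs.

Added example (not from the original post). It reads named log lines of the
form  wrong ans. name (<queried> != <answered>),  groups the answered names by
queried domain and reports domains for which an unusually large number of
distinct in-zone nameserver names were seen.
"""
import re
from collections import defaultdict

# BIND's message when an answer RR owner name does not match the queried name.
# The syslog prefix is not matched so that different timestamp formats work.
WRONG_ANS_RE = re.compile(
    r"named\[\d+\]: wrong ans\. name \((?P<queried>\S+) != (?P<answered>\S+)\)"
)

# Constructed sample input: the uzmores.com block of the post expanded to
# ns2..ns13, the loptran.com and dsinlet.com lines as quoted, one benign
# mismatch for a hypothetical ordinary domain (example.com) as a control,
# and one unrelated named message that the parser must ignore.
SAMPLE_LINES = [
    f"May 20 15:05:19 PDT named[345]: wrong ans. name (uzmores.com != ns{n}.uzmores.com)"
    for n in range(2, 14)
] + [
    "May 20 11:10:00 PDT named[345]: wrong ans. name (loptran.com != ns8.loptran.com)",
    "May 20 11:10:00 PDT named[345]: wrong ans. name (loptran.com != ns7.loptran.com)",
    "May 20 11:10:00 PDT named[345]: wrong ans. name (loptran.com != ns6.loptran.com)",
    "May 20 11:10:00 PDT named[345]: wrong ans. name (loptran.com != ns4.loptran.com)",
    "May 20 11:10:00 PDT named[345]: wrong ans. name (loptran.com != ns2.loptran.com)",
    "May 20 10:12:25 PDT named[345]: wrong ans. name (dsinlet.com != ns7.dsinlet.com)",
    "May 20 10:12:25 PDT named[345]: wrong ans. name (dsinlet.com != ns5.dsinlet.com)",
    "May 20 10:12:25 PDT named[345]: wrong ans. name (dsinlet.com != ns9.dsinlet.com)",
    "May 20 10:12:25 PDT named[345]: wrong ans. name (dsinlet.com != ns12.dsinlet.com)",
    "May 20 10:12:25 PDT named[345]: wrong ans. name (dsinlet.com != ns3.dsinlet.com)",
    "May 20 10:12:25 PDT named[345]: wrong ans. name (example.com != www.example.com)",
    "May 20 10:12:26 PDT named[345]: lame server resolving 'example.org'",
]


def parse_wrong_answer(line):
    """Return (queried, answered) for a 'wrong ans. name' line, else None.

    Names are lower-cased and stripped of a trailing dot so that case and
    trailing-dot variations do not produce spurious 'distinct' names."""
    m = WRONG_ANS_RE.search(line)
    if not m:
        return None
    queried = m.group("queried").lower().rstrip(".")
    answered = m.group("answered").lower().rstrip(".")
    return queried, answered


def in_bailiwick(queried, answered):
    """True if `answered` is `queried` itself or a name beneath it."""
    return answered == queried or answered.endswith("." + queried)


def collect_answers(lines):
    """Map each queried domain to the set of distinct answer names seen."""
    seen = defaultdict(set)
    for line in lines:
        parsed = parse_wrong_answer(line)
        if parsed:
            queried, answered = parsed
            seen[queried].add(answered)
    return seen


def flag_suspicious(lines, min_distinct=5):
    """Return [(domain, count), ...] for domains whose mismatched answers name
    at least `min_distinct` distinct in-zone hosts, most names first.

    A single www.example.com style mismatch is ordinary misconfiguration;
    a dozen nsN.<domain> names for one obscure domain is the pattern above."""
    counts = {}
    for queried, answers in collect_answers(lines).items():
        in_zone = {a for a in answers if in_bailiwick(queried, a)}
        if len(in_zone) >= min_distinct:
            counts[queried] = len(in_zone)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for domain, n in flag_suspicious(SAMPLE_LINES):
        print(f"{domain}: {n} distinct nameserver names in mismatched answers")
```

In production the script would read the live named log (or a journald export) instead of `SAMPLE_LINES`, and the flagged domains would feed whatever blocking or review process the resolver operator already uses; the grouping-by-queried-domain step is what separates the post's pattern from the everyday one-off `wrong ans. name` caused by a misconfigured zone.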




More information about the NANOG mailing list