Charter DNS servers returning invalid IP addresses
Jason J. Gullickson
mr at jasongullickson.com
Wed Oct 25 19:16:06 UTC 2023
That does help, Greg.
I've heard from a few other folks on the list that the domain is
considered suspicious by a few different providers like this. It's a
turnkey Squarespace gallery/ecommerce site so I'm not sure why it would
be classified as a threat, but perhaps a previous domain holder was
doing something that could have been and these reports are just
outdated?
- Jason
On 2023-10-25 1:41 pm, Greg Dickinson wrote:
> If it helps troubleshooting, when I click the domain in the email
> Mimecast tells me:
>
> "We checked the website you are trying to access for malicious and
> spear-phishing content and found it likely to be unsafe."
>
> Greg Dickinson, CCNA
>
> Network Engineer
>
> From: NANOG <nanog-bounces+greg.dickinson=bryantbank.com at nanog.org> On
> Behalf Of Mark Andrews
> Sent: Wednesday, October 25, 2023 1:27 PM
> To: Jason J. Gullickson <mr at jasongullickson.com>
> Cc: nanog at nanog.org
> Subject: Re: Charter DNS servers returning invalid IP addresses
>
> This Message originates from outside Bryant Bank. Please use caution
> when opening this correspondence, attachments or hyperlinks (URLs). If
> you have questions, please contact IT Support. Thank you.
>
> It's being filtered. Only Charter can tell you why.
>
> --
>
> Mark Andrews
>
>> On 26 Oct 2023, at 05:07, Jason J. Gullickson via NANOG
>> <nanog at nanog.org> wrote:
>
>> I've been working for a week or so to solve a problem with DNS
>> resolution for Charter customers for our domain bonesinjars.com.
>> I've reached out to Charter directly but since I'm not a customer I
>> couldn't get any help from them. I was directed by a friend to this
>> list in hopes that I may be able to reach a Charter/Spectrum
>> engineer who might be able to explain and/or resolve this one.
>>
>> A dig against Google's DNS servers correctly returns 4 A records:
>>
>> dig bonesinjars.com 8.8.8.8
>>
>> ; <<>> DiG 9.18.12-0ubuntu0.22.04.3-Ubuntu <<>> bonesinjars.com 8.8.8.8
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31383
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 65494
>> ;; QUESTION SECTION:
>> ;bonesinjars.com. IN A
>>
>> ;; ANSWER SECTION:
>> bonesinjars.com. 60 IN A 198.49.23.145
>> bonesinjars.com. 60 IN A 198.185.159.145
>> bonesinjars.com. 60 IN A 198.49.23.144
>> bonesinjars.com. 60 IN A 198.185.159.144
>>
>> ;; Query time: 1039 msec
>> ;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
>> ;; WHEN: Mon Oct 23 10:26:32 CDT 2023
>> ;; MSG SIZE rcvd: 108
>>
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26879
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 65494
>> ;; QUESTION SECTION:
>> ;8.8.8.8. IN A
>>
>> ;; Query time: 35 msec
>> ;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
>> ;; WHEN: Mon Oct 23 10:26:32 CDT 2023
>> ;; MSG SIZE rcvd: 36
>>
>> Verizon, AT&T, Comcast and all other DNS servers we tested return the
>> same 4 A records. However the same dig against a Charter DNS
>> (24.196.64.53) returns only 127.0.0.54
>>
>> dig bonesinjars.com 24.196.64.53
>>
>> ; <<>> DiG 9.16.1-Ubuntu <<>> bonesinjars.com 24.196.64.53
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17691
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 65494
>> ;; QUESTION SECTION:
>> ;bonesinjars.com. IN A
>>
>> ;; ANSWER SECTION:
>> bonesinjars.com. 60 IN A 127.0.0.54
>>
>> ;; Query time: 55 msec
>> ;; SERVER: 127.0.0.53#53(127.0.0.53)
>> ;; WHEN: Tue Oct 24 13:28:36 CDT 2023
>> ;; MSG SIZE rcvd: 60
>>
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4658
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 65494
>> ;; QUESTION SECTION:
>> ;24.196.64.53. IN A
>>
>> ;; ANSWER SECTION:
>> 24.196.64.53. 86400 IN A 24.196.64.53
>>
>> ;; Query time: 27 msec
>> ;; SERVER: 127.0.0.53#53(127.0.0.53)
>> ;; WHEN: Tue Oct 24 13:28:36 CDT 2023
>> ;; MSG SIZE rcvd: 57
>>
>> Any help understanding and addressing this is greatly appreciated!
>>
>> Jason
>
> NOTICE: This electronic mail message and any files transmitted with it
> are intended exclusively for the individual or entity to which it is
> addressed. The message, together with any attachment, may contain
> confidential and/or privileged information. Any unauthorized review,
> use, print, save, copy, disclosure or distribution is strictly
> prohibited. If you have received this message in error, please
> immediately advise the sender by reply email and delete copies. Thank
> you.
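
An added example, not part of the original thread: a Python check over dig transcripts like the ones quoted above. It flags answers in loopback or private space, such as the 127.0.0.54 reply, and responses whose SERVER line is not the resolver you meant to test. The function names, finding labels and trimmed sample transcripts are constructed for this example.

```python
import ipaddress
import re

# Constructed samples: trimmed copies of the two transcripts quoted in the thread.
BASELINE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31383
;; QUESTION SECTION:
;bonesinjars.com. IN A
;; ANSWER SECTION:
bonesinjars.com. 60 IN A 198.49.23.145
bonesinjars.com. 60 IN A 198.185.159.145
bonesinjars.com. 60 IN A 198.49.23.144
bonesinjars.com. 60 IN A 198.185.159.144
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
"""
SUSPECT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17691
;; QUESTION SECTION:
;bonesinjars.com. IN A
;; ANSWER SECTION:
bonesinjars.com. 60 IN A 127.0.0.54
;; SERVER: 127.0.0.53#53(127.0.0.53)
"""

def parse_dig(text):
    """Extract status, A-record addresses and the answering server from one response."""
    status = re.search(r"status: (\w+)", text)
    server = re.search(r"^;; SERVER: ([^#\s]+)#", text, re.M)
    answers = re.findall(r"^[^;\s]\S*\s+\d+\s+IN\s+A\s+(\S+)\s*$", text, re.M)
    return {"status": status.group(1) if status else None,
            "server": server.group(1) if server else None,
            "a": answers}

def assess(text, intended_server, baseline_ips):
    """Return findings for one response (hypothetical helper and labels)."""
    resp, findings = parse_dig(text), []
    if resp["server"] != intended_server:
        findings.append("answered-by-other-resolver")
    for ip in resp["a"]:
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_private or addr.is_unspecified:
            findings.append("non-routable-answer: " + ip)
    if resp["a"] and not set(resp["a"]) & set(baseline_ips):
        findings.append("disjoint-from-baseline")
    return findings

if __name__ == "__main__":
    baseline = parse_dig(BASELINE)["a"]
    print(assess(BASELINE, "8.8.8.8", baseline))
    print(assess(SUSPECT, "24.196.64.53", baseline))
```

With dig, the resolver to query is given as @address; a bare address on the command line is looked up as a name, which shows up as a second QUESTION SECTION and a SERVER line that still names the local resolver.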