What's going on here? Lots of PTR records for one address

Kenneth Porter shiva at well.com
Thu Mar 22 01:49:05 UTC 2001


On Wed, 21 Mar 2001 12:19:40 +0100 (CET), Roy Arends wrote:

>Poisoned is a big word. No, they're not poisoned, spoofed or hacked as far as
>I know.

Didn't mean to cause a panic. :-) Just thought the multiple PTR records
might be symptomatic of someone gaining unauthorized access and
polluting the zone. I'm already aware that multiple PTRs are valid but
not generally recognized by apps, and thus rarely used.

>They have a strange setup though. Parent lists 3 servers as
>authoritative for their child zone.
>
>consultnetinc.com.
>ns2.cl.bellsouth.net.
>ns3.cl.bellsouth.net.
>
>Only the first answers authoritatively. The other 2 probably act as slaves.
>The master specified in the SOA points to an NS record. This NS record
>must mention a server that is authoritative for the zone, but the one
>specified (localhost.77.76.216.in-addr.arpa.) does not have an A record,
>nor does it match one of the servers in the parent's delegation.

Yes, this NS record was what I was referring to as "bogus". As part of
my research I also checked versions on the 3 name servers and found one
running a vulnerable one, which is why I thought maybe it had been
breached.

On Wed, 21 Mar 2001 10:51:08 -0500, Nick Simicich wrote:

>If you want your answer on the list by the way, set reply-to to the list if
>the list does not do it.

Sorry, I've got a somewhat bone-headed mail client that doesn't let me
change identities per-message. Probably a misguided attempt to protect
the Greater Net from Yet Another Spammer. Adding dynamic identities is
on the to-do list for the developer.

On Wed, 21 Mar 2001 14:35:52 -0500, Kevin Darcy wrote:

>This is probably symptomatic of a simple-minded DNS maintenance system

Aha! That makes a lot of sense.

>Why do you say that the NS record is bogus? To which NS record are you referring?

See above. It's the localhost.77.76.216.in-addr.arpa I was referring
to.

BTW, the main thing that got me started on this was that I got 3 probes
yesterday to my sshd port from this address, claiming no identd
response, so I went reversing the address to see who was probing me and
found this name server mess. I let Bell South know about my findings.

Ken
mailto:shiva at well.com
http://www.sewingwitch.com/ken/
[If answering a mailing list posting, please don't cc me your reply. I'll take my answer on the list.]
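Added example, not part of Ken's post or of BIND: a small Python script that performs the checks discussed in this thread (does the SOA MNAME appear in the parent's NS set and have an A record, do the delegated servers answer authoritatively, and which of several PTR targets for an address actually map back to it). It answers every lookup from an inline table of constructed records using RFC 5737 documentation addresses and example.com/example.net names, so it runs offline; none of the data is a captured answer from the servers named above, and the ZoneView field names are this example's own.

```python
"""Offline sanity checks for a reverse zone's delegation, SOA and PTR data,
modelled on the checks discussed in the bind-users thread above.  All records
below are constructed for illustration (RFC 5737 documentation addresses);
they are not captured answers from the servers named in the thread."""

from dataclasses import dataclass, field


@dataclass
class ZoneView:
    """What an outside querier could observe about a zone (example's own type)."""
    zone: str
    parent_ns: set            # NS names the parent delegates the zone to
    soa_mname: str            # MNAME field of the child's SOA record
    address_records: dict     # owner name -> list of IPv4 addresses (A records)
    aa_by_server: dict        # NS name -> did it set the AA bit for <zone> SOA?
    ptr_records: dict = field(default_factory=dict)  # reverse name -> [targets]


def check_delegation(view: ZoneView) -> list:
    """Return human-readable findings; an empty list means the delegation is sane."""
    findings = []
    mname = view.soa_mname
    # The SOA master should be one of the servers the parent delegates to ...
    if mname not in view.parent_ns:
        findings.append(f"SOA MNAME {mname} is not among the parent's NS set")
    # ... and it must resolve, or slaves cannot reach it for NOTIFY / AXFR.
    if not view.address_records.get(mname):
        findings.append(f"SOA MNAME {mname} has no A record")
    for ns in sorted(view.parent_ns):
        if not view.address_records.get(ns):
            findings.append(f"delegated NS {ns} has no A record")
        # A delegated server that answers without AA is a lame delegation.
        if not view.aa_by_server.get(ns, False):
            findings.append(f"delegated NS {ns} does not answer authoritatively (lame)")
    return findings


def reverse_name(ip: str) -> str:
    """Build the in-addr.arpa owner name: 192.0.2.10 -> 10.2.0.192.in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def forward_confirmed_ptrs(view: ZoneView, ip: str) -> dict:
    """For every PTR target of `ip`, report whether its A record maps back to `ip`.
    Applications that only read the first PTR miss the others, so check them all."""
    targets = view.ptr_records.get(reverse_name(ip), [])
    return {t: ip in view.address_records.get(t, []) for t in targets}


# Constructed zone mirroring the pattern in the thread: three delegated servers,
# only one of them authoritative, and an SOA MNAME of the form localhost.<zone>.
EXAMPLE = ZoneView(
    zone="2.0.192.in-addr.arpa.",
    parent_ns={"ns1.example.com.", "ns2.example.net.", "ns3.example.net."},
    soa_mname="localhost.2.0.192.in-addr.arpa.",
    address_records={
        "ns1.example.com.": ["192.0.2.1"],
        "ns2.example.net.": ["198.51.100.2"],
        "ns3.example.net.": ["198.51.100.3"],
        "mail.example.com.": ["192.0.2.10"],
        "www.example.com.": ["203.0.113.10"],   # PTR points here, but it maps elsewhere
    },
    aa_by_server={
        "ns1.example.com.": True,
        "ns2.example.net.": False,
        "ns3.example.net.": False,
    },
    ptr_records={
        # Several PTRs for one address, as in the thread's subject line.
        "10.2.0.192.in-addr.arpa.": [
            "mail.example.com.",
            "www.example.com.",
            "host10.example.com.",   # no A record at all
        ],
    },
)


if __name__ == "__main__":
    for line in check_delegation(EXAMPLE):
        print("finding:", line)
    for name, ok in forward_confirmed_ptrs(EXAMPLE, "192.0.2.10").items():
        print(f"PTR {name}: {'forward-confirmed' if ok else 'NOT confirmed'}")
```

Against the constructed zone this reports four findings (MNAME outside the NS set, MNAME without an A record, and two lame delegated servers) and shows that only one of the three PTR targets is forward-confirmed, which is the check worth running before trusting a reverse lookup on a probing address.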

More information about the bind-users mailing list