Bizarre decimal number to in-addr-arpa mapping......
Brett_Frankenberger at NOTES.UP.COM
Wed Jun 2 19:50:16 UTC 1999
>I discovered that people on my network are getting around
>our web filtering by using decimal number URLs.
>Check this out:
>gunk:~$ nslookup 3489040081
>Server: server.tt.net
>Address: 209.98.124.2
>
>Name: teen-space.com
>Address: 207.246.134.209
>
>How the hell does 3489040081 resolve?
>I did a little looking and it seems to map somehow
>to an inaddr-arpa address......
>
>Anybody know what's going on here?
(45) elmo:rbf [/home/rbf] > nslookup
Default Server: fi0.omhq1373.uprr.com
Address: 167.132.68.100
> set deb
> 3489040081
Server: fi0.omhq1373.uprr.com
Address: 167.132.68.100
;; res_mkquery(0, 209.134.246.207.in-addr.arpa, 1, 12)
------------
Got answer:
HEADER:
opcode = QUERY, id = 29564, rcode = NOERROR
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 1, authority records = 4, additional = 4
QUESTIONS:
209.134.246.207.in-addr.arpa, type = PTR, class = IN
ANSWERS:
-> 209.134.246.207.in-addr.arpa
name = teen-space.com
ttl = 3600 (1H)
AUTHORITY RECORDS:
-> 134.246.207.in-addr.arpa
nameserver = ns1.flyingcroc.com
ttl = 3600 (1H)
-> 134.246.207.in-addr.arpa
nameserver = ns2.flyingcroc.com
ttl = 3600 (1H)
-> 134.246.207.in-addr.arpa
nameserver = ns3.flyingcroc.com
ttl = 3600 (1H)
-> 134.246.207.in-addr.arpa
nameserver = ns4.flyingcroc.com
ttl = 3600 (1H)
ADDITIONAL RECORDS:
-> ns1.flyingcroc.com
internet address = 204.157.104.2
ttl = 3600 (1H)
-> ns2.flyingcroc.com
internet address = 204.157.104.3
ttl = 3600 (1H)
-> ns3.flyingcroc.com
internet address = 204.157.104.4
ttl = 3600 (1H)
-> ns4.flyingcroc.com
internet address = 204.157.104.5
ttl = 3600 (1H)
------------
Name: teen-space.com
Address: 207.246.134.209
Looks to me like nslookup is treating 3489040081 as a 32-bit number and
converting it to an IP address (3489040081=0xCFF686D1=207.246.134.209),
then converting that to an in-addr.arpa name (which is what nslookup
normally does when provided with an IP address)
(209.134.246.207.in-addr.arpa) and then asking the DNS to resolve that
name. All the magic is in nslookup -- BIND (or whatever DNS server code is
being used) isn't doing anything special. When the users try this numeric
URL from their browsers, DNS isn't involved -- the local resolver is
translating the number to an IP address and connecting to that address, all
without the help of DNS. I tried this on NT and on Solaris 2.5.1 ... both
handled the number and translated it to 209.134.246.207.
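
Added example, not part of the original post: a filter-side check that reduces a URL's host to the dotted quad before comparing it with a blocklist, so the decimal form from this thread matches the same entry as the dotted address. It goes beyond the decimal case to the hex, octal and short forms accepted by the same inet_aton-style parsing; the function names and the `BLOCKED` set are hypothetical.

```python
import ipaddress
from urllib.parse import urlsplit

BLOCKED = {"207.246.134.209"}  # the address from the thread, as a sample blocklist entry

def _part(tok):
    # C-style base rules: 0x prefix = hex, leading 0 = octal, otherwise decimal.
    if tok[:2].lower() == "0x":
        digits, base = tok[2:], 16
    elif len(tok) > 1 and tok[0] == "0":
        digits, base = tok[1:], 8
    else:
        digits, base = tok, 10
    # Check digits explicitly: int() alone would also accept "+1", " 1" and "1_0".
    if not digits or any(c not in "0123456789abcdef"[:base] for c in digits.lower()):
        raise ValueError(tok)
    return int(digits, base)

def canonical_ipv4(host):
    """Dotted quad that inet_aton-style parsing yields for host, or None if host is a name."""
    parts = host.split(".")
    if len(parts) > 4:
        return None
    try:
        *head, last = [_part(p) for p in parts]
    except ValueError:
        return None
    # Leading parts are one byte each; the last part fills all remaining bytes.
    if any(n > 0xFF for n in head) or last >= 1 << (8 * (4 - len(head))):
        return None
    value = last
    for i, n in enumerate(head):
        value |= n << (8 * (3 - i))
    return str(ipaddress.IPv4Address(value))

def reverse_name(dotted):
    """The in-addr.arpa name nslookup builds for a PTR query."""
    return ipaddress.IPv4Address(dotted).reverse_pointer

def is_blocked(url):
    """Compare the canonical address, not the raw host string, against the blocklist."""
    ip = canonical_ipv4(urlsplit(url).hostname or "")
    return ip in BLOCKED

if __name__ == "__main__":
    for u in ("http://3489040081/", "http://0xCFF686D1/", "http://207.246.34513/"):
        print(u, canonical_ipv4(urlsplit(u).hostname), is_blocked(u))
```
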