Bizarre decimal number to in-addr-arpa mapping......

Brett_Frankenberger at NOTES.UP.COM
Wed Jun 2 19:50:16 UTC 1999



>I discovered that people on my network are getting around
>our web filtering by using decimal number URLs.
>Check this out:
>gunk:~$ nslookup 3489040081
>Server:  server.tt.net
>Address:  209.98.124.2
>
>Name:    teen-space.com
>Address:  207.246.134.209
>
>How the hell does 3489040081 resolve?
>I did a little looking and it seems to map somehow
>to an inaddr-arpa address......
>
>Anybody know what's going on here?

(45) elmo:rbf [/home/rbf] > nslookup
Default Server:  fi0.omhq1373.uprr.com
Address:  167.132.68.100

> set deb
> 3489040081
Server:  fi0.omhq1373.uprr.com
Address:  167.132.68.100

;; res_mkquery(0, 209.134.246.207.in-addr.arpa, 1, 12)
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 29564, rcode = NOERROR
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 4,  additional = 4

    QUESTIONS:
        209.134.246.207.in-addr.arpa, type = PTR, class = IN
    ANSWERS:
    ->  209.134.246.207.in-addr.arpa
        name = teen-space.com
        ttl = 3600 (1H)
    AUTHORITY RECORDS:
    ->  134.246.207.in-addr.arpa
        nameserver = ns1.flyingcroc.com
        ttl = 3600 (1H)
    ->  134.246.207.in-addr.arpa
        nameserver = ns2.flyingcroc.com
        ttl = 3600 (1H)
    ->  134.246.207.in-addr.arpa
        nameserver = ns3.flyingcroc.com
        ttl = 3600 (1H)
    ->  134.246.207.in-addr.arpa
        nameserver = ns4.flyingcroc.com
        ttl = 3600 (1H)
    ADDITIONAL RECORDS:
    ->  ns1.flyingcroc.com
        internet address = 204.157.104.2
        ttl = 3600 (1H)
    ->  ns2.flyingcroc.com
        internet address = 204.157.104.3
        ttl = 3600 (1H)
    ->  ns3.flyingcroc.com
        internet address = 204.157.104.4
        ttl = 3600 (1H)
    ->  ns4.flyingcroc.com
        internet address = 204.157.104.5
        ttl = 3600 (1H)

------------
Name:    teen-space.com
Address:  207.246.134.209

Looks to me like nslookup is treating 3489040081 as a 32-bit number and
converting it to an IP address (3489040081=0xCFF686D1=207.246.134.209),
then converting that to an in-addr.arpa name (which is what nslookup
normally does when provided with an IP address)
(209.134.246.207.in-addr.arpa) and then asking the DNS to resolve that
name.  All the magic is in nslookup -- BIND (or whatever DNS server code is
being used) isn't doing anything special.  When the users try this numeric
URL from their browsers, DNS isn't involved -- the local resolver is
translating the number to an IP address and connecting to that address, all
without the help of DNS.  I tried this on NT and on Solaris 2.5.1 ... both
handled the number and translated it to 209.134.246.207.
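
Added example, not part of the original post: a filter that matches on the literal host string misses these numeric forms, so the sketch below canonicalises a URL host the way a classic inet_aton-style resolver does before checking it against a blocklist. It generalises beyond the single decimal form in the thread to hex, octal and short dotted forms; the function names and the one-entry blocklist (built from the address in the post) are assumptions made for illustration.

```python
import ipaddress
import re

# One inet_aton-style component: hex (0x..), octal (leading 0) or decimal.
_PART = re.compile(r"0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*", re.ASCII)

def parse_numeric_host(host):
    """Return the IPv4Address a classic resolver would connect to, or None
    when `host` is not purely numeric (i.e. it is an ordinary hostname)."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for part in parts:
        if not _PART.fullmatch(part):
            return None
        if part[:2].lower() == "0x":
            values.append(int(part, 16))
        elif part[0] == "0":
            values.append(int(part, 8))
        else:
            values.append(int(part))
    *head, last = values
    # Leading components are one byte each; the last fills the remaining bytes.
    if any(v > 0xFF for v in head) or last >= 1 << (8 * (4 - len(head))):
        return None
    addr = last
    for i, v in enumerate(head):
        addr |= v << (8 * (3 - i))
    return ipaddress.IPv4Address(addr)

def reverse_name(host):
    """in-addr.arpa name that nslookup queries for a numeric host, else None."""
    ip = parse_numeric_host(host)
    return ip.reverse_pointer if ip else None

# Constructed blocklist holding the address from the post.
BLOCKED_IPS = {ipaddress.IPv4Address("207.246.134.209")}

def is_blocked(host, blocked=BLOCKED_IPS):
    """Filter decision made on the canonical address, not the literal string."""
    ip = parse_numeric_host(host)
    return ip is not None and ip in blocked

if __name__ == "__main__":
    for h in ("3489040081", "0xCFF686D1", "0317.0366.0206.0321",
              "207.246.34513", "207.246.134.209", "example.com"):
        print(f"{h:22} -> {parse_numeric_host(h)}  blocked={is_blocked(h)}")
```

Hostnames return None here and still need the filter's normal name-based rules; this only closes the gap where the host is an address in disguise.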




