Bind 8.2.2-P5 picking up bogus .com NS list

Kevin Darcy kcd at daimlerchrysler.com
Wed Aug 16 22:43:08 UTC 2000 

Some moron configured their nameserver as master for "com", apparently, and you
picked up the bogus NS from an answer from that server. Older versions of
BIND were susceptible to this kind of cache poisoning. What version are you
running? Maybe it's time to upgrade...


- Kevin
Mark Suter wrote:

> Folks,
>
> I am one of the System Administrators at The University of
> Queensland.  Yesterday evening, I noticed the following.
>
>     ; <<>> DiG 2.2 <<>> @cuscus.cc.uq.edu.au com ns=20
>     ;; res options: init recurs defnam dnsrch
>     ;; got answer:
>     ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46126
>     ;; flags: qr rd ra; Ques: 1, Ans: 1, Auth: 0, Addit: 1
>     ;; QUESTIONS:
>     ;;      com, type =3D NS, class =3D IN
>
>     ;; ANSWERS:
>     com.    10427   NS      myifriendsns1.webpower.com.
>
>     ;; ADDITIONAL RECORDS:
>     myifriendsns1.webpower.com.     85003   A       204.180.135.105
>
>     ;; Total query time: 2 msec
>     ;; FROM: cuscus.cc.uq.edu.au to SERVER: cuscus.cc.uq.edu.au  130.102.128.43
>     ;; WHEN: Tue Aug 15 22:09:44 2000
>     ;; MSG SIZE  sent: 21  rcvd: 74
>
> Cuscus is configured to forward via dns0.optus.net.au; however,
> the Optus nameserver didn't have this bogus NS list when I
> checked.  None of the four other nameservers at the University,
> similarly configured, has this bogus NS list.  A quick check
> of the root nameservers and the *real* .com servers showed no
> problems.
>
> The bogus nameserver, myifriendsns1.webpower.com, is configured
> with a mostly-empty .com zone - I have included a zone transfer
> below.  I though the .com zone was huge ;)
>
> This only caused us problems intermittently, due to our present
> forwarding arrangement.  A "ndc restart" corrected the situation.
>
> Has anyone else had seen this before or have any ideas why it
> occurred?
>
> How do we prevent this occurring again?
>
> Yours sincerely,
>
> -- Mark John Suter  | I know that you  believe  you understand
> suter at humbug.org.au | what you think I said, but I am not sure
> GPG key id F2FEBB36 | you realise that what you  heard  is not
> Ph: +61 4 1126 2316 | what I meant.                  anonymous
>
> ----------------------------- begin -----------------------------
> ; <<>> DiG 2.2 <<>> @myifriendsns1.webpower.com com axfr=20
> ; (1 server found)
> com.    86400   SOA     webpower.com. postmaster.webpower.com. (
>                         151     ; serial
>                         10800   ; refresh (3 hours)
>                         900     ; retry (15 mins)
>                         604800  ; expire (7 days)
>                         86400 ) ; minimum (1 day)
> com.    86400   NS      myifriendsns1.webpower.com.
> com.    86400   A       204.180.135.105
> www.sisseys-sex-fetish.com.     10      A       204.180.135.105
> www.myluckylove.com.    10      A       204.180.135.105
> www.missangel.com.      10      A       204.180.135.105
> www.reyanasrealm.com.   10      A       204.180.135.105
> www.2lilnymphs.com.     10      A       204.180.135.105
> www.barbiwet.com.       10      A       204.180.135.105
> www.brettnichols.com.   10      A       204.180.135.105
> www.mzmahogany.com.     10      A       204.180.135.105
> sexylynn.com.   10      A       204.180.135.105
> www.ahotcoed21.com.     10      A       204.180.135.105
> www.hugetoyz.com.       10      A       204.180.135.105
> http://www.camatuers.com.       10      A       204.180.135.105
> www.girlyluv.com.       10      A       204.180.135.105
> www.sissey-sex-fetish.com.      10      A       204.180.135.105
> www.pleasure-units.com. 10      A       204.180.135.105
> www.hotcanadian.com.    10      A       204.180.135.105
> www.sweet4usxy.com.     10      A       204.180.135.105
> www.hottbabe.com.       10      A       204.180.135.105
> www.dinkydoggy.com.     10      A       204.180.135.105
> http://www.lauramarie.com.      10      A       204.180.135.105
> www.sinfuldesire.com.   10      A       204.180.135.105
> www.lisashothomepage.com.       10      A       204.180.135.105
> www.peytonzplace.com.   10      A       204.180.135.105
> www.teasercam.com.      10      A       204.180.135.105
> www.girlnextdoornude.com.       10      A       204.180.135.105
> www.torilive4uteasercam.com.    10      A       204.180.135.105
> www.mistressofthenight.com.     10      A       204.180.135.105
> www.fredy.com.  10      A       204.180.135.105
> ahotchicks-hardcore-sex.com.    10      A       204.180.135.105
> www.livelyluci.com.     10      A       204.180.135.105
> www.kalliex.com.        10      A       204.180.135.105
> www.debsdesires.com.    10      A       204.180.135.105
> www.iseekamateurs.com.  10      A       204.180.135.105
> www.tiffanyraw2000.com. 10      A       204.180.135.105
> www.buffnet.com.        10      A       204.180.135.105
> www.eva-live.com.       10      A       204.180.135.105
> www.natural38dds.com.   10      A       204.180.135.105
> www.niseyxxx.com.       10      A       204.180.135.105
> candy36ddd.com. 10      A       204.180.135.105
> ohsofine.com.   10      A       204.180.135.105
> www.ohsofine.com.       10      A       204.180.135.105
> tranzgirl.com.  10      A       204.180.135.105
> www.xxxtremefetish.com. 10      A       204.180.135.105
> www.alyxinwonderland.com.       10      A       204.180.135.105
> www.creole69.com.       10      A       204.180.135.105
> prodical.myfriends1.webpower.com.       10      A       204.180.135.105
> myifriendsdsns/.webpower.com.   10      A       204.180.135.105
> www.majorpornsites.com. 10      A       204.180.135.105
> www.latinass69.com.     10      A       204.180.135.105
> www.hothornyhousewife.com.      10      A       204.180.135.105
> www.erosrouge.com.      10      A       204.180.135.105
> yumyum34d.com.  10      A       204.180.135.105
> hypnofiles.com. 10      A       204.180.135.105
> http://sisseys-sex-fetish.com.  10      A       204.180.135.105
> www.maliahart.com.      10      A       204.180.135.105
> www.camholio.com.       10      A       204.180.135.105
> www.georgiachicks.com.  10      A       204.180.135.105
> www.foxymelody.com.     10      A       204.180.135.105
> www.hottiebody.com.     10      A       204.180.135.105
> www.neatspot.com.       10      A       204.180.135.105
> www.xxxjade79.com.      10      A       204.180.135.105
> www.hottani.com.        10      A       204.180.135.105
> www.jensex.com. 10      A       204.180.135.105
> studiocaliente.com.     10      A       204.180.135.105
> www.studiocaliente.com. 10      A       204.180.135.105
> www.sinloverxxx.com.    10      A       204.180.135.105
> www.ladybunny.com.      10      A       204.180.135.105
> www.freeballoonpix.com. 10      A       204.180.135.105
> www.sex24hrsaday.com.   10      A       204.180.135.105
> www.aussiereeta.com.    10      A       204.180.135.105
> www.gingerlixxx.com.    10      A       204.180.135.105
> www.cashmirliv.com.     10      A       204.180.135.105
> www.peytons-place.com.  10      A       204.180.135.105
> www.electricvelvet.com. 10      A       204.180.135.105
> com.    86400   SOA     webpower.com. postmaster.webpower.com. (
>                         151     ; serial
>                         10800   ; refresh (3 hours)
>                         900     ; retry (15 mins)
>                         604800  ; expire (7 days)
>                         86400 ) ; minimum (1 day)
> ;; Received 78 answers (78 records).
> ;; FROM: cuscus.cc.uq.edu.au to SERVER: 204.180.135.105
> ;; WHEN: Tue Aug 15 23:44:02 2000
> -----------------------------  end  -----------------------------
>
> -- Attached file included as plaintext by Listar --
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.2 (GNU/Linux)
> Comment: Public key available from Keyservers or http://www.uq.edu.au/~suter/
>
> iD8DBQE5mgf37EsZXfL+uzYRAsdoAKCZjiR3ZfthZm8K5zp/4ly6+gEvfACeLgsl
> 1HJ74Cl7bAG6w+RHlPnHkd4=
> =gH6P
> -----END PGP SIGNATURE-----

More information about the bind-users mailing list