Bind 8.2.2-P5 picking up bogus .com NS list
Kevin Darcy
kcd at daimlerchrysler.com
Wed Aug 16 22:43:08 UTC 2000
Some moron configured their nameserver as master for "com", apparently, and you
picked up the bogus NS from an answer from that server. Older versions of
BIND were susceptible to this kind of cache poisoning. What version are you
running? Maybe it's time to upgrade...
- Kevin
Mark Suter wrote:
> Folks,
>
> I am one of the System Administrators at The University of
> Queensland. Yesterday evening, I noticed the following.
>
> ; <<>> DiG 2.2 <<>> @cuscus.cc.uq.edu.au com ns
> ;; res options: init recurs defnam dnsrch
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46126
> ;; flags: qr rd ra; Ques: 1, Ans: 1, Auth: 0, Addit: 1
> ;; QUESTIONS:
> ;; com, type = NS, class = IN
>
> ;; ANSWERS:
> com. 10427 NS myifriendsns1.webpower.com.
>
> ;; ADDITIONAL RECORDS:
> myifriendsns1.webpower.com. 85003 A 204.180.135.105
>
> ;; Total query time: 2 msec
> ;; FROM: cuscus.cc.uq.edu.au to SERVER: cuscus.cc.uq.edu.au 130.102.128.43
> ;; WHEN: Tue Aug 15 22:09:44 2000
> ;; MSG SIZE sent: 21 rcvd: 74
>
> Cuscus is configured to forward via dns0.optus.net.au; however,
> the Optus nameserver didn't have this bogus NS list when I
> checked. None of the four other nameservers at the University,
> similarly configured, has this bogus NS list. A quick check
> of the root nameservers and the *real* .com servers showed no
> problems.
>
> The bogus nameserver, myifriendsns1.webpower.com, is configured
> with a mostly-empty .com zone - I have included a zone transfer
> below. I thought the .com zone was huge ;)
>
> This only caused us problems intermittently, due to our present
> forwarding arrangement. A "ndc restart" corrected the situation.
>
> Has anyone else seen this before or have any ideas why it
> occurred?
>
> How do we prevent this occurring again?
>
> Yours sincerely,
>
> -- Mark John Suter | I know that you believe you understand
> suter at humbug.org.au | what you think I said, but I am not sure
> GPG key id F2FEBB36 | you realise that what you heard is not
> Ph: +61 4 1126 2316 | what I meant. anonymous
>
> ----------------------------- begin -----------------------------
> ; <<>> DiG 2.2 <<>> @myifriendsns1.webpower.com com axfr
> ; (1 server found)
> com. 86400 SOA webpower.com. postmaster.webpower.com. (
> 151 ; serial
> 10800 ; refresh (3 hours)
> 900 ; retry (15 mins)
> 604800 ; expire (7 days)
> 86400 ) ; minimum (1 day)
> com. 86400 NS myifriendsns1.webpower.com.
> com. 86400 A 204.180.135.105
> www.sisseys-sex-fetish.com. 10 A 204.180.135.105
> www.myluckylove.com. 10 A 204.180.135.105
> www.missangel.com. 10 A 204.180.135.105
> www.reyanasrealm.com. 10 A 204.180.135.105
> www.2lilnymphs.com. 10 A 204.180.135.105
> www.barbiwet.com. 10 A 204.180.135.105
> www.brettnichols.com. 10 A 204.180.135.105
> www.mzmahogany.com. 10 A 204.180.135.105
> sexylynn.com. 10 A 204.180.135.105
> www.ahotcoed21.com. 10 A 204.180.135.105
> www.hugetoyz.com. 10 A 204.180.135.105
> http://www.camatuers.com. 10 A 204.180.135.105
> www.girlyluv.com. 10 A 204.180.135.105
> www.sissey-sex-fetish.com. 10 A 204.180.135.105
> www.pleasure-units.com. 10 A 204.180.135.105
> www.hotcanadian.com. 10 A 204.180.135.105
> www.sweet4usxy.com. 10 A 204.180.135.105
> www.hottbabe.com. 10 A 204.180.135.105
> www.dinkydoggy.com. 10 A 204.180.135.105
> http://www.lauramarie.com. 10 A 204.180.135.105
> www.sinfuldesire.com. 10 A 204.180.135.105
> www.lisashothomepage.com. 10 A 204.180.135.105
> www.peytonzplace.com. 10 A 204.180.135.105
> www.teasercam.com. 10 A 204.180.135.105
> www.girlnextdoornude.com. 10 A 204.180.135.105
> www.torilive4uteasercam.com. 10 A 204.180.135.105
> www.mistressofthenight.com. 10 A 204.180.135.105
> www.fredy.com. 10 A 204.180.135.105
> ahotchicks-hardcore-sex.com. 10 A 204.180.135.105
> www.livelyluci.com. 10 A 204.180.135.105
> www.kalliex.com. 10 A 204.180.135.105
> www.debsdesires.com. 10 A 204.180.135.105
> www.iseekamateurs.com. 10 A 204.180.135.105
> www.tiffanyraw2000.com. 10 A 204.180.135.105
> www.buffnet.com. 10 A 204.180.135.105
> www.eva-live.com. 10 A 204.180.135.105
> www.natural38dds.com. 10 A 204.180.135.105
> www.niseyxxx.com. 10 A 204.180.135.105
> candy36ddd.com. 10 A 204.180.135.105
> ohsofine.com. 10 A 204.180.135.105
> www.ohsofine.com. 10 A 204.180.135.105
> tranzgirl.com. 10 A 204.180.135.105
> www.xxxtremefetish.com. 10 A 204.180.135.105
> www.alyxinwonderland.com. 10 A 204.180.135.105
> www.creole69.com. 10 A 204.180.135.105
> prodical.myfriends1.webpower.com. 10 A 204.180.135.105
> myifriendsdsns/.webpower.com. 10 A 204.180.135.105
> www.majorpornsites.com. 10 A 204.180.135.105
> www.latinass69.com. 10 A 204.180.135.105
> www.hothornyhousewife.com. 10 A 204.180.135.105
> www.erosrouge.com. 10 A 204.180.135.105
> yumyum34d.com. 10 A 204.180.135.105
> hypnofiles.com. 10 A 204.180.135.105
> http://sisseys-sex-fetish.com. 10 A 204.180.135.105
> www.maliahart.com. 10 A 204.180.135.105
> www.camholio.com. 10 A 204.180.135.105
> www.georgiachicks.com. 10 A 204.180.135.105
> www.foxymelody.com. 10 A 204.180.135.105
> www.hottiebody.com. 10 A 204.180.135.105
> www.neatspot.com. 10 A 204.180.135.105
> www.xxxjade79.com. 10 A 204.180.135.105
> www.hottani.com. 10 A 204.180.135.105
> www.jensex.com. 10 A 204.180.135.105
> studiocaliente.com. 10 A 204.180.135.105
> www.studiocaliente.com. 10 A 204.180.135.105
> www.sinloverxxx.com. 10 A 204.180.135.105
> www.ladybunny.com. 10 A 204.180.135.105
> www.freeballoonpix.com. 10 A 204.180.135.105
> www.sex24hrsaday.com. 10 A 204.180.135.105
> www.aussiereeta.com. 10 A 204.180.135.105
> www.gingerlixxx.com. 10 A 204.180.135.105
> www.cashmirliv.com. 10 A 204.180.135.105
> www.peytons-place.com. 10 A 204.180.135.105
> www.electricvelvet.com. 10 A 204.180.135.105
> com. 86400 SOA webpower.com. postmaster.webpower.com. (
> 151 ; serial
> 10800 ; refresh (3 hours)
> 900 ; retry (15 mins)
> 604800 ; expire (7 days)
> 86400 ) ; minimum (1 day)
> ;; Received 78 answers (78 records).
> ;; FROM: cuscus.cc.uq.edu.au to SERVER: 204.180.135.105
> ;; WHEN: Tue Aug 15 23:44:02 2000
> ----------------------------- end -----------------------------
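One defence a resolver can apply against the poisoning discussed in this thread is a bailiwick check: records are cached only if their owner name lies inside the zone the answering server was consulted for. The following is an added example, not part of the original posts and not BIND's code; the record values come from the dig output quoted above, and it assumes the resolver reached the bogus server through a delegation for myluckylove.com.

```python
def normalize(name):
    """Lower-case a domain name and return its labels (root zone = [])."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def in_bailiwick(owner, zone):
    """True if owner equals zone or is a subdomain of it (label-wise match)."""
    o, z = normalize(owner), normalize(zone)
    return len(o) >= len(z) and o[len(o) - len(z):] == z


def parse_rr(line):
    """Parse an 'owner ttl type rdata' line as printed by dig."""
    owner, ttl, rtype, rdata = line.split(None, 3)
    return {"owner": owner, "ttl": int(ttl), "type": rtype, "rdata": rdata}


def filter_response(zone, lines):
    """Split records from a server consulted for `zone` into (kept, dropped)."""
    kept, dropped = [], []
    for line in lines:
        rr = parse_rr(line)
        (kept if in_bailiwick(rr["owner"], zone) else dropped).append(rr)
    return kept, dropped


# Constructed response. Assumption: the server was consulted because
# myluckylove.com is delegated to it, so that is the only zone it may speak for.
CONSULTED_ZONE = "myluckylove.com."
RESPONSE = [
    "www.myluckylove.com. 10 A 204.180.135.105",            # requested answer
    "com. 86400 NS myifriendsns1.webpower.com.",            # claims all of com
    "myifriendsns1.webpower.com. 85003 A 204.180.135.105",  # out-of-zone glue
]


def demo():
    """Return (owners safe to cache, owners to discard) for the sample."""
    kept, dropped = filter_response(CONSULTED_ZONE, RESPONSE)
    return [r["owner"] for r in kept], [r["owner"] for r in dropped]


if __name__ == "__main__":
    cache, discard = demo()
    print("cache:  ", cache)
    print("discard:", discard)
```

The comparison is done label by label so that a name such as `notcom.` is not mistaken for a subdomain of `com.`.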