expedia.msn.com does not resolve

Brad Knowles brad.knowles at skynet.be
Wed Aug 15 23:44:51 UTC 2001


At 12:58 AM +0200 8/16/01, Brad Knowles wrote:

>  	The thing I find so amusing is that Microsoft apparently blocks
>  TCP port 53 queries to at least some of their nameservers (if not all
>  of them).

	Interesting:

% dig @a.gtld-servers.net. microsoft.com. ns

; <<>> DiG 9.1.2 <<>> @a.gtld-servers.net. microsoft.com. ns
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48554
;; flags: qr rd; QUERY: 1, ANSWER: 12, AUTHORITY: 0, ADDITIONAL: 12

;; QUESTION SECTION:
;microsoft.com.                 IN      NS

;; ANSWER SECTION:
microsoft.com.          172800  IN      NS      DNS2.DC.MSFT.NET.
microsoft.com.          172800  IN      NS      DNS1.SJ.MSFT.NET.
microsoft.com.          172800  IN      NS      DNS2.SJ.MSFT.NET.
microsoft.com.          172800  IN      NS      DNS2.CP.MSFT.NET.
microsoft.com.          172800  IN      NS      DNS1.CP.MSFT.NET.
microsoft.com.          172800  IN      NS      DNS1.TK.MSFT.NET.
microsoft.com.          172800  IN      NS      DNS2.TK.MSFT.NET.
microsoft.com.          172800  IN      NS      DNS3.UK.MSFT.NET.
microsoft.com.          172800  IN      NS      DNS4.UK.MSFT.NET.
microsoft.com.          172800  IN      NS      DNS3.JP.MSFT.NET.
microsoft.com.          172800  IN      NS      DNS4.JP.MSFT.NET.
microsoft.com.          172800  IN      NS      DNS1.DC.MSFT.NET.

;; ADDITIONAL SECTION:
DNS2.DC.MSFT.NET.       172800  IN      A       207.68.128.152
DNS1.SJ.MSFT.NET.       172800  IN      A       207.46.97.11
DNS2.SJ.MSFT.NET.       172800  IN      A       207.46.97.12
DNS2.CP.MSFT.NET.       172800  IN      A       207.46.138.21
DNS1.CP.MSFT.NET.       172800  IN      A       207.46.138.20
DNS1.TK.MSFT.NET.       172800  IN      A       207.46.232.37
DNS2.TK.MSFT.NET.       172800  IN      A       207.46.232.38
DNS3.UK.MSFT.NET.       172800  IN      A       213.199.144.151
DNS4.UK.MSFT.NET.       172800  IN      A       213.199.144.152
DNS3.JP.MSFT.NET.       172800  IN      A       207.46.72.123
DNS4.JP.MSFT.NET.       172800  IN      A       207.46.72.124
DNS1.DC.MSFT.NET.       172800  IN      A       207.68.128.151

;; Query time: 8 msec
;; SERVER: 192.5.6.30#53(a.gtld-servers.net.)
;; WHEN: Wed Aug 15 19:30:23 2001
;; MSG SIZE  rcvd: 477

% nmap -sT -F -P0 DNS2.tk.msft.net.
The TCP connect scan took 469 seconds to scan 1062 ports.
Interesting ports on dns2.tk.msft.net (207.46.232.38):
(The 1055 ports scanned but not shown below are in state: closed)
Port       State       Service
53/tcp     open        domain
111/tcp    open        sunrpc
135/tcp    open        loc-srv
139/tcp    open        netbios-ssn
445/tcp    open        microsoft-ds
1025/tcp   open        listen
1031/tcp   open        iad2

Final times for host: srtt: 77582 rttvar: 393  to: 300000
Nmap run completed -- 1 IP address (1 host up) scanned in 470 seconds

% nmap -sT -F -P0 DNS1.tk.msft.net.
The TCP connect scan took 480 seconds to scan 1062 ports.
Interesting ports on dns1.tk.msft.net (207.46.232.37):
(The 1055 ports scanned but not shown below are in state: closed)
Port       State       Service
53/tcp     open        domain
111/tcp    open        sunrpc
135/tcp    open        loc-srv
139/tcp    open        netbios-ssn
445/tcp    open        microsoft-ds
1025/tcp   open        listen
1031/tcp   open        iad2

Final times for host: srtt: 77210 rttvar: 348  to: 300000
Nmap run completed -- 1 IP address (1 host up) scanned in 480 seconds


	Nevertheless, DNS queries using TCP never seem to go through to 
even these two machines.

	If these are machines running a MickeySoft OS, it seems to me 
that the fact they have ports 135 & 139 open means that they are ripe 
to be easily "0wn3d" by some NetBIOS-hacking "sKr1pt K1dd13".


	However, they appear to have "protected" themselves against Code 
Red (and Code Red II) on the other machines by denying all TCP 
traffic of any sort:

% nmap -sT -F -P0 DNS1.CP.MSFT.NET.
The TCP connect scan took 1311 seconds to scan 1062 ports.
All 1062 scanned ports on dns1.cp.msft.net (207.46.138.20) are: filtered
Final times for host: srtt: -1 rttvar: -1  to: 6000000
Nmap run completed -- 1 IP address (1 host up) scanned in 1311 seconds

% nmap -sT -F -P0 DNS2.CP.MSFT.NET.
The TCP connect scan took 1333 seconds to scan 1062 ports.
All 1062 scanned ports on dns2.cp.msft.net (207.46.138.21) are: filtered
Final times for host: srtt: -1 rttvar: -1  to: 6000000
Nmap run completed -- 1 IP address (1 host up) scanned in 1333 seconds

% nmap -sT -F -P0 DNS1.dc.msft.net.
The TCP connect scan took 1323 seconds to scan 1062 ports.
All 1062 scanned ports on dns1.dc.msft.net (207.68.128.151) are: filtered
Final times for host: srtt: -1 rttvar: -1  to: 6000000
Nmap run completed -- 1 IP address (1 host up) scanned in 1323 seconds

% nmap -sT -F -P0 DNS2.dc.msft.net.
The TCP connect scan took 1293 seconds to scan 1062 ports.
All 1062 scanned ports on dns2.dc.msft.net (207.68.128.152) are: filtered
Final times for host: srtt: -1 rttvar: -1  to: 6000000
Nmap run completed -- 1 IP address (1 host up) scanned in 1293 seconds

% nmap -sT -F -P0 DNS1.jp.msft.net.
The TCP connect scan took 1255 seconds to scan 1062 ports.
All 1062 scanned ports on dns1.jp.msft.net (207.46.72.121) are: filtered
Final times for host: srtt: -1 rttvar: -1  to: 6000000
Nmap run completed -- 1 IP address (1 host up) scanned in 1256 seconds

% nmap -sT -F -P0 DNS2.jp.msft.net.
The TCP connect scan took 1337 seconds to scan 1062 ports.
All 1062 scanned ports on dns2.jp.msft.net (207.46.72.122) are: filtered
Final times for host: srtt: -1 rttvar: -1  to: 6000000
Nmap run completed -- 1 IP address (1 host up) scanned in 1337 seconds

% nmap -sT -F -P0 DNS3.uk.msft.net.
The TCP connect scan took 1319 seconds to scan 1062 ports.
All 1062 scanned ports on dns3.uk.msft.net (213.199.144.151) are: filtered
Final times for host: srtt: -1 rttvar: -1  to: 6000000
Nmap run completed -- 1 IP address (1 host up) scanned in 1319 seconds

% nmap -sT -F -P0 DNS4.uk.msft.net.
The TCP connect scan took 1328 seconds to scan 1062 ports.
All 1062 scanned ports on dns4.uk.msft.net (213.199.144.152) are: filtered
Final times for host: srtt: -1 rttvar: -1  to: 6000000
Nmap run completed -- 1 IP address (1 host up) scanned in 1328 seconds


	But these two are kind of interesting:

% nmap -sT -F -P0 DNS1.sj.msft.net.
The TCP connect scan took 551 seconds to scan 1062 ports.
Interesting ports on dns1.sj.msft.net (207.46.97.11):
(The 1060 ports scanned but not shown below are in state: filtered)
Port       State       Service
80/tcp     closed      http
443/tcp    closed      https

Final times for host: srtt: 72507 rttvar: 54717  to: 300000
Nmap run completed -- 1 IP address (1 host up) scanned in 551 seconds

% nmap -sT -F -P0 DNS2.sj.msft.net.
The TCP connect scan took 573 seconds to scan 1062 ports.
Interesting ports on dns2.sj.msft.net (207.46.97.12):
(The 1060 ports scanned but not shown below are in state: filtered)
Port       State       Service
80/tcp     closed      http
443/tcp    closed      https

Final times for host: srtt: 71821 rttvar: 54066  to: 300000
Nmap run completed -- 1 IP address (1 host up) scanned in 573 seconds

-- 
Brad Knowles, <brad.knowles at skynet.be>
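
The case described in this message (a TCP connect to port 53 succeeds, yet DNS queries over TCP never get an answer) can be told apart from a filtered or closed port by probing a nameserver you operate in two separate steps. This is an added example, not part of the original post; the function names are hypothetical and only the Python standard library is used.

```python
import socket
import struct

def build_query(name, qtype=2, qid=0x1234):
    """Minimal RFC 1035 query: one question, class IN, qtype 2 = NS."""
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def frame_tcp(msg):
    """DNS over TCP prefixes each message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise EOFError("peer closed before a full message arrived")
        buf += chunk
    return buf

def exchange(sock, name, qid=0x1234):
    """Send one framed query on a connected socket and classify the outcome."""
    try:
        sock.sendall(frame_tcp(build_query(name, qid=qid)))
        (length,) = struct.unpack("!H", _recv_exact(sock, 2))
        reply = _recv_exact(sock, length)
    except (EOFError, OSError):      # timeout, reset, or silent close
        return "open-no-dns"
    if len(reply) < 12:              # shorter than a DNS header
        return "malformed"
    rid, flags, _qd, ancount = struct.unpack("!HHHH", reply[:8])
    if rid != qid or not flags & 0x8000:   # wrong ID or QR bit clear
        return "malformed"
    return f"answered rcode={flags & 0xF} ancount={ancount}"

def check_tcp53(server, name, port=53, timeout=5.0):
    """Connect first, then query, so the two failure modes stay distinct."""
    try:
        sock = socket.create_connection((server, port), timeout=timeout)
    except ConnectionRefusedError:
        return "closed"
    except OSError:                  # includes connect timeouts
        return "filtered"
    with sock:
        return exchange(sock, name)
```

A result of "open-no-dns" from `check_tcp53` corresponds to what the message reports: the port accepts connections but no DNS reply comes back over TCP.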
