Curious: is this a spoof attempt?

Kevin Darcy kcd at daimlerchrysler.com
Wed May 1 21:22:40 UTC 2002


kriegstanz at yahoo.com wrote:

> Newish to BIND, and while browsing through a tcpdump on my
> newly-running name server, I keep running into the following entries.
> Repeatedly.
>
> xx.xx.200.2.3631 > xx.xx.103.106.domain:  24576 SOA?
> sex-related-site1.com. (37)
> xx.xx.200.2.3631 > xx.xx.103.124.domain:  24576 SOA?
> sex-related-site2.com. (39)
> xx.xx.200.2.3631 > xx.xx.103.112.domain:  24576 SOA?
> sex-related-site3.com. (33)
>
> xx.xx are actually identical, and it's always the same 3 domains.
> xx.xx are identical; I haven't gone to ARIN yet, but possibly this is
> on another machine hosted by the same provider.
>
> I'm very curious here; any suggestions as to what might be going on?
> Some spoof attempt BIND 9.2 rejects categorically?

They probably mistyped xx.xx.203.yy as xx.xx.103.yy in their resolver
configuration, where "yy", equalling 106, 112 and 124, are nameservers
within their /22 block. If you want to play mind games with these guys,
you could set up nameservers on those addresses and redirect their web
access to something suitably inappropriate (like a site dedicated to
helping sex addicts overcome their addiction :-)


- Kevin
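As an added illustration (not part of the original thread), here is a small triage script for the tcpdump lines quoted above: it parses the "src.port > dst.domain: id TYPE? name. (len)" format, groups queries per source address and port, and applies a heuristic of my own (an assumption, not something the reply states) that one source port reusing a single query ID against several of your addresses is consistent with a client walking a fixed, probably mis-typed, list of servers rather than sending independent lookups. The sample lines, addresses and names are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample lines in the same shape as the tcpdump output quoted in
# the post (addresses, port and names are placeholders, not real hosts).
SAMPLE_LINES = """\
10.0.200.2.3631 > 10.0.103.106.domain:  24576 SOA? example-one.test. (37)
10.0.200.2.3631 > 10.0.103.124.domain:  24576 SOA? example-two.test. (39)
10.0.200.2.3631 > 10.0.103.112.domain:  24576 SOA? example-three.test. (33)
10.0.200.2.3631 > 10.0.103.106.domain:  24576 SOA? example-one.test. (37)
10.0.55.9.51234 > 10.0.103.106.domain:  1234+ A? www.example.test. (34)
""".splitlines()

# One tcpdump DNS query line: "src.sport > dst.domain:  id[+] TYPE? name. (len)"
# (the optional "+" is tcpdump's recursion-desired marker).
LINE_RE = re.compile(
    r"^(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.domain:\s+"
    r"(?P<qid>\d+)\+?\s+(?P<qtype>[A-Z]+)\? (?P<qname>\S+) \(\d+\)$"
)

def parse_queries(lines):
    """Return one dict per parsable query line; non-matching lines are skipped."""
    records = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["qid"] = int(rec["qid"])
            records.append(rec)
    return records

def summarize_by_source(records):
    """Per (src, sport): which local addresses were hit, with which IDs and names."""
    summary = defaultdict(lambda: {"dsts": set(), "qids": set(), "qnames": set(), "count": 0})
    for rec in records:
        entry = summary[(rec["src"], rec["sport"])]
        entry["dsts"].add(rec["dst"])
        entry["qids"].add(rec["qid"])
        entry["qnames"].add(rec["qname"])
        entry["count"] += 1
    return dict(summary)

def sources_using_fixed_server_list(summary, min_dsts=2):
    """Heuristic (assumption): one source port, one query ID, several of our
    addresses -> a client retrying a configured server list, not spoofing."""
    return sorted(src for (src, _sport), e in summary.items()
                  if len(e["dsts"]) >= min_dsts and len(e["qids"]) == 1)

if __name__ == "__main__":
    summ = summarize_by_source(parse_queries(SAMPLE_LINES))
    for key, e in summ.items():
        print(key, e["count"], sorted(e["dsts"]), sorted(e["qnames"]))
    print("fixed-list candidates:", sources_using_fixed_server_list(summ))
```

Feed it real tcpdump output with `tcpdump -n -l port 53 | python3 script.py` style piping only after swapping SAMPLE_LINES for sys.stdin; the heuristic is a starting point for triage, not proof of a misconfiguration.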