DNS: anything goes?
Nonny Moose
nonny at invalid.addy
Mon May 29 05:17:43 UTC 2000

A particularly obnoxious spammer seems to be using, shall we say, "eccentric" DNS records...

The domains in question are:

    i5.to
    legalforces.com
    poplaunch.com
    qwuest.net
    angelfLre.com

Try for instance:

    dig @nsx.ispfreedom.net i5.to axfr

and check the output (nsx.ispfreedom.net is the authoritative server for i5.to). Is this kind of stuff really permitted?

In the same spirit, poplaunch.com and i5.to point to 127.0.0.1:

; <<>> DiG 8.2 <<>> poplaunch.com
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUERY SECTION:
;; poplaunch.com, type = A, class = IN
;; ANSWER SECTION:
poplaunch.com. 1M IN A 127.0.0.1
;; AUTHORITY SECTION:
poplaunch.com. 1M IN NS localhost.
;; ADDITIONAL SECTION:
localhost. 6d11h1m3s IN A 127.0.0.1

Digging at the authoritative server shows this:

; <<>> DiG 8.2 <<>> @nsx.ispfreedom.net poplaunch.com axfr
; (1 server found)
$ORIGIN poplaunch.com.
@ 1M IN SOA localhost. aisa.aisa.com. (
958283795 ; serial
3H ; refresh
1H ; retry
5D ; expiry
1M ) ; minimum
1M IN NS localhost.
1M IN A 127.0.0.1
www.et185.com.|qj4qf6IsjdGs1xXlIgfsk 1M IN CNAME angelfire.lycos.com.
block 1M IN A 209.235.102.9
www 1M IN A 127.0.0.1
@ 1M IN SOA localhost. aisa.aisa.com. (
958283795 ; serial
3H ; refresh
1H ; retry
5D ; expiry
1M ) ; minimum

aisa.com isn't AFAICT related to the spammer -- it's a site in Switzerland.

Interesting case of DNS abuse...

-N
More information about the bind-users
mailing list
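
Added example, not part of the original post: a small Python lint run over the zone-transfer output quoted above, flagging the oddities the post points out (A records and name servers that resolve to the local host, and an owner name with characters outside the usual hostname set). The function name `lint_zone`, the label rule and the simplified one-record-per-line parsing are assumptions made for illustration.

```python
import ipaddress
import re

# Zone transfer output copied from the post above (dig's ";" header lines left out).
ZONE = """\
$ORIGIN poplaunch.com.
@ 1M IN SOA localhost. aisa.aisa.com. (
958283795 ; serial
3H ; refresh
1H ; retry
5D ; expiry
1M ) ; minimum
1M IN NS localhost.
1M IN A 127.0.0.1
www.et185.com.|qj4qf6IsjdGs1xXlIgfsk 1M IN CNAME angelfire.lycos.com.
block 1M IN A 209.235.102.9
www 1M IN A 127.0.0.1
"""

# Assumed label rule: letters, digits, hyphen, underscore; no leading/trailing hyphen.
LABEL = re.compile(r"^[A-Za-z0-9_]([A-Za-z0-9_-]*[A-Za-z0-9_])?$")

def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # malformed address: not this check's concern

def lint_zone(text):
    """Return (owner, rtype, rdata, reason) for each suspicious record."""
    origin, owner, findings = "", None, []
    for raw in text.splitlines():
        tok = raw.split(";", 1)[0].split()  # drop trailing comments
        if len(tok) == 2 and tok[0] == "$ORIGIN":
            origin = tok[1].lstrip(".")
        if "IN" not in tok or tok.index("IN") not in (1, 2):
            continue  # comments, $ORIGIN, SOA continuation lines
        i = tok.index("IN")
        owner = tok[0] if i == 2 else owner  # a line without owner reuses the last one
        if owner is None or len(tok) < i + 3:
            continue
        name = origin if owner == "@" else owner if owner.endswith(".") else f"{owner}.{origin}"
        rtype, rdata = tok[i + 1].upper(), tok[i + 2]
        if not all(LABEL.match(l) for l in name.rstrip(".").split(".")):
            findings.append((name, rtype, rdata, "owner name has non-hostname characters"))
        if rtype == "A" and is_loopback(rdata):
            findings.append((name, rtype, rdata, "address record points at loopback"))
        if rtype in ("NS", "SOA") and rdata.lower().rstrip(".") == "localhost":
            findings.append((name, rtype, rdata, "name server given as localhost"))
    return findings
```

Calling `lint_zone(ZONE)` returns five findings for this zone; only the `block` record passes all three checks.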