DNS is tainted

Torinthiel torinthiel at data.pl
Wed Jun 8 05:40:06 UTC 2011


On 06/08/11 05:09, Jeff Peng wrote:
> Hello,
> 
> From the dig info below:
> 
> C:\dig>dig +nocmd www.nsbeta.info +noall +answer @ns1.google.com
> www.nsbeta.info.        3497    IN      CNAME   nsbeta.info.
> nsbeta.info.            2434    IN      A       74.117.232.204
> 
> C:\dig>dig +nocmd www.nsbeta.info +noall +answer @ns1.google.com
> www.nsbeta.info.        3492    IN      CNAME   nsbeta.info.
> nsbeta.info.            2429    IN      A       74.117.232.204
> 
> C:\dig>dig +nocmd www.nsbeta.info +noall +answer @ns1.google.com
> www.nsbeta.info.        3486    IN      CNAME   nsbeta.info.
> nsbeta.info.            2423    IN      A       74.117.232.204
> 
> 
> I think my office network's DNS is tainted, because:

What do you mean by 'your office DNS' if you're not asking anything in
your office? It looks rather like either someone in your office or your
ISP is intercepting DNS traffic and answering questions directly.
Probably dig without a server would result in answers fitting the same
decreasing TTL.
This is bad, but I don't think you can do much to avoid it, except
complaining or creating some VPN tunnel. It's not, however, too bad,
unless you're either using TSIG and have locally configured keys, or
trying to debug some specific DNS problem. Answers go out and are
returned, that's most of what's expected from DNS.
Torinthiel


> 
> 1) ns1.google.com is an authoritative nameserver only, which shouldn't answer this query.
> 2) the TTL is decreased each time; if it's a real authority answer, the TTL should be all the same.
> 
> And this is the full output of dig:
> 
> C:\dig>dig  www.nsbeta.info  @ns1.google.com
> 
> ; <<>> DiG 9.3.2 <<>> www.nsbeta.info @ns1.google.com
> ; (1 server found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1183
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;www.nsbeta.info.               IN      A
> 
> ;; ANSWER SECTION:
> www.nsbeta.info.        3111    IN      CNAME   nsbeta.info.
> nsbeta.info.            2048    IN      A       74.117.232.204
> 
> ;; Query time: 15 msec
> ;; SERVER: 216.239.32.10#53(216.239.32.10)
> ;; WHEN: Wed Jun 08 11:09:09 2011
> ;; MSG SIZE  rcvd: 74
> 
> 
> How to deal with this case? Thanks.
> 
> Regards.
> 
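
Added example, not part of the original message or of BIND: a small Python check that applies the two observations in the quoted post (no `aa` flag with `ra` set, and a TTL that changes between runs) to dig output for a server expected to be authoritative-only. The function names and the sign labels are assumptions made for illustration; the `POSTED` sample reuses lines from the post and `CONTROL` is constructed.

```python
import re

RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+\S+$")   # name TTL IN type rdata
FLAGS_RE = re.compile(r"^;; flags:([^;]*);")                # header flags line

def parse_dig(text):
    """Return (flags or None, {(name, type): ttl}) for one dig output."""
    flags, ttls = None, {}
    for line in map(str.strip, text.splitlines()):
        m = FLAGS_RE.match(line)
        if m:
            flags = set(m.group(1).split())
        elif not line.startswith(";"):
            m = RR_RE.match(line)
            if m:
                ttls[(m.group(1), m.group(3))] = int(m.group(2))
    return flags, ttls

def interception_signs(runs):
    """runs: dig outputs for one query sent to a server expected to be authoritative-only."""
    signs, seen = set(), {}
    for flags, ttls in map(parse_dig, runs):
        if flags is not None and "aa" not in flags:
            signs.add("no-aa-flag")        # authoritative answers carry aa
        if flags is not None and "ra" in flags:
            signs.add("ra-flag-set")       # a recursive resolver answered
        for key, ttl in ttls.items():
            seen.setdefault(key, []).append(ttl)
    if any(len(set(v)) > 1 for v in seen.values()):
        signs.add("ttl-varies")            # a changing TTL points to a cache
    return sorted(signs)

# Answer lines and header flags copied from the post above.
POSTED = [
    "www.nsbeta.info. 3497 IN CNAME nsbeta.info.\nnsbeta.info. 2434 IN A 74.117.232.204",
    "www.nsbeta.info. 3492 IN CNAME nsbeta.info.\nnsbeta.info. 2429 IN A 74.117.232.204",
    ";; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0\n"
    "www.nsbeta.info. 3111 IN CNAME nsbeta.info.\nnsbeta.info. 2048 IN A 74.117.232.204",
]
# Constructed control: what a direct authoritative answer would look like.
CONTROL = [";; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0\n"
           "example.test. 3600 IN A 192.0.2.10"] * 2

if __name__ == "__main__":
    print(interception_signs(POSTED))
    print(interception_signs(CONTROL))
```

The flag checks only fire when dig prints the header, so runs made with `+noall +answer` contribute TTL evidence only.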

