odd behavior in bind-8.2.2_P3 (fwd) - "illegitimate COM server"

Ted_Rule at flextech.co.uk Ted_Rule at flextech.co.uk
Tue Sep 5 14:00:27 UTC 2000




Here's my best guess so far....

The host at myifriends does indeed seem to be putting out invalid com records...
It appears to think it is authoritative for com itself. !!! Also for net. and
heaven knows what else.

The AXFR listing also shows someone out there seems to be at least trying to
reduce com to a purely porn domain.

Presumably - somehow not sure how - the NS and SOA records from this server
for com "infected" your caching server when it asked for some other com domain
which somehow delegates down to this server.

Methinks someone needs to shut this rogue down - and soon else com may
effectively start to disappear.


Ted Rule,
Flextech Television.


$ dig @myifriendsns1.webpower.com com any

; <<>> DiG 8.2 <<>> @myifriendsns1.webpower.com com any -p
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 0
;; QUERY SECTION:
;;      com, type = ANY, class = IN

;; ANSWER SECTION:
com.                    1D IN A         204.180.135.105
com.                    1D IN NS        myifriendsns1.webpower.com.
com.                    1D IN SOA       webpower.com. postmaster.webpower.com. (
                                        175             ; serial
                                        3H              ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        1D )            ; minimum


;; AUTHORITY SECTION:
com.                    1D IN NS        myifriendsns1.webpower.com.

;; Total query time: 141 msec
;; FROM: intranot.flextech.co.uk to SERVER: myifriendsns1.webpower.com  204.180.135.105
;; WHEN: Tue Sep  5 14:40:17 2000
;; MSG SIZE  sent: 21  rcvd: 135

$ dig @myifriendsns1.webpower.com net any

; <<>> DiG 8.2 <<>> @myifriendsns1.webpower.com net any -p
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 0
;; QUERY SECTION:
;;      net, type = ANY, class = IN

;; ANSWER SECTION:
net.                    1D IN A         204.180.135.105
net.                    1D IN NS        webpower.com.
net.                    1D IN SOA       webpower.com. postmaster.webpower.com. (
                                        59              ; serial
                                        3H              ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        1D )            ; minimum


;; AUTHORITY SECTION:
net.                    1D IN NS        webpower.com.

;; Total query time: 141 msec
;; FROM: intranot.flextech.co.uk to SERVER: myifriendsns1.webpower.com  204.180.135.105
;; WHEN: Tue Sep  5 14:42:37 2000
;; MSG SIZE  sent: 21  rcvd: 124


$ dig @myifriendsns1.webpower.com com axfr

; <<>> DiG 8.2 <<>> @myifriendsns1.webpower.com com axfr -p
; (1 server found)
$ORIGIN com.
@                       1D IN SOA       webpower postmaster.webpower (
                                        175             ; serial
                                        3H              ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        1D )            ; minimum

                        1D IN NS        myifriendsns1.webpower
                        1D IN A         204.180.135.105
www.britneyshores       10S IN A        204.180.135.105
www.mysweetkelly        10S IN A        204.180.135.105
www.sweets36dd          10S IN A        204.180.135.105
mysite.sweets36dd       10S IN A        204.180.135.105
www.sisseys-sex-fetish  10S IN A        204.180.135.105
www.myluckylove         10S IN A        204.180.135.105
www.missangel           10S IN A        204.180.135.105
www.reyanasrealm        10S IN A        204.180.135.105
www.2lilnymphs          10S IN A        204.180.135.105
www.barbiwet            10S IN A        204.180.135.105
www.brettnichols        10S IN A        204.180.135.105
www.mzmahogany          10S IN A        204.180.135.105
sexylynn                10S IN A        204.180.135.105
www.ahotcoed21          10S IN A        204.180.135.105
www.hugetoyz            10S IN A        204.180.135.105
http://www.camatuers    10S IN A        204.180.135.105
www.girlyluv            10S IN A        204.180.135.105
www.sissey-sex-fetish   10S IN A        204.180.135.105
www.pleasure-units      10S IN A        204.180.135.105
www.hotcanadian         10S IN A        204.180.135.105
www.sweet4usxy          10S IN A        204.180.135.105
www.hottbabe            10S IN A        204.180.135.105
www.dinkydoggy          10S IN A        204.180.135.105
http://www.lauramarie   10S IN A        204.180.135.105
www.sinfuldesire        10S IN A        204.180.135.105
www.lisashothomepage    10S IN A        204.180.135.105
www.peytonzplace        10S IN A        204.180.135.105
www.teasercam           10S IN A        204.180.135.105
www.girlnextdoornude    10S IN A        204.180.135.105
www.torilive4uteasercam  10S IN A  204.180.135.105
www.mistressofthenight  10S IN A        204.180.135.105
www.fredy               10S IN A        204.180.135.105
ahotchicks-hardcore-sex  10S IN A  204.180.135.105
www.alilgal             10S IN A        204.180.135.105
www.livelyluci          10S IN A        204.180.135.105
www.kalliex             10S IN A        204.180.135.105
www.debsdesires         10S IN A        204.180.135.105
www.iseekamateurs       10S IN A        204.180.135.105
www.tiffanyraw2000      10S IN A        204.180.135.105
www.buffnet             10S IN A        204.180.135.105
www.eva-live            10S IN A        204.180.135.105
www.natural38dds        10S IN A        204.180.135.105
www.sassyone            10S IN A        204.180.135.105
www.niseyxxx            10S IN A        204.180.135.105
candy36ddd              10S IN A        204.180.135.105
www.candy36ddd          10S IN A        204.180.135.105
ohsofine                10S IN A        204.180.135.105
www.ohsofine            10S IN A        204.180.135.105
misxydouno              10S IN A        204.180.135.105
www.misxydouno          10S IN A        204.180.135.105
tranzgirl               10S IN A        204.180.135.105
www.xxxtremefetish      10S IN A        204.180.135.105
www.alyxinwonderland    10S IN A        204.180.135.105
www.creole69            10S IN A        204.180.135.105
prodical.myfriends1.webpower  10S IN A  204.180.135.105
myifriendsdsns/.webpower  10S IN A  204.180.135.105
www.majorpornsites      10S IN A        204.180.135.105
www.latinass69          10S IN A        204.180.135.105
www.hothornyhousewife   10S IN A        204.180.135.105
www.erosrouge           10S IN A        204.180.135.105
www.naughtykasha        10S IN A        204.180.135.105
yumyum34d               10S IN A        204.180.135.105
hypnofiles              10S IN A        204.180.135.105
http://sisseys-sex-fetish  10S IN A  204.180.135.105
www.maliahart           10S IN A        204.180.135.105
www.camholio            10S IN A        204.180.135.105
www.georgiachicks       10S IN A        204.180.135.105
www.foxymelody          10S IN A        204.180.135.105
www.hottiebody          10S IN A        204.180.135.105
www.neatspot            10S IN A        204.180.135.105
www.xxxjade79           10S IN A        204.180.135.105
www.hottani             10S IN A        204.180.135.105
www.jensex              10S IN A        204.180.135.105
studiocaliente          10S IN A        204.180.135.105
www.studiocaliente      10S IN A        204.180.135.105
www.sinloverxxx         10S IN A        204.180.135.105
www.ladybunny           10S IN A        204.180.135.105
www.freeballoonpix      10S IN A        204.180.135.105
www.sex24hrsaday        10S IN A        204.180.135.105
www.aussiereeta         10S IN A        204.180.135.105
www.gingerlixxx         10S IN A        204.180.135.105
www.cashmirliv          10S IN A        204.180.135.105
www.peytons-place       10S IN A        204.180.135.105
www.electricvelvet      10S IN A        204.180.135.105
@                       1D IN SOA       webpower postmaster.webpower (
                                        175             ; serial
                                        3H              ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        1D )            ; minimum

;; Received 88 answers (88 records).
;; FROM: intranot.flextech.co.uk to SERVER: 204.180.135.105
;; WHEN: Tue Sep  5 14:43:37 2000






jlewis at lewis.org on 05/09/2000 13:58:19

To:   bind-workers at isc.org
cc:    (bcc: Ted Rule/160GPS/Flextech/UK)

Subject:  odd behavior in bind-8.2.2_P3 (fwd)




Can anyone suggest what may have led one of my caching DNS servers to
do the following:

# dig @localhost www.webmastermatrix.com.

; <<>> DiG 8.2 <<>> @localhost www.webmastermatrix.com.
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUERY SECTION:
;;      www.webmastermatrix.com, type = A, class = IN

;; AUTHORITY SECTION:
com.                    2h12m2s IN SOA  webpower.com. postmaster.webpower.com. (
                                        175             ; serial
                                        3H              ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        1D )            ; minimum

It was spitting out similar cached NXDOMAIN results for a number of other
hosts in other .com domains, but with this same bogus SOA record.  I did a
dumpdb (still have it) and if I'm reading it right, the server really
thought this was the SOA for com.

com     81138   IN      NS      myifriendsns1.webpower.com.     ;Cr=auth
        86312   IN      SOA     webpower.com. postmaster.webpower.com. (
                175 10800 900 604800 86400 )    ;Cr=auth

The only $ORIGIN above this is '$ORIGIN .'.

This is from bind-8.2.2_P3-0.5.2 on a Red Hat 5.2 system with a very
simple caching only setup.

----------------------------------------------------------------------
 Jon Lewis *jlewis at lewis.org*|  I route
 System Administrator        |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
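
The following is an added example, not part of either post and not BIND's own code: a resolver-side bailiwick check that refuses to cache records whose owner name lies outside the zone the answering server was delegated. The delegated zone name `delegated-example.com.` and the A record under it are constructed assumptions; the com NS and SOA records are the ones shown in the dig and dumpdb output above.

```python
# Added example: bailiwick filtering of records returned by a delegated server.
# Function names and the delegated zone are hypothetical, chosen for illustration.

def normalize(name):
    """Lower-case a domain name and make it fully qualified."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."

def in_bailiwick(owner, zone):
    """True if owner is the zone apex or a name below it."""
    owner, zone = normalize(owner), normalize(zone)
    if zone == ".":
        return True
    return owner == zone or owner.endswith("." + zone)

def parse_records(text):
    """Parse 'owner ttl class type rdata...' lines; skip comments and blanks."""
    records = []
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        if len(fields) < 5:
            continue
        owner, ttl, rclass, rtype = fields[:4]
        records.append((normalize(owner), ttl, rclass, rtype.upper(),
                        " ".join(fields[4:])))
    return records

def filter_reply(records, delegated_zone):
    """Split a reply into cacheable records and out-of-bailiwick rejects."""
    accepted, rejected = [], []
    for rec in records:
        (accepted if in_bailiwick(rec[0], delegated_zone) else rejected).append(rec)
    return accepted, rejected

# Constructed reply: the resolver followed a delegation for the hypothetical
# zone "delegated-example.com." and the server also returned com NS and SOA.
SAMPLE_REPLY = """
www.delegated-example.com.  10S IN A    204.180.135.105
com.                        1D  IN NS   myifriendsns1.webpower.com.
com.                        1D  IN SOA  webpower.com. postmaster.webpower.com. 175 3H 15M 1W 1D
"""

if __name__ == "__main__":
    ok, bad = filter_reply(parse_records(SAMPLE_REPLY), "delegated-example.com.")
    for rec in ok:
        print("cache :", rec)
    for rec in bad:
        print("reject:", rec)
```

The suffix test includes the leading dot, so a look-alike name such as `notdelegated-example.com.` is not treated as being inside `delegated-example.com.`.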










