
nanog mailing list archives

dnsauth3.sys.gtei.net DNS record is poisoned???
From: Joe Shen <joe_hznm () yahoo com sg>
Date: Thu, 16 Feb 2006 00:06:54 +0800 (CST)


Hi,

Today, some of our customers could not resolve
state.gov by our cache server. 

I found state.gov is served by dnsauth1.sys.gtei.net,
dnsauth2.sys.gtei.net, dnsauth3.sys.gtei.net. Using
some others' DNS servers I found their IP addresses
should be 4.2.49.2, 4.2.49.3, 4.2.49.4. But our cache
server (BIND9.3.1) got some other IPs (I've tried
restarting bind9.3.1). So it always failed to resolve
state.gov. After restarting BIND9.3.1 again, I did
"rndc flush" several times, then it came back.

Why? Is there something poisoned?

Joe



=========== BIND9 got wrong server IP ====

set debug
dnsauth1.sys.gtei.net
Server:  dnsv2.zjhzptt.net.cn
Address:  202.101.172.133

;; res_nmkquery(QUERY, dnsauth1.sys.gtei.net, IN, A)
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 58203, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 3,  additional = 2

    QUESTIONS:
        dnsauth1.sys.gtei.net, type = A, class = IN
    ANSWERS:
    ->  dnsauth1.sys.gtei.net
        internet address = 128.121.126.139
        ttl = 86084 (86084)
    AUTHORITY RECORDS:
    ->  gtei.net
        nameserver = dnsauth2.sys.gtei.net
        ttl = 172565 (172565)
    ->  gtei.net
        nameserver = dnsauth3.sys.gtei.net
        ttl = 172565 (172565)
    ->  gtei.net
        nameserver = dnsauth1.sys.gtei.net
        ttl = 172565 (172565)
    ADDITIONAL RECORDS:
    ->  dnsauth2.sys.gtei.net
        internet address = 169.132.13.103
        ttl = 86084 (86084)
    ->  dnsauth3.sys.gtei.net
        internet address = 192.67.198.6
        ttl = 86084 (86084)

------------
Non-authoritative answer:
Name:    dnsauth1.sys.gtei.net
Address:  128.121.126.139



==============================

After restarting bind and doing "rndc flush" 6 times, I got:

======================

set debug
state.gov
Server:  hzdnsv2.zjhzptt.net.cn
Address:  202.101.172.133

;; res_nmkquery(QUERY, state.gov, IN, A)
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 20953, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 3,  additional = 3

    QUESTIONS:
        state.gov, type = A, class = IN
    ANSWERS:
    ->  state.gov
        internet address = 164.109.48.80
        ttl = 1778 (1778)
    AUTHORITY RECORDS:
    ->  state.gov
        nameserver = dnsauth3.sys.gtei.net
        ttl = 1778 (1778)
    ->  state.gov
        nameserver = dnsauth1.sys.gtei.net
        ttl = 1778 (1778)
    ->  state.gov
        nameserver = dnsauth2.sys.gtei.net
        ttl = 1778 (1778)
    ADDITIONAL RECORDS:
    ->  dnsauth1.sys.gtei.net
        internet address = 4.2.49.2
        ttl = 172767 (172767)
    ->  dnsauth2.sys.gtei.net
        internet address = 4.2.49.3
        ttl = 172767 (172767)
    ->  dnsauth3.sys.gtei.net
        internet address = 4.2.49.4
        ttl = 172767 (172767)

------------
Non-authoritative answer:
Name:    state.gov
Address:  164.109.48.80



==================================
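
The comparison described in the message above (cache server answers versus addresses seen from other resolvers), as an added example that is not part of the original post: it parses nslookup debug output and reports cached A records that differ from a reference set, with the TTL that shows how long the cache would keep them. The names `parse_a_records`, `mismatches`, `SUSPECT` and `REFERENCE` are hypothetical, and the sample is a constructed excerpt built from the values quoted in the message.

```python
import re

# Constructed excerpt in the nslookup "set debug" layout from the message.
SUSPECT = """\
    ANSWERS:
    ->  dnsauth1.sys.gtei.net
        internet address = 128.121.126.139
        ttl = 86084 (86084)
    AUTHORITY RECORDS:
    ->  gtei.net
        nameserver = dnsauth2.sys.gtei.net
        ttl = 172565 (172565)
    ADDITIONAL RECORDS:
    ->  dnsauth2.sys.gtei.net
        internet address = 169.132.13.103
        ttl = 86084 (86084)
    ->  dnsauth3.sys.gtei.net
        internet address = 192.67.198.6
        ttl = 86084 (86084)
"""
# Reference addresses the poster obtained from other resolvers.
REFERENCE = {"dnsauth1.sys.gtei.net": {"4.2.49.2"},
             "dnsauth2.sys.gtei.net": {"4.2.49.3"},
             "dnsauth3.sys.gtei.net": {"4.2.49.4"}}

def parse_a_records(text):
    """Return {owner: {ip: ttl}} for each A record in nslookup debug output."""
    records, owner, ip = {}, None, None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"->\s+(\S+)$", line):
            owner, ip = m.group(1).lower().rstrip("."), None
        elif (m := re.match(r"internet address = (\S+)$", line)) and owner:
            ip = m.group(1)
            records.setdefault(owner, {})[ip] = None
        elif (m := re.match(r"ttl = (\d+)", line)) and ip:
            records[owner][ip], ip = int(m.group(1)), None
    return records

def mismatches(text, reference):
    """List (name, cached_ip, ttl) for A records that differ from the reference."""
    return [(name, ip, ttl)
            for name, ips in sorted(parse_a_records(text).items())
            if name in reference
            for ip, ttl in sorted(ips.items())
            if ip not in reference[name]]

if __name__ == "__main__":
    for name, ip, ttl in mismatches(SUSPECT, REFERENCE):
        print(f"{name}: cached {ip} (ttl {ttl}s), expected {sorted(REFERENCE[name])}")
```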
