[outages] AT&T DNS problems?
Tim Huffman
tim at bobbroadband.com
Fri Oct 26 21:26:05 EDT 2012
Yeah, it appears to be some kind of placeholder site, like what Network Solutions uses.
What's strange is that the AT&T server appears to be handing out alternating responses:
# dig @12.127.17.83 www.ben.edu
; <<>> DiG 9.5.1-P2 <<>> @12.127.17.83 www.ben.edu
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35102
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.ben.edu. IN A
;; ANSWER SECTION:
www.ben.edu. 148 IN A 208.91.197.132
;; Query time: 2 msec
;; SERVER: 12.127.17.83#53(12.127.17.83)
;; WHEN: Fri Oct 26 20:22:18 2012
;; MSG SIZE rcvd: 45
[root at venus ~]# dig @12.127.17.83 www.ben.edu
; <<>> DiG 9.5.1-P2 <<>> @12.127.17.83 www.ben.edu
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38198
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.ben.edu. IN A
;; ANSWER SECTION:
www.ben.edu. 3427 IN CNAME ben.edu.
ben.edu. 3427 IN A 38.100.120.100
;; Query time: 2 msec
;; SERVER: 12.127.17.83#53(12.127.17.83)
;; WHEN: Fri Oct 26 20:22:23 2012
;; MSG SIZE rcvd: 59
[root at venus ~]# dig @12.127.17.83 www.ben.edu
; <<>> DiG 9.5.1-P2 <<>> @12.127.17.83 www.ben.edu
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21252
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.ben.edu. IN A
;; ANSWER SECTION:
www.ben.edu. 142 IN A 208.91.197.132
;; Query time: 1 msec
;; SERVER: 12.127.17.83#53(12.127.17.83)
;; WHEN: Fri Oct 26 20:22:24 2012
;; MSG SIZE rcvd: 45
[root at venus ~]# dig @12.127.17.83 www.ben.edu
; <<>> DiG 9.5.1-P2 <<>> @12.127.17.83 www.ben.edu
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59907
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.ben.edu. IN A
;; ANSWER SECTION:
www.ben.edu. 3425 IN CNAME ben.edu.
ben.edu. 3425 IN A 38.100.120.100
;; Query time: 2 msec
;; SERVER: 12.127.17.83#53(12.127.17.83)
;; WHEN: Fri Oct 26 20:22:25 2012
;; MSG SIZE rcvd: 59
Tim Huffman
Director of Engineering
Business Only Broadband
777 Oakmont Lane, Suite 2000, Westmont, IL 60559
Direct: 630.590.6012 | Main: 630.590.6000 | Fax: 630.986.2496
thuffman at bobbroadband.com | http://www.bobbroadband.com/
Cell: 630.340.1925 | Toll-Free Customer Support: 877.262.4553
From: outages-bounces at outages.org [mailto:outages-bounces at outages.org] On Behalf Of Mike Phipps
Sent: Friday, October 26, 2012 8:17 PM
To: outages at outages.org
Subject: Re: [outages] AT&T DNS problems?
208.91.197.132 doesn't have a PTR record associated with it, but a Whois query shows that it's owned by Confluence Networks. However, check out what happens when you go to that IP address:
$ nc -v 208.91.197.132 80
Connection to 208.91.197.132 80 port [tcp/http] succeeded!
GET / HTTP/1.1
Host: ben.edu
HTTP/1.1 200 OK
Date: Sat, 27 Oct 2012 01:14:43 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.3.16
Vary: Accept-Encoding,User-Agent
Content-Length: 712
Content-Type: text/html; charset=UTF-8
<frameset rows="100%,*" frameborder="no" border="0" framespacing="0">
<frame src="http://ben.edu/?fp=Jg2bOCRGpmyIHeO3rTIpYJil8%2FmPB1JibWwClQntyhm4NkwKKuCk1tgtON7LOnmXFywl8MRjELrKlXFXgOfhOw%3D%3D&prvtof=lJY3O5r6C%2F4Iypq21CJp7a1LuqqIdOWvKdwx5Xsl1x8%3D&poru=S87wfqjj4W%2B%2Fm8dSEqpuWZr20KvK367%2BCoGC%2FHW2e9kL6N%2Fl3h3wnDx5AfKbrhlZ&">
</frameset>
<noframes>
<body bgcolor="#ffffff" text="#000000">
<a href="http://ben.edu/?fp=Jg2bOCRGpmyIHeO3rTIpYJil8%2FmPB1JibWwClQntyhm4NkwKKuCk1tgtON7LOnmXFywl8MRjELrKlXFXgOfhOw%3D%3D&prvtof=HFakvtiyy0kNqKrmL%2FCjJLePEMwdGWTZLZa5%2BZpNnP4%3D&poru=9vrhUGVKGCquHB6uFFMUXFNxz1c%2FgIaDOeCSvkLz5HCrH2FI%2Fixpxvr8LwjYT7uO&">Click here to proceed</a>.
</body>
</noframes>
I didn't look beyond that, but it already looks fishy. Note that I used ben.edu in the hostname on that manual GET request. When I tried it with just the IP address, it said to go to searchremagnified.com.
Mike Phipps
Media Genesis, Inc.
From: outages-bounces at outages.org [mailto:outages-bounces at outages.org] On Behalf Of Tim Huffman
Sent: Friday, October 26, 2012 9:04 PM
To: outages at outages.org
Subject: [outages] AT&T DNS problems?
We are the primary DNS servers for the ben.edu domain. We seem to be having an issue with an AT&T server that is responding with incorrect A records for www.ben.edu and ben.edu.
What the response SHOULD be:
nslookup www.ben.edu
Server: 63.250.224.66
Address: 63.250.224.66#53
www.ben.edu canonical name = ben.edu.
Name: ben.edu
Address: 38.100.120.100
What 12.127.17.83 is responding with:
> www.ben.edu
Server: tbru.br.rs.els-gms.att.net
Address: 12.127.17.83
Non-authoritative answer:
Name: www.ben.edu
Address: 208.91.197.132
This appears to be affecting only iPhones and iPads on the AT&T network. Is anybody else having problems with this? Are there any AT&T people on this list that can help?
Tim Huffman
Business Only Broadband
777 Oakmont Lane, Suite 2000, Westmont, IL 60559
Direct: 630.590.6012 | Main: 630.590.6000 | Fax: 630.986.2496
thuffman at bobbroadband.com | http://www.bobbroadband.com/
Cell: 630.340.1925 | Toll-Free Customer Support: 877.262.4553
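Added example, not part of the original thread: a Python script that parses saved dig output from repeated queries against one resolver, follows the CNAME chain, and groups the responses by final address so that answers differing from the authoritative one stand out. The sample answer sections are trimmed from the dig transcripts above; the function names are illustrative.

```python
import re
from collections import defaultdict

# One answer record as dig prints it: "<name> <ttl> IN <type> <rdata>"
RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|AAAA|CNAME)\s+(\S+)$")

def parse_answers(dig_text):
    """Return [(name, ttl, rtype, rdata)] from the ANSWER SECTION of dig output."""
    records, in_answer = [], False
    for line in (l.strip() for l in dig_text.splitlines()):
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
        elif not line or line.startswith(";"):
            in_answer = False          # blank line or next section ends it
        elif in_answer and (m := RR.match(line)):
            records.append((m[1].lower(), int(m[2]), m[3], m[4].lower()))
    return records

def resolve(records, qname):
    """Follow CNAMEs from qname; return the set of final A/AAAA addresses."""
    name, seen = qname.lower().rstrip(".") + ".", set()
    while name not in seen:
        seen.add(name)
        targets = [r[3] for r in records if r[0] == name and r[2] == "CNAME"]
        if not targets:
            break
        name = targets[0]
    return frozenset(r[3] for r in records if r[0] == name and r[2] in ("A", "AAAA"))

def audit(responses, qname, expected):
    """Group responses by resolved address set; return groups with an address
    outside `expected`, as {addresses: [(response_index, lowest_ttl), ...]}.
    Empty answers are not flagged here."""
    groups = defaultdict(list)
    for i, text in enumerate(responses):
        recs = parse_answers(text)
        ttl = min((r[1] for r in recs), default=None)
        groups[resolve(recs, qname)].append((i, ttl))
    return {a: hits for a, hits in groups.items() if not a <= frozenset(expected)}

# Answer sections trimmed from the four dig runs in the thread above.
GOOD = ";; ANSWER SECTION:\nwww.ben.edu. {0} IN CNAME ben.edu.\nben.edu. {0} IN A 38.100.120.100\n"
BAD = ";; ANSWER SECTION:\nwww.ben.edu. {0} IN A 208.91.197.132\n;; Query time: 2 msec\n"
SAMPLES = [BAD.format(148), GOOD.format(3427), BAD.format(142), GOOD.format(3425)]

if __name__ == "__main__":
    for addrs, hits in audit(SAMPLES, "www.ben.edu", {"38.100.120.100"}).items():
        print(sorted(addrs), "in responses (index, ttl):", hits)
```

The TTLs in the flagged group (148, then 142) count down separately from those of the correct group (3427, then 3425), which is consistent with two distinct caches answering behind the same resolver address.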