[outages] AT&T DNS problems?
David Conrad
drc at virtualized.org
Fri Oct 26 22:53:02 EDT 2012
Hi,
So I tried in 3 different places:
Comcast residential service near San Jose, CA: 38.100.120.100
Multi-homed colo facility near Dallas, TX: 38.100.120.100
Multi-homed colo facility near London, UK: 208.91.197.32
Doing a bit of digging on the latter:
% dig +short @12.127.17.83 www.ben.edu ns
ns1432.ztomy.com.
ns2432.ztomy.com.
% whois -h whois.crsnic.net ztomy.com
Whois Server Version 2.0
Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.
Domain Name: ZTOMY.COM
Registrar: PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Whois Server: whois.PublicDomainRegistry.com
Referral URL: http://www.PublicDomainRegistry.com
Name Server: USC4.AKAM.NET
Name Server: USC5.AKAM.NET
Status: ok
Updated Date: 23-apr-2012
Creation Date: 22-nov-2007
Expiration Date: 22-nov-2014
[...]
% whois -h whois.publicdomainregistry.com ztomy.com
Domain Name: ZTOMY.COM
Registrant:
PrivacyProtect.org
Domain Admin (contact at privacyprotect.org)
ID#10760, PO Box 16
Note - All Postal Mails Rejected, visit Privacyprotect.org
Nobby Beach
null,QLD 4218
AU
Tel. +45.36946676
Creation Date: 22-Nov-2007
Expiration Date: 22-Nov-2014
[...]
Doing a Google search on ztomy.com suggests that they provide malware/spyware/etc.
Looking at the address being returned (208.91.197.132):
% whois -h whois.arin.net 208.91.197.132
[...]
NetRange: 208.91.196.0 - 208.91.199.255
CIDR: 208.91.196.0/22
OriginAS: AS40034
NetName: CONFLUENCE-NETWORK-INC
NetHandle: NET-208-91-196-0-1
Parent: NET-208-0-0-0-0
NetType: Direct Allocation
RegDate: 2011-04-15
Updated: 2012-03-02
Ref: http://whois.arin.net/rest/net/NET-208-91-196-0-1
OrgName: Confluence Networks Inc
OrgId: CN
Address: 3rd Floor, Omar Hodge Building, Wickhams
Address: Cay I, P.O. Box 362
City: Road Town
StateProv: Tortola
PostalCode: VG1110
Country: VG
RegDate: 2011-04-07
Updated: 2011-07-05
Ref: http://whois.arin.net/rest/org/CN
[...]
Doing a Google search on Confluence Networks suggests that they host a lot of bad stuff (e.g., 'high yield investment programs' which appear to be yet another form of Ponzi scheme). I did see some suggestions of ztomy.com engaging in DNS cache poisoning, but no proof.
Given the inconsistent answers from the AT&T name server, one possibility is that AT&T's resolvers are under a Kaminsky-style DNS cache poisoning attack. You might want to drop a note to the DNS-OARC (https://www.dns-oarc.net) dns-operations list -- I think there are probably some folks there from AT&T.
Regards,
-drc
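The check described above (repeatedly querying one resolver and comparing its answers with each other and with the zone owner's known address) as a small audit script. This is an added example, not code from the thread; the dig excerpts embedded below are constructed to mirror the alternating answers Tim posted, and the expected netblock is assumed to be the single address the authoritative servers return.

```python
import ipaddress
import re

# Constructed sample: two dig runs against the same resolver, modelled on the
# alternating answers in the thread (not the thread's verbatim output).
DIG_RUNS = [
    ";; ANSWER SECTION:\nwww.ben.edu. 148 IN A 208.91.197.132\n",
    ";; ANSWER SECTION:\nwww.ben.edu. 3427 IN CNAME ben.edu.\nben.edu. 3427 IN A 38.100.120.100\n",
]

# One resource record line of a dig ANSWER SECTION: owner, TTL, class IN, type, rdata.
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|CNAME)\s+(\S+)$", re.M)


def parse_answers(dig_output):
    """Return (owner, ttl, type, rdata) tuples found after ';; ANSWER SECTION:'."""
    section = dig_output.split(";; ANSWER SECTION:", 1)[-1]
    return [(m.group(1), int(m.group(2)), m.group(3), m.group(4))
            for m in RR_RE.finditer(section)]


def final_addresses(rrs):
    """A records in the answer, i.e. the addresses left after any CNAME step."""
    return frozenset(rdata for _, _, rtype, rdata in rrs if rtype == "A")


def audit(runs, expected_nets):
    """Flag a resolver whose answers change between runs or fall outside the
    zone owner's netblocks (assumed known to the operator running the check)."""
    nets = [ipaddress.ip_network(n) for n in expected_nets]
    seen = [final_addresses(parse_answers(r)) for r in runs]
    findings = []
    distinct = set(seen)
    if len(distinct) > 1:
        shown = " | ".join(sorted(",".join(sorted(s)) for s in distinct))
        findings.append("inconsistent answers across runs: " + shown)
    for addr in sorted(set().union(*seen)):
        if not any(ipaddress.ip_address(addr) in n for n in nets):
            findings.append(f"{addr} is outside the expected netblocks")
    return findings


if __name__ == "__main__":
    for line in audit(DIG_RUNS, ["38.100.120.100/32"]):
        print(line)
```

Against a live resolver, feed `audit` the text of several `dig @resolver name` runs spaced a few seconds apart, as in the thread; an empty result means every run agreed and stayed inside the expected prefixes.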
On Oct 26, 2012, at 6:26 PM, Tim Huffman <tim at bobbroadband.com> wrote:
> Yeah, it appears to be some kind of placeholder site, like what Network Solutions uses.
>
> What’s strange is that the AT&T server appears to be handing out alternating responses:
>
> # dig @12.127.17.83 www.ben.edu
>
> ; <<>> DiG 9.5.1-P2 <<>> @12.127.17.83 www.ben.edu
> ; (1 server found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35102
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;www.ben.edu. IN A
>
> ;; ANSWER SECTION:
> www.ben.edu. 148 IN A 208.91.197.132
>
> ;; Query time: 2 msec
> ;; SERVER: 12.127.17.83#53(12.127.17.83)
> ;; WHEN: Fri Oct 26 20:22:18 2012
> ;; MSG SIZE rcvd: 45
>
> [root at venus ~]# dig @12.127.17.83 www.ben.edu
>
> ; <<>> DiG 9.5.1-P2 <<>> @12.127.17.83 www.ben.edu
> ; (1 server found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38198
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;www.ben.edu. IN A
>
> ;; ANSWER SECTION:
> www.ben.edu. 3427 IN CNAME ben.edu.
> ben.edu. 3427 IN A 38.100.120.100
>
> ;; Query time: 2 msec
> ;; SERVER: 12.127.17.83#53(12.127.17.83)
> ;; WHEN: Fri Oct 26 20:22:23 2012
> ;; MSG SIZE rcvd: 59
>
> [root at venus ~]# dig @12.127.17.83 www.ben.edu
>
> ; <<>> DiG 9.5.1-P2 <<>> @12.127.17.83 www.ben.edu
> ; (1 server found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21252
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;www.ben.edu. IN A
>
> ;; ANSWER SECTION:
> www.ben.edu. 142 IN A 208.91.197.132
>
> ;; Query time: 1 msec
> ;; SERVER: 12.127.17.83#53(12.127.17.83)
> ;; WHEN: Fri Oct 26 20:22:24 2012
> ;; MSG SIZE rcvd: 45
>
> [root at venus ~]# dig @12.127.17.83 www.ben.edu
>
> ; <<>> DiG 9.5.1-P2 <<>> @12.127.17.83 www.ben.edu
> ; (1 server found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59907
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;www.ben.edu. IN A
>
> ;; ANSWER SECTION:
> www.ben.edu. 3425 IN CNAME ben.edu.
> ben.edu. 3425 IN A 38.100.120.100
>
> ;; Query time: 2 msec
> ;; SERVER: 12.127.17.83#53(12.127.17.83)
> ;; WHEN: Fri Oct 26 20:22:25 2012
> ;; MSG SIZE rcvd: 59
>
> Tim Huffman
> Director of Engineering
> Business Only Broadband
> 777 Oakmont Lane, Suite 2000, Westmont, IL 60559
> Direct: 630.590.6012 | Main: 630.590.6000 | Fax: 630.986.2496
> thuffman at bobbroadband.com | http://www.bobbroadband.com/
> Cell: 630.340.1925 | Toll-Free Customer Support: 877.262.4553
>
> From: outages-bounces at outages.org [mailto:outages-bounces at outages.org] On Behalf Of Mike Phipps
> Sent: Friday, October 26, 2012 8:17 PM
> To: outages at outages.org
> Subject: Re: [outages] AT&T DNS problems?
>
> 208.91.197.132 doesn’t have a PTR record associated with it, but a Whois query shows that it’s owned by Confluence Networks. However, check out what happens when you go to that IP address:
>
> $ nc -v 208.91.197.132 80
> Connection to 208.91.197.132 80 port [tcp/http] succeeded!
> GET / HTTP/1.1
> Host: ben.edu
>
> HTTP/1.1 200 OK
> Date: Sat, 27 Oct 2012 01:14:43 GMT
> Server: Apache/2.2.3 (Red Hat)
> X-Powered-By: PHP/5.3.16
> Vary: Accept-Encoding,User-Agent
> Content-Length: 712
> Content-Type: text/html; charset=UTF-8
>
> <frameset rows="100%,*" frameborder="no" border="0" framespacing="0">
> <frame src="http://ben.edu/?fp=Jg2bOCRGpmyIHeO3rTIpYJil8%2FmPB1JibWwClQntyhm4NkwKKuCk1tgtON7LOnmXFywl8MRjELrKlXFXgOfhOw%3D%3D&prvtof=lJY3O5r6C%2F4Iypq21CJp7a1LuqqIdOWvKdwx5Xsl1x8%3D&poru=S87wfqjj4W%2B%2Fm8dSEqpuWZr20KvK367%2BCoGC%2FHW2e9kL6N%2Fl3h3wnDx5AfKbrhlZ&">
> </frameset>
> <noframes>
> <body bgcolor="#ffffff" text="#000000">
> <a href="http://ben.edu/?fp=Jg2bOCRGpmyIHeO3rTIpYJil8%2FmPB1JibWwClQntyhm4NkwKKuCk1tgtON7LOnmXFywl8MRjELrKlXFXgOfhOw%3D%3D&prvtof=HFakvtiyy0kNqKrmL%2FCjJLePEMwdGWTZLZa5%2BZpNnP4%3D&poru=9vrhUGVKGCquHB6uFFMUXFNxz1c%2FgIaDOeCSvkLz5HCrH2FI%2Fixpxvr8LwjYT7uO&">Click here to proceed</a>.
> </body>
> </noframes>
>
> I didn’t look beyond that, but it already looks fishy. Note that I used ben.edu in the hostname on that manual GET request. When I tried it with just the IP address, it said to go to searchremagnified.com.
>
>
> Mike Phipps
> Media Genesis, Inc.
>
> From: outages-bounces at outages.org [mailto:outages-bounces at outages.org] On Behalf Of Tim Huffman
> Sent: Friday, October 26, 2012 9:04 PM
> To: outages at outages.org
> Subject: [outages] AT&T DNS problems?
>
> We are the primary DNS servers for the ben.edu domain. We seem to be having an issue with an AT&T server that is responding with incorrect A records for www.ben.edu and ben.edu.
>
> What the response SHOULD be:
> nslookup www.ben.edu
> Server: 63.250.224.66
> Address: 63.250.224.66#53
>
> www.ben.edu canonical name = ben.edu.
> Name: ben.edu
> Address: 38.100.120.100
>
> What 12.127.17.83 is responding with:
> > www.ben.edu
> Server: tbru.br.rs.els-gms.att.net
> Address: 12.127.17.83
>
> Non-authoritative answer:
> Name: www.ben.edu
> Address: 208.91.197.132
>
> This appears to be affecting only iPhones and iPads on the AT&T network. Is anybody else having problems with this? Are there any AT&T people on this list that can help?
>
>
> Tim Huffman
> Business Only Broadband
> 777 Oakmont Lane, Suite 2000, Westmont, IL 60559
> Direct: 630.590.6012 | Main: 630.590.6000 | Fax: 630.986.2496
> thuffman at bobbroadband.com | http://www.bobbroadband.com/
> Cell: 630.340.1925 | Toll-Free Customer Support: 877.262.4553
>