[outages] nytime.com dns borked

Kevin Day toasty at dragondata.com
Tue Aug 27 17:30:48 EDT 2013


On Aug 27, 2013, at 4:09 PM, Grant Ridder <shortdudey123 at gmail.com> wrote:

> I think someone hijacked NYTimes dns...
> 
> http://www.chicagotribune.com/business/technology/chi-new-york-times-website-20130827,0,3415996.story
> 
> 
> Non-authoritative answer:
> Name:    nytimes.com
> Address: 141.105.64.37
> 
> ~~~
> dig any nytimes.com
> 
> ; <<>> DiG 9.8.3-P1 <<>> any nytimes.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15335
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 2
> 
> ;; QUESTION SECTION:
> ;nytimes.com.            IN    ANY
> 
> ;; ANSWER SECTION:
> nytimes.com.        11560    IN    A    141.105.64.37
> nytimes.com.        5    IN    NS    ns1.syrianelectronicarmy.com.
> nytimes.com.        5    IN    NS    ns2.syrianelectronicarmy.com.


From OpenDNS I see:  (208.67.222.222)

;; ANSWER SECTION:
nytimes.com.		10699	IN	A	141.105.64.37
nytimes.com.		10699	IN	MX	0 nytimes.com.
nytimes.com.		82699	IN	NS	ns1.syrianelectronicarmy.com.
nytimes.com.		82699	IN	NS	ns2.syrianelectronicarmy.com.
nytimes.com.		86399	IN	SOA	ns5.boxsecured.com. ssuliman.hotmail.co.uk. 2013082703 86400 7200 3600000 86400


From Google DNS (8.8.8.8) I see:    note SOA is different:

;; ANSWER SECTION:
nytimes.com.		10897	IN	MX	0 nytimes.com.
nytimes.com.		18097	IN	SOA	ns1.syrianelectronicarmy.com. admin.sea.sy. 2013082701 86400 7200 3600000 86400
nytimes.com.		18097	IN	NS	ns2.syrianelectronicarmy.com.
nytimes.com.		18097	IN	NS	ns1.syrianelectronicarmy.com.
nytimes.com.		10897	IN	A	141.105.64.37


From our own resolver I see:

;; ANSWER SECTION:
nytimes.com.		154278	IN	NS	dns.sea1.nytimes.com.
nytimes.com.		154278	IN	NS	dns.ewr1.nytimes.com.



As for what nytimes.com is resolving to, from trying a few places I see:

141.105.64.37  - 141.105.64.0/21 AS49335  (NCONNECT), where Shorefront Media, Inc/Navitel Rusconnect is registered for 141.105.64.0/26
170.149.172.130 - 170.149.0.0/16  (New York Times)
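
Added example, not part of the original message: a Python check that automates the comparison made above, parsing the answer lines returned by each resolver and flagging NS hosts outside an expected set and disagreement on the SOA primary master. Treating the NS set from the poster's own resolver as the known-good baseline is an assumption, and the function names are illustrative.

```python
import re

# Answer lines copied from the message above, keyed by the resolver queried.
ANSWERS = {
    "opendns": """
nytimes.com. 82699 IN NS ns1.syrianelectronicarmy.com.
nytimes.com. 82699 IN NS ns2.syrianelectronicarmy.com.
nytimes.com. 86399 IN SOA ns5.boxsecured.com. ssuliman.hotmail.co.uk. 2013082703 86400 7200 3600000 86400
""",
    "google": """
nytimes.com. 18097 IN SOA ns1.syrianelectronicarmy.com. admin.sea.sy. 2013082701 86400 7200 3600000 86400
nytimes.com. 18097 IN NS ns2.syrianelectronicarmy.com.
nytimes.com. 18097 IN NS ns1.syrianelectronicarmy.com.
""",
    "local": """
nytimes.com. 154278 IN NS dns.sea1.nytimes.com.
nytimes.com. 154278 IN NS dns.ewr1.nytimes.com.
""",
}

# Assumption: the NS set seen by the poster's own resolver is the known-good baseline.
BASELINE_NS = {"dns.sea1.nytimes.com.", "dns.ewr1.nytimes.com."}
RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")

def parse(text):  # returns {rtype: set(rdata)} from dig-style answer lines
    records = {}
    for line in text.splitlines():
        m = RR.match(line.strip())
        if m:
            records.setdefault(m.group(3), set()).add(m.group(4).strip().lower())
    return records

def compare(answers, baseline_ns):
    """Per resolver: NS hosts outside the baseline, and the SOA primary master (MNAME)."""
    report = {}
    for resolver, text in answers.items():
        rrs = parse(text)
        report[resolver] = {
            "rogue_ns": sorted(rrs.get("NS", set()) - baseline_ns),
            "soa_mname": sorted(s.split()[0] for s in rrs.get("SOA", set())),
        }
    return report

def soa_disagreement(report):
    """True when resolvers that returned an SOA disagree on its primary master."""
    seen = {tuple(r["soa_mname"]) for r in report.values() if r["soa_mname"]}
    return len(seen) > 1

if __name__ == "__main__":
    print(compare(ANSWERS, BASELINE_NS))
```
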

