[Dshield] Odd DNS name, slightly OT

Coxe, John B. JOHN.B.COXE at saic.com
Fri Oct 26 21:59:14 GMT 2001

Here is the zone xfer I got for them.  It is just a poorly configured DNS.
A lot of domains use a single zone file for hosts inside and outside their
firewall.  I see and here.  It is likely is
just the internal interface of their ftp/http/... server.

I hate seeing this sloppy crap.  But they are just revealing more of their
internal network structure than they should when they do this.  (This case
is minor.  Some domains have an enormous amount of detail to be gleaned from
their public DNS.)

> server
Default Server:  dns1.registeredsite.com

> ls -d registeredsite.com
$ORIGIN registeredsite.com.
@                       15M IN SOA      dns1 root.dns1 (
                                        97              ; serial
                                        1H              ; refresh
                                        5M              ; retry
                                        1W              ; expiry
                                        15M )           ; minimum

                        15M IN NS       dns1
                        15M IN NS       dns2
                        15M IN NS       dns3
                        15M IN MX       5 mail
                        15M IN A
smtp                    15M IN A
simap                   15M IN A
imta03a2-prod           15M IN A
mail                    15M IN CNAME    mailhub
boca-proxy              15M IN A
pop                     15M IN A
mail-proxy              15M IN A
intermail               15M IN MX       10 inbound
spop                    15M IN A
imap                    15M IN A
report                  15M IN A
webmail                 15M IN A
exchangemail            15M IN A
stats                   15M IN A
mailreports             15M IN A
fep01                   15M IN A
fep02                   15M IN A
dns1                    15M IN A
prov-proxy              15M IN A
dns2                    15M IN A
dns3                    15M IN A
dns4                    15M IN A
exchangeadmin           15M IN A
dnsreports              15M IN CNAME    mailreports
ttrc-proxy              15M IN A
mailhub                 15M IN A
fallback-mx1            15M IN A
swebmail                15M IN A
mail1                   15M IN A
inbound                 15M IN A
www                     15M IN A
mail2                   15M IN A
mail3                   15M IN A
mail4                   15M IN A
mail5                   15M IN A
deadmail                15M IN A
netcommerce             15M IN A
imta04a2-prod           15M IN A
ftp                     15M IN A
@                       15M IN SOA      dns1 root.dns1 (
                                        97              ; serial
                                        1H              ; refresh
                                        5M              ; retry
                                        1W              ; expiry
                                        15M )           ; minimum

-----Original Message-----
From: David Sentelle [mailto:David.Sentelle at cnbcbank.com]
Sent: Friday, October 26, 2001 1:11 PM
To: dshield at dshield.org
Subject: [Dshield] Odd DNS name, slightly OT

I was browsing the web pages users on our network had requested, and saw a
website called inbound.registeredsite.com.  This address resolves to, which is to my knowledge a valid IP address.  

However, when I see URLs that don't answer web requests, I usually chop off
the third level part of the DNS name and replace it with 'WWW', which left
me browsing to www.registeredsite.com.  Oddly enough, this resolves to which I am sure is a private IP.  I didn't even know that DNS
servers would resolve DNS names to private IPs.  

Registeredsite.com is owned by Network Solutions.  How would they benefit
from pointing people to a private IP address?  Does it conform to the DNS
RFCs to associate a private IP to a public DNS server?


David Sentelle
Network Operations Specialist
Commerce National Bank
614.334.6282 Voice    614.848.8830 Fax

This e-mail and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to which they are addressed.
If you have received this e-mail in error, please notify admin at cnbcbank.com
and delete it from your system.
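
Added example, not part of the original thread: one way a zone administrator could audit a listing like the one above for the leak discussed here, flagging names in a public zone that resolve (directly or through an in-zone CNAME) to RFC 1918 addresses. The function name, the `example.test.` origin and every sample record are constructed for illustration; the origin is passed in by the caller rather than read from `$ORIGIN`.

```python
import ipaddress
import re

# RFC 1918 ranges listed explicitly: ipaddress's is_private also matches the
# documentation range 192.0.2.0/24 that the sample uses as "public".
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in the listing's layout; all names and addresses made up.
SAMPLE_ZONE = """\
$ORIGIN example.test.
@        15M IN SOA   dns1 root.dns1 (
                      97 1H 5M 1W 15M )
         15M IN NS    dns1
         15M IN A     10.20.0.5
dns1     15M IN A     192.0.2.53
inbound  15M IN A     192.0.2.25
www      15M IN A     10.20.0.5
mail     15M IN CNAME mailhub
mailhub  15M IN A     172.16.4.10
ftp      15M IN A     192.0.2.21
"""

RECORD = re.compile(r"^(\S*)\s+(?:\S+\s+)?IN\s+(\S+)\s+(\S+)")

def find_private_records(zone_text, origin):
    """Return sorted (fqdn, RFC 1918 address) pairs, following in-zone CNAMEs."""
    def fqdn(n):
        return origin if n == "@" else n if n.endswith(".") else f"{n}.{origin}"
    a_records, cnames, owner = {}, {}, origin
    for line in zone_text.splitlines():
        m = RECORD.match(line)
        if not m:
            continue  # $ORIGIN, SOA continuation lines, records with no data
        name, rtype, rdata = m.groups()
        owner = fqdn(name) if name else owner  # blank owner inherits the previous
        if rtype == "A":
            a_records.setdefault(owner, []).append(ipaddress.ip_address(rdata))
        elif rtype == "CNAME":
            cnames[owner] = fqdn(rdata)
    leaks = set()
    for name in list(a_records) + list(cnames):
        target, hops = name, 0
        while target in cnames and hops < 8:  # bounded so CNAME loops terminate
            target, hops = cnames[target], hops + 1
        for addr in a_records.get(target, []):
            if any(addr in net for net in RFC1918):
                leaks.add((name, str(addr)))
    return sorted(leaks)
```

Run against an export of your own public zone, any non-empty result is a candidate for moving to an internal-only (split-horizon) view.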
