[Dshield] Odd DNS name, slightly OT

Coxe, John B. JOHN.B.COXE at saic.com
Fri Oct 26 21:59:14 GMT 2001


Here is the zone xfer I got for them.  It is just a poorly configured DNS.
A lot of domains use a single zone file for hosts inside and outside their
firewall.  I see 10.0.0.1 and 10.0.31.16 here.  It is likely 10.0.0.1 is
just the internal interface of their ftp/http/... server.

I hate seeing this sloppy crap.  But they are just revealing more of their
internal network structure than they should when they do this.  (This case
is minor.  Some domains have an enormous amount of detail to be gleaned from
their public DNS.)

> server 64.224.20.136
Default Server:  dns1.registeredsite.com
Address:  64.224.20.136

> ls -d registeredsite.com
[dns1.registeredsite.com]
$ORIGIN registeredsite.com.
@                       15M IN SOA      dns1 root.dns1 (
                                        97              ; serial
                                        1H              ; refresh
                                        5M              ; retry
                                        1W              ; expiry
                                        15M )           ; minimum

                        15M IN NS       dns1
                        15M IN NS       dns2
                        15M IN NS       dns3
                        15M IN MX       5 mail
                        15M IN A        10.0.0.1
smtp                    15M IN A        64.225.255.129
simap                   15M IN A        64.225.255.140
imta03a2-prod           15M IN A        64.225.255.12
mail                    15M IN CNAME    mailhub
boca-proxy              15M IN A        208.222.107.70
pop                     15M IN A        64.225.255.137
mail-proxy              15M IN A        64.224.20.202
intermail               15M IN MX       10 inbound
spop                    15M IN A        64.225.255.138
imap                    15M IN A        64.225.255.139
report                  15M IN A        64.224.20.209
webmail                 15M IN A        64.225.255.141
exchangemail            15M IN A        64.224.109.10
stats                   15M IN A        64.225.154.112
mailreports             15M IN A        10.0.31.16
fep01                   15M IN A        64.225.255.20
fep02                   15M IN A        64.225.255.21
dns1                    15M IN A        64.224.20.136
prov-proxy              15M IN A        64.224.9.17
dns2                    15M IN A        64.224.20.137
dns3                    15M IN A        64.224.20.138
dns4                    15M IN A        66.111.73.74
exchangeadmin           15M IN A        64.224.109.10
dnsreports              15M IN CNAME    mailreports
ttrc-proxy              15M IN A        64.224.9.16
mailhub                 15M IN A        64.224.9.20
fallback-mx1            15M IN A        64.224.9.15
swebmail                15M IN A        64.225.255.142
mail1                   15M IN A        64.224.9.10
inbound                 15M IN A        64.225.255.131
www                     15M IN A        10.0.0.1
mail2                   15M IN A        64.224.9.11
mail3                   15M IN A        64.224.9.12
mail4                   15M IN A        64.224.9.13
mail5                   15M IN A        64.224.9.14
deadmail                15M IN A        64.224.9.19
netcommerce             15M IN A        216.247.39.254
imta04a2-prod           15M IN A        64.225.255.13
ftp                     15M IN A        10.0.0.1
@                       15M IN SOA      dns1 root.dns1 (
                                        97              ; serial
                                        1H              ; refresh
                                        5M              ; retry
                                        1W              ; expiry
                                        15M )           ; minimum


-----Original Message-----
From: David Sentelle [mailto:David.Sentelle at cnbcbank.com]
Sent: Friday, October 26, 2001 1:11 PM
To: dshield at dshield.org
Subject: [Dshield] Odd DNS name, slightly OT



I was browsing the web pages users on our network had requested, and saw a
website called inbound.registeredsite.com.  This address resolves to
64.255.255.131, which is to my knowledge a valid IP address.  

However, when I see URLs that don't answer web requests, I usually chop off
the third level part of the DNS name and replace it with 'WWW', which left
me browsing to www.registeredsite.com.  Oddly enough, this resolves to
10.0.0.1 which I am sure is a private IP.  I didn't even know that DNS
servers would resolve DNS names to private IPs.  

Registeredsite.com is owned by Network Solutions.  How would they benefit
from pointing people to a private IP address?  Does it conform to the DNS
RFCs to associate a private IP to a public DNS server?

TIA?

----------------------------------------
David Sentelle
Network Operations Specialist
Commerce National Bank
614.334.6282 Voice    614.848.8830 Fax



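The split-horizon leak John points out can be checked mechanically rather than by eye. This is an added example, not code from the original post: it parses a constructed excerpt of the zone listing quoted above (same BIND `ls -d` layout, where a blank owner field inherits the previous owner) and reports every name whose A record, directly or through a CNAME chain such as `dnsreports -> mailreports`, lands in RFC 1918 space.

```python
"""Flag names in a public zone transfer that resolve to private address space.

Added example for the zone listing quoted in the thread; not the poster's code.
"""
import ipaddress
import re

# Constructed excerpt of the listing above; blank owner = previous owner.
ZONE_EXCERPT = """\
$ORIGIN registeredsite.com.
@                       15M IN SOA      dns1 root.dns1 (
                                        97              ; serial
                                        15M )           ; minimum
                        15M IN NS       dns1
                        15M IN MX       5 mail
                        15M IN A        10.0.0.1
smtp                    15M IN A        64.225.255.129
mail                    15M IN CNAME    mailhub
mailreports             15M IN A        10.0.31.16
dnsreports              15M IN CNAME    mailreports
mailhub                 15M IN A        64.224.9.20
www                     15M IN A        10.0.0.1
ftp                     15M IN A        10.0.0.1
"""

# owner (may be empty), optional TTL, class IN, type, rdata
RR = re.compile(r"^(\S*)\s+(?:\S+\s+)?IN\s+(\S+)\s+(\S+)", re.IGNORECASE)


def parse_zone(text):
    """Return ({owner: [ipv4, ...]}, {alias: target}) for A and CNAME records."""
    a_records, cnames, owner = {}, {}, "@"
    for line in text.splitlines():
        m = RR.match(line)
        if not m:
            continue  # $ORIGIN, SOA continuation lines, blanks
        name, rtype, rdata = m.groups()
        if name:  # blank owner field inherits the previous owner
            owner = name.rstrip(".")
        if rtype.upper() == "A":
            a_records.setdefault(owner, []).append(rdata)
        elif rtype.upper() == "CNAME":
            cnames[owner] = rdata.rstrip(".")
    return a_records, cnames


def private_leaks(text):
    """Owners whose address, after following CNAMEs, is private (RFC 1918 etc.)."""
    a_records, cnames = parse_zone(text)
    leaks = {}
    for owner in set(a_records) | set(cnames):
        target, seen = owner, set()
        while target in cnames and target not in seen:  # follow chain, stop on loops
            seen.add(target)
            target = cnames[target]
        for addr in a_records.get(target, []):
            if ipaddress.ip_address(addr).is_private:
                leaks.setdefault(owner, []).append(addr)
    return leaks


if __name__ == "__main__":
    for name, addrs in sorted(private_leaks(ZONE_EXCERPT).items()):
        print(f"{name:<14} -> {', '.join(addrs)}")
```

Run against a full transfer (or a zone file exported from your own server) before publishing it; anything reported here belongs in an internal view, not the public one.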