[Dshield] Question about some DNS issues and IP 81.29.73.67

Stef stefmit at gmail.com
Wed Dec 21 05:51:37 GMT 2005


Starting today around 12:00PM my DNS server started resolving a few
FQDN names, of various hosts on the 'net, to one unique IP:
81.29.73.67 - not many, but enough to warrant questioning. Same names
get properly resolved to the IPs they belong to, using other name
servers. One of those names is www.hoovers.com, for example, which -
using my name server - gets resolved (from cache) to 81.29.73.67,
while all other name servers report it at: 66.179.85.222.

Here is what I was able to dig (no pun intended ;)) up, using a
Comcast name server (not mine!), about the broken IP:

pwrbk:~ scm$ dig -x 81.29.73.67 ns

; <<>> DiG 9.2.2 <<>> -x 81.29.73.67 ns
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 54085
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;67.73.29.81.in-addr.arpa.      IN      NS

;; AUTHORITY SECTION:
73.29.81.in-addr.arpa.  900     IN      SOA     ns.asuk.net. hostmaster.asuk.com. 2005122103 10800 3600 432000 38400

;; Query time: 247 msec
;; SERVER: 68.87.66.196#53(68.87.66.196)
;; WHEN: Tue Dec 20 23:28:57 2005
;; MSG SIZE  rcvd: 108

On the broken DNS server one of the domains wrongfully pointing to the
originally mentioned address comes back, after a dig ns query, with
two name servers SOA for their FQDNs (the ones resolving to
81.29.73.67) to:

x1.streamline.net
and
x2.streamline.net

both of the above resolving, themselves, to - surprise (?!?) - the
same IP as the one reported for my broken FQDNs: 81.29.73.67.

Anybody having any idea how this could happen? I was thinking of some
poisoning earlier in the day, of my DNS server, but why so
preferential, and at such a small scale (only a few FQDNs, totally
disparate) ...

TIA,
Stef
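
Added example (not part of Stef's message): one way to triage the symptom described above is to compare the suspect resolver's answers with a reference resolver's and report any address that unrelated domains have collapsed onto. The helper names and all sample data except www.hoovers.com and its two addresses are assumptions made for this illustration.

```python
from collections import defaultdict

# Constructed sample answers (name -> set of A records). Only www.hoovers.com
# and its two addresses come from the post; every other entry is a placeholder.
SUSPECT = {
    "www.hoovers.com": {"81.29.73.67"},
    "www.example.org": {"81.29.73.67"},
    "www.example.net": {"192.0.2.10"},
    "cdn.example.com": {"203.0.113.5"},
}
REFERENCE = {
    "www.hoovers.com": {"66.179.85.222"},
    "www.example.org": {"198.51.100.7"},
    "www.example.net": {"192.0.2.10"},
    "cdn.example.com": {"203.0.113.9"},
}

def registered_domain(name):
    # Naive "last two labels" rule, an assumption for this example;
    # production code should consult the Public Suffix List.
    return ".".join(name.rstrip(".").lower().split(".")[-2:])

def mismatches(suspect, reference):
    """Names whose suspect answers share no address with the reference."""
    out = {}
    for name, ips in suspect.items():
        ref = reference.get(name)
        # Names the reference could not answer are skipped, not flagged.
        if ref is not None and ips.isdisjoint(ref):
            out[name] = ips
    return out

def shared_targets(suspect, reference, min_domains=2):
    """Map each IP to the mismatched names pointing at it, keeping only IPs
    reached from at least min_domains different registered domains."""
    by_ip = defaultdict(set)
    for name, ips in mismatches(suspect, reference).items():
        for ip in ips:
            by_ip[ip].add(name)
    return {ip: sorted(names) for ip, names in by_ip.items()
            if len({registered_domain(n) for n in names}) >= min_domains}

if __name__ == "__main__":
    for ip, names in shared_targets(SUSPECT, REFERENCE).items():
        print(ip, "<-", ", ".join(names))
```

A single mismatch (cdn.example.com here) is common with CDN or geo-aware DNS, which is why the report keeps only addresses shared by several unrelated domains.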


