[unisog] windowsupdate.com DNS weirdness

Wilson, Barry wilsonbf at wharton.upenn.edu
Thu Sep 1 00:14:37 GMT 2005


It's a CNAME, an obfuscated pointer to another resource. It's done so they can spread the load across multiple servers, and in this case it has multiple levels because they're using a caching provider. I see similar, but not identical, results. Dig provides more information:

username at hostname:~> dig download.microsoft.com

; <<>> DiG 9.2.2 <<>> download.microsoft.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16292
;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;download.microsoft.com.                IN      A

;; ANSWER SECTION:
download.microsoft.com. 1556    IN      CNAME   main.dl.ms.akadns.net.
main.dl.ms.akadns.net.  21      IN      CNAME   dom.dl.ms.akadns.net.
dom.dl.ms.akadns.net.   26      IN      CNAME   dl.ms.d4p.net.
dl.ms.d4p.net.          4661    IN      CNAME   dl.ms.georedirector.akadns.net.
dl.ms.georedirector.akadns.net. 1248 IN CNAME   a767.ms.akamai.net.
a767.ms.akamai.net.     10      IN      A       64.158.176.217
a767.ms.akamai.net.     10      IN      A       64.158.176.214

Regards,
Barry

________________________________

From: unisog-bounces at lists.sans.org on behalf of Harry Hoffman
Sent: Tue 8/30/2005 4:28 PM
To: UNIversity Security Operations Group
Subject: [unisog] windowsupdate.com DNS weirdness



Ok,

I won't claim DNS guru'ness but this just seems quite crazy to me... Is
anyone else seeing this? Does it make sense, and if so, why?

Everything in me is screaming, this is just stupid... hopefully I'm right.


[hhoffman at localhost]# host download.windowsupdate.com
download.windowsupdate.com is an alias for download.windowsupdate.nsatc.net.
download.windowsupdate.nsatc.net is an alias for download.windowsupdate.com.fp.nsatc.net.
download.windowsupdate.com.fp.nsatc.net is an alias for download.windowsupdate.com.c.footprint.net.
download.windowsupdate.com.c.footprint.net has address 209.245.20.93
download.windowsupdate.com.c.footprint.net has address 63.236.48.222
download.windowsupdate.com.c.footprint.net has address 208.172.128.253
download.windowsupdate.com.c.footprint.net has address 208.172.64.254
download.windowsupdate.com.c.footprint.net has address 67.72.8.94


So, this is an alias->alias->alias->several A records?


Thanks,
Harry
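
The alias chain discussed in this thread can be checked mechanically. The following Python is an added example, not code from either poster: it parses a dig ANSWER section (the sample is the one quoted in the reply above), follows the CNAMEs with loop and length checks, and lists the zones the name depends on. The function names and the last-two-labels zone heuristic are assumptions of this example.

```python
# Added example: walk the CNAME chain in a dig ANSWER section.
# SAMPLE is the answer section quoted in the reply above.
SAMPLE = """\
download.microsoft.com. 1556    IN      CNAME   main.dl.ms.akadns.net.
main.dl.ms.akadns.net.  21      IN      CNAME   dom.dl.ms.akadns.net.
dom.dl.ms.akadns.net.   26      IN      CNAME   dl.ms.d4p.net.
dl.ms.d4p.net.          4661    IN      CNAME   dl.ms.georedirector.akadns.net.
dl.ms.georedirector.akadns.net. 1248 IN CNAME   a767.ms.akamai.net.
a767.ms.akamai.net.     10      IN      A       64.158.176.217
a767.ms.akamai.net.     10      IN      A       64.158.176.214
"""

def parse_answer(text):
    """Return (cnames, addrs): owner -> (target, ttl) and owner -> [(ip, ttl)]."""
    cnames, addrs = {}, {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or line.startswith(";") or fields[2] != "IN":
            continue  # skip comments, blank lines and non-record text
        owner, ttl, _, rtype, rdata = fields
        owner = owner.lower().rstrip(".")
        if rtype == "CNAME":
            cnames[owner] = (rdata.lower().rstrip("."), int(ttl))
        elif rtype in ("A", "AAAA"):
            addrs.setdefault(owner, []).append((rdata, int(ttl)))
    return cnames, addrs

def walk_chain(qname, text, max_hops=16):
    """Follow CNAMEs from qname; raise on a loop or an over-long chain."""
    cnames, addrs = parse_answer(text)
    name, chain = qname.lower().rstrip("."), []
    while name in cnames:
        if name in chain or len(chain) >= max_hops:
            raise ValueError(f"CNAME loop or chain too long at {name}")
        chain.append(name)
        name = cnames[name][0]
    chain.append(name)  # final name: the one that owns the address records
    return chain, [ip for ip, _ in addrs.get(name, [])]

def zones_crossed(chain):
    """Distinct zones in chain order (assumption: last two labels = zone)."""
    zones = []
    for name in chain:
        zone = ".".join(name.split(".")[-2:])
        if zone not in zones:
            zones.append(zone)
    return zones

if __name__ == "__main__":
    chain, ips = walk_chain("download.microsoft.com", SAMPLE)
    print(" -> ".join(chain))
    print("zones:", zones_crossed(chain), "addresses:", ips)
```

Each zone in the output is a separate operator whose DNS must be intact for the name to resolve to the intended servers.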