[unisog] windowsupdate.com DNS weirdness
wilsonbf at wharton.upenn.edu
Thu Sep 1 00:14:37 GMT 2005
It's a CNAME, an obfuscated pointer to another resource. It's done so they can spread the load across multiple servers, and in this case it has multiple levels because they're using a caching provider. I see similar, but not identical, results. Dig provides more information:
username at hostname:~> dig download.microsoft.com
; <<>> DiG 9.2.2 <<>> download.microsoft.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16292
;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;download.microsoft.com. IN A
;; ANSWER SECTION:
download.microsoft.com. 1556 IN CNAME main.dl.ms.akadns.net.
main.dl.ms.akadns.net. 21 IN CNAME dom.dl.ms.akadns.net.
dom.dl.ms.akadns.net. 26 IN CNAME dl.ms.d4p.net.
dl.ms.d4p.net. 4661 IN CNAME dl.ms.georedirector.akadns.net.
dl.ms.georedirector.akadns.net. 1248 IN CNAME a767.ms.akamai.net.
a767.ms.akamai.net. 10 IN A 220.127.116.11
a767.ms.akamai.net. 10 IN A 18.104.22.168
From: unisog-bounces at lists.sans.org on behalf of Harry Hoffman
Sent: Tue 8/30/2005 4:28 PM
To: UNIversity Security Operations Group
Subject: [unisog] windowsupdate.com DNS weirdness
I won't claim DNS guru'ness but this just seems quite crazy to me... Is
anyone else seeing this, does it make sense and if so why?
Everything in me is screaming, this is just stupid... hopefully I'm right.
[hhoffman at localhost]# host download.windowsupdate.com
download.windowsupdate.com is an alias for download.windowsupdate.nsatc.net.
download.windowsupdate.nsatc.net is an alias for
download.windowsupdate.com.fp.nsatc.net is an alias for
download.windowsupdate.com.c.footprint.net has address 22.214.171.124
download.windowsupdate.com.c.footprint.net has address 126.96.36.199
download.windowsupdate.com.c.footprint.net has address 188.8.131.52
download.windowsupdate.com.c.footprint.net has address 184.108.40.206
download.windowsupdate.com.c.footprint.net has address 220.127.116.11
So, this is an alias->alias->alias->several A records?
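
The CNAME chain discussed in this thread can be walked mechanically. The following is an added example, not part of either message: it parses the ANSWER section from the dig output above and reports the hops, the final addresses, and the smallest TTL, which is how soon some link in the chain has to be looked up again. The function names and the loop and dangling-alias checks are this example's own.

```python
# Added example: walk the CNAME chain in a dig ANSWER section.
# SAMPLE is copied from the dig output quoted in the thread.
SAMPLE = """\
download.microsoft.com. 1556 IN CNAME main.dl.ms.akadns.net.
main.dl.ms.akadns.net. 21 IN CNAME dom.dl.ms.akadns.net.
dom.dl.ms.akadns.net. 26 IN CNAME dl.ms.d4p.net.
dl.ms.d4p.net. 4661 IN CNAME dl.ms.georedirector.akadns.net.
dl.ms.georedirector.akadns.net. 1248 IN CNAME a767.ms.akamai.net.
a767.ms.akamai.net. 10 IN A 220.127.116.11
a767.ms.akamai.net. 10 IN A 18.104.22.168
"""

def parse_answer(text):
    """Return (cnames, addrs): owner -> (ttl, target), owner -> [(ttl, ip)]."""
    cnames, addrs = {}, {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or line.startswith(";"):
            continue  # skip dig comments, blank lines and truncated records
        owner, ttl, _cls, rtype, rdata = fields
        owner = owner.lower().rstrip(".")
        if rtype == "CNAME":
            cnames[owner] = (int(ttl), rdata.lower().rstrip("."))
        elif rtype in ("A", "AAAA"):
            addrs.setdefault(owner, []).append((int(ttl), rdata))
    return cnames, addrs

def walk_chain(qname, text):
    """Follow CNAMEs from qname; report hops, addresses and smallest TTL."""
    cnames, addrs = parse_answer(text)
    name, chain, ttls = qname.lower().rstrip("."), [], []
    while name in cnames:
        if name in chain:  # an alias pointing back into the chain
            raise ValueError("CNAME loop at " + name)
        chain.append(name)
        ttl, name = cnames[name]
        ttls.append(ttl)
    chain.append(name)  # terminal name: should own the address records
    ips = [ip for _, ip in addrs.get(name, [])]
    ttls += [t for t, _ in addrs.get(name, [])]
    return {"chain": chain, "hops": len(chain) - 1, "addresses": ips,
            "min_ttl": min(ttls) if ttls else None, "dangling": not ips}

if __name__ == "__main__":
    result = walk_chain("download.microsoft.com", SAMPLE)
    print(" -> ".join(result["chain"]))
    print(result["hops"], "hops, min TTL", result["min_ttl"], result["addresses"])
```

A result with "dangling" set means the last alias had no address record in the answer, which is worth a second look when auditing your own zones.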