[unisog] Honeypot in Netherlands mirroring entire DNS structures for some .edu's

Karyn Williams karyn at calarts.edu
Thu Nov 16 22:42:45 GMT 2006


At 04:07 PM 11/16/06 -0500, Bill Owens wrote:
>On Thu, Nov 16, 2006 at 01:59:11PM -0600, John C. A. Bambenek wrote:
>> All-
>> 
>> We just discovered that there is a machine in the Netherlands that is
>> apparently running a honeypot and is mirroring entire DNS structures for
>> some .edu domains.
>
>The zone consists of wildcards:
>
>[cookiemonster:~] owens% dig +noall +answer thisisnotarealname.uiuc.eu
>thisisnotarealname.uiuc.eu. 86400 IN    A       212.79.243.140
>[cookiemonster:~] owens% dig +noall +answer thisisnotarealname.uiuc.eu mx
>thisisnotarealname.uiuc.eu. 86400 IN    MX      5 mail.verkeerspark.nl.
>
>
>I have no idea whether this activity is malicious or not, but it isn't
>'mirroring' domains, only registering them under .eu with the wildcards
>above (and possibly others).
>
>Bill.

Is this like Verisign's wildcard deal? The .eu root must be
directing/referring queries to this DNS server instead of returning an
NXDOMAIN error. Otherwise no client would see a random DNS server.
-- 

Karyn Williams
Network Services Manager
California Institute of the Arts
karyn at calarts.edu
http://www.calarts.edu/network
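
An added example, not part of the original thread: the random-label probe Bill Owens ran by hand, as a check for wildcard answers under a suspected look-alike zone. The function names and the `fake_lookup` resolver stand-in are assumptions; the stand-in is constructed to answer like the `dig` output quoted above.

```python
import secrets

def parse_answers(text):
    """Parse `dig +noall +answer` output into (name, ttl, rtype, rdata) tuples."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        # Expected layout: name ttl class type rdata...
        if len(fields) < 5 or fields[2] != "IN" or not fields[1].isdigit():
            continue
        records.append((fields[0].lower(), int(fields[1]), fields[3],
                        " ".join(fields[4:])))
    return records

def wildcard_rdata(zone, lookup, rtype="A", probes=3):
    """Return the shared rdata set if several random labels under `zone` all
    get the same non-empty answer (wildcard behaviour), otherwise None."""
    seen = None
    for _ in range(probes):
        # A random 16-hex-digit label will not exist as a real record.
        name = f"{secrets.token_hex(8)}.{zone}"
        rdata = frozenset(r[3] for r in parse_answers(lookup(name, rtype))
                          if r[2] == rtype)
        if not rdata or (seen is not None and rdata != seen):
            return None
        seen = rdata
    return set(seen)

def fake_lookup(name, rtype):
    """Constructed resolver stand-in that answers like the zone quoted above."""
    fqdn = name.rstrip(".") + "."
    if fqdn.endswith(".uiuc.eu."):
        if rtype == "A":
            return f"{fqdn} 86400 IN    A       212.79.243.140\n"
        if rtype == "MX":
            return f"{fqdn} 86400 IN    MX      5 mail.verkeerspark.nl.\n"
    return ""  # no answer section, as dig prints for NXDOMAIN or NODATA

if __name__ == "__main__":
    print(wildcard_rdata("uiuc.eu", fake_lookup))       # wildcard A answer
    print(wildcard_rdata("example.org", fake_lookup))   # None: no wildcard
```

To run it against live DNS, replace `fake_lookup` with a function that returns the text of `dig +noall +answer <name> <type>`.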

