[unisog] Honeypot in Netherlands mirroring entire DNS structures for some .edu's

Karyn Williams karyn at calarts.edu
Thu Nov 16 22:42:45 GMT 2006

At 04:07 PM 11/16/06 -0500, Bill Owens wrote:
>On Thu, Nov 16, 2006 at 01:59:11PM -0600, John C. A. Bambenek wrote:
>> All-
>> We just discovered that there is a machine in the Netherlands that is
>> apparently running a honeypot and is mirroring entire DNS structures for
>> some .edu domains.
>The zone consists of wildcards:
>[cookiemonster:~] owens% dig +noall +answer thisisnotarealname.uiuc.eu
>thisisnotarealname.uiuc.eu. 86400 IN    A
>[cookiemonster:~] owens% dig +noall +answer thisisnotarealname.uiuc.eu mx
>thisisnotarealname.uiuc.eu. 86400 IN    MX      5 mail.verkeerspark.nl.
>I have no idea whether this activity is malicious or not, but it isn't
>'mirroring' domains, only registering them under .eu with the wildcards
>above (and possibly others).

Is this like Verisign's wildcard deal? The .eu root must be
directing/referring queries to this DNS server instead of returning an
NXDOMAIN error. Otherwise no client would see a random DNS server.

Karyn Williams
Network Services Manager
California Institute of the Arts
karyn at calarts.edu
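
The random-name probe from the quoted dig output, extended to tell a wildcard served by the TLD itself apart from a wildcard inside a registered domain's zone. This is an added example, not part of the original message; the resolver function, the sample records and the 192.0.2.10 address are constructed for illustration.

```python
import secrets

# Constructed sample data standing in for live DNS answers. "*.uiuc.eu" models
# the wildcard zone from the dig output in the thread; 192.0.2.10 is a
# documentation address (assumption), not a value from the thread.
SAMPLE_ZONE = {
    ("*.uiuc.eu", "A"): ["192.0.2.10"],
    ("*.uiuc.eu", "MX"): ["5 mail.verkeerspark.nl."],
    ("uiuc.eu", "A"): ["192.0.2.10"],
}

def sample_resolve(name, rrtype):
    """Hypothetical offline resolver: exact match, then closest wildcard."""
    name = name.rstrip(".").lower()
    if (name, rrtype) in SAMPLE_ZONE:
        return SAMPLE_ZONE[(name, rrtype)]
    labels = name.split(".")
    for i in range(1, len(labels)):  # try each ancestor, closest first
        key = ("*." + ".".join(labels[i:]), rrtype)
        if key in SAMPLE_ZONE:
            return SAMPLE_ZONE[key]
    return []  # stands for NXDOMAIN / no data

def random_label():
    # Long random label, so a hit cannot be a real registered name.
    return "wc-probe-" + secrets.token_hex(8)

def is_wildcarded(parent, resolve, rrtype="A", probes=3):
    """True if several random labels under `parent` all get the same non-empty answer."""
    answers = [tuple(sorted(resolve(f"{random_label()}.{parent}", rrtype)))
               for _ in range(probes)]
    return bool(answers[0]) and len(set(answers)) == 1

def locate_wildcard(domain, resolve):
    """Return 'tld', 'zone' or 'none' depending on where random names start resolving."""
    domain = domain.rstrip(".").lower()
    tld = domain.rsplit(".", 1)[-1]
    if is_wildcarded(tld, resolve):
        return "tld"    # registry-level wildcard: random second-level names resolve
    if is_wildcarded(domain, resolve):
        return "zone"   # TLD answers NXDOMAIN; wildcard is in the registered zone
    return "none"

if __name__ == "__main__":
    print(locate_wildcard("uiuc.eu", sample_resolve))
```

To run it against live DNS, pass a `resolve(name, rrtype)` function backed by a real resolver in place of `sample_resolve`.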
