Dan wrote in with some interesting results after a co-worker reported an unusual error. Is anyone else seeing similar problems or results? A DNS lookup shows the NS records pointing to servers at JOMAX.NET.
Christopher Carboni - Handler On Duty, Jul 20th 2011
The whois stuff is a known issue with the way whois for domain names works and does not indicate a problem. See http://lists.grok.org.uk/pipermail/full-disclosure/2003-December/015111.html
Anonymous, Jul 20th 2011
Your WHOIS lookup is returning a DNS domain server address somebody registered.
It is basically what I call a form of "WHOIS Spam". When you register a DNS server with the registrar, for example NS1.EXAMPLE.COM, a WHOIS entry is created for the nameserver. If your nameserver happens to be named NS1.blahblahblah.com.foobar.example.com, then a WHOIS lookup for blahblahblah.com will find your nameserver in the WHOIS database. And nameserver addresses are displayed in priority over domain names.
Mysid, Jul 20th 2011
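The two posts above describe the same effect: a bare `whois <domain>` can match a nameserver host record whose name merely contains the domain, and that host record is printed ahead of the domain's own entry. The script below, added here as an example and not code from the thread or from any whois client, parses thin-registry style output ("Server Name:" for host records, "Domain Name:" for domain records), reports whether the first match is a foreign host record rather than the domain itself, and suggests the keyword-qualified re-query. The output format, the sample text and the `domain` query keyword are assumptions for illustration.

```python
"""Telling a matched nameserver host record apart from the domain's own
whois entry. Added example, not code from the thread or from any whois
client. The record labels ('Server Name:' for hosts, 'Domain Name:' for
domains) follow the thin-registry output style; that format, the sample
output and the keyword-qualified re-query are assumptions for illustration.
"""
import re

# One regex covers both record kinds; 'Name Server:' lines inside a domain
# record deliberately do not match.
RECORD_RE = re.compile(r"^\s*(Server Name|Domain Name):\s*(\S+)", re.M | re.I)


def parse_records(text):
    """Return (kind, name) tuples in the order the whois server printed them."""
    out = []
    for m in RECORD_RE.finditer(text):
        kind = "host" if m.group(1).lower().startswith("server") else "domain"
        out.append((kind, m.group(2).rstrip(".").lower()))
    return out


def whois_verdict(domain, text):
    """Say what a bare 'whois <domain>' actually matched first.

    A host record is 'own' when it sits under the queried domain
    (ns1.example.com for example.com) and 'foreign' when it merely contains
    the domain as a substring (ns1.example.com.foobar.other.com), which is
    the WHOIS-spam case described in the thread.
    """
    domain = domain.lower().rstrip(".")
    records = parse_records(text)
    foreign = [n for k, n in records if k == "host" and not n.endswith("." + domain)]
    first = records[0] if records else None
    return {
        "first_record": first,
        "shadowed_by_foreign_host": bool(first and first[0] == "host" and first[1] in foreign),
        "domain_record_present": ("domain", domain) in records,
        "foreign_hosts": foreign,
        "requery": f"whois 'domain {domain}'",  # keyword form: assumption
    }


# Constructed sample, using the hostnames from the thread and a
# documentation-range IP.
SAMPLE_WHOIS = """\
   Server Name: NS1.BLAHBLAHBLAH.COM.FOOBAR.EXAMPLE.COM
   IP Address: 192.0.2.1
   Registrar: EXAMPLE REGISTRAR, LLC

   Domain Name: BLAHBLAHBLAH.COM
   Registrar: EXAMPLE REGISTRAR, LLC
   Name Server: NS1.EXAMPLE.NET
   Name Server: NS2.EXAMPLE.NET
"""

if __name__ == "__main__":
    for key, value in whois_verdict("blahblahblah.com", SAMPLE_WHOIS).items():
        print(f"{key}: {value}")
```

Run it as-is to see the constructed case: the first record is a host under example.com that only contains "blahblahblah.com" as a substring, so the verdict flags it as shadowing and points at the domain's own record further down.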
If you get a result which points to jomax.net you know that the DNS server is frontended by a Paxfire device.
Paxfire == stealin' yer queries since 2004... maybe the Bing lawyers should give gblx a call?
Mysid, Jul 20th 2011
This appears to be an ISP-specific configuration for a high-traffic hostname. When querying a Global Crossing DNS server, the A records for search.live.com are pointing to IPs owned by Internap and Level3, both of which provide CDN services. Based on my experience, IPs in these netblocks have long been used for content delivery for other popular hostnames. Additionally, Level3 is currently in the process of acquiring Global Crossing.
Mysid, Jul 20th 2011
This is Paxfire. Paxfire hijacks Yahoo, Bing, and sometimes Google, in cooperation with the ISP to act as a MitM through these proxies. This is in addition to Paxfire's "normal" behavior of wildcarding NXDOMAINs. We generically detect this in Netalyzr (http://netalyzr.icsi.berkeley.edu).
Mysid, Jul 20th 2011
It is Global Crossing's DNS servers; looking a little more at our Netalyzr data, we see that IP being served by various Global Crossing resolvers but no others.
Mysid, Jul 20th 2011
I have known about this problem since 2010.
On a Windows XP PC running TcpView from Sysinternals, I saw connections to strange IPs when I was connecting to Bing (HTTP, TCP port 80). So I wrote to my hostmaster:

> -----------------------------------------------
> From: Heinrich Elsigan
> Sent: Monday, 26. July 2010 03:32
> To: hostmaster@chello.at
> Subject: DNS Problem
>
> Dear hostmaster,
> I retain via DHCP from my cable modem the
> following name servers ...
> Are they poisoned, cause when I make a
> nslookup www.bing.com or www.irs.gov I get
> strange IPs, that I don't get from anywhere else:
>
> nslookup ww.bing.com.
> Name: a134.g.akamai.net
> Addresses: 78.128.147.42, 78.128.147.18
> Aliases: www.bing.com,
> search.ms.com.edgesuite.net
>
> nslookup www.irs.gov.
> Name: a321.g.akamai.net
> Addresses: 78.128.147.26, 78.128.147.24
> Aliases: www.irs.gov,
> www.edgeredirector.irs.akadns.net
>
> Kind Regards, Heinrich.

Hostmaster didn't help me, so I talked to other networking expert guys. They mean: "Don't be paranoid, that's a cloudy solution, where every ISP directs search requests to another server, no more round robin at all, maybe they like to make statistics or ..." I answered: "Ah cool, so the end user will never know if it's DNS poisoning or a cloud solution!"
Mysid, Jul 20th 2011
Take a look at the following FQDNs:
www.visa.com, www.f-secure.com, www.trendmicro.com. For example, www.visa.com is mostly mapped to a294.g.akamai.net. I got these IPs: 2.21.246.80, 2.21.246.79, 2.20.182.9, 2.20.182.49, 193.170.140.79, 193.170.140.86. See http://www.akamai.com or ask Google: http://www.google.com/#q=site:akamai.net&num=100&hl=en&newwindow=1&safe=off&start=0&sa=N
Regards, Heinrich.
Mysid, Jul 20th 2011
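The thread offers three distinct signals for what an ISP resolver may be doing: NS records under jomax.net (the Paxfire front end mentioned above), NXDOMAIN wildcarding, and answers that differ from another resolver's only because a CDN such as Akamai steers clients to a different edge, which is what Heinrich's nslookup output shows. The script below, added as an example and not code from the thread or from Netalyzr, puts those signals into one triage routine: it parses Windows-style nslookup output like the block Heinrich pasted, compares an ISP resolver's answers with a reference resolver's, and labels each name. All input is constructed and the script runs offline; the documentation-range addresses, the `Answer` structure, the limited CDN suffix list and the `can't find` error marker are assumptions.

```python
"""Resolver-divergence triage. Added example, not code from the thread or
from Netalyzr. Compares one ISP resolver's answers with a reference
resolver's and classifies each difference with the thread's indicators:
NS names under jomax.net (Paxfire front end), a made-up name resolving
only at the ISP (NXDOMAIN wildcarding), and different IPs behind the same
CDN CNAME tail (CDN steering, as in the quoted Akamai answers). Samples
are constructed; IPs are documentation addresses; the CDN suffix list is
an assumption limited to names quoted in the thread.
"""
from dataclasses import dataclass

PAXFIRE_NS_SUFFIX = "jomax.net"
CDN_SUFFIXES = ("akamai.net", "akadns.net", "edgesuite.net")


@dataclass(frozen=True)
class Answer:
    """One resolver's view of a name."""
    addrs: frozenset = frozenset()  # final A records
    cnames: tuple = ()              # CNAME chain, queried name excluded
    ns: tuple = ()                  # NS names seen in a referral, if any
    nxdomain: bool = False


def _under(name, suffix):
    name = name.lower().rstrip(".")
    return name == suffix or name.endswith("." + suffix)


def parse_nslookup(queried, text):
    """Build an Answer from a Windows-style 'Name: / Addresses: / Aliases:'
    block. Indented lines continue the previous field; the "can't find"
    error text is the assumed marker for a non-existent name."""
    if "can't find" in text.lower():
        return Answer(nxdomain=True)
    fields, key = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and key:
            fields[key] += " " + raw.strip()
        elif ":" in raw:
            key, _, val = raw.partition(":")
            key = key.strip().lower()
            fields[key] = val.strip()

    def split(v):
        return tuple(p.strip().rstrip(".") for p in v.split(",") if p.strip())

    queried = queried.lower().rstrip(".")
    canonical = fields.get("name", "").rstrip(".")
    chain = [a for a in split(fields.get("aliases", "")) if a.lower() != queried]
    if canonical and canonical.lower() != queried:
        chain.append(canonical)
    addrs = split(fields.get("addresses", fields.get("address", "")))
    return Answer(addrs=frozenset(addrs), cnames=tuple(chain))


def _cdn(answer):
    return next((s for c in answer.cnames for s in CDN_SUFFIXES if _under(c, s)), None)


def classify(isp, ref):
    """Verdict for one name given the ISP resolver's and the reference answer."""
    if any(_under(n, PAXFIRE_NS_SUFFIX) for n in isp.ns):
        return "paxfire-frontend"
    if isp.nxdomain and ref.nxdomain:
        return "consistent-nxdomain"
    if isp.nxdomain != ref.nxdomain:
        return "nxdomain-wildcarded" if ref.nxdomain else "isp-nxdomain-only"
    if isp.addrs == ref.addrs:
        return "consistent"
    if _cdn(isp) and _cdn(isp) == _cdn(ref):
        return "cdn-steering"     # same CDN, different edge: what Heinrich saw
    return "divergent-suspect"    # different answers, no shared CDN chain


def triage(isp_view, ref_view):
    """Classify every name present in both views."""
    return {n: classify(isp_view[n], ref_view[n]) for n in isp_view if n in ref_view}


# Constructed samples in the format Heinrich pasted, with the thread's
# Akamai names; the addresses are placeholders.
BING_ISP_TEXT = """Name:    a134.g.akamai.net
Addresses:  198.51.100.42, 198.51.100.18
Aliases:  www.bing.com,
          search.ms.com.edgesuite.net
"""
BING_REF_TEXT = """Name:    a134.g.akamai.net
Addresses:  203.0.113.7, 203.0.113.9
Aliases:  www.bing.com, search.ms.com.edgesuite.net
"""
SAMPLE_ISP = {
    "www.bing.com": parse_nslookup("www.bing.com", BING_ISP_TEXT),
    "search.live.com": Answer(addrs=frozenset({"192.0.2.10"}), ns=("ns1.jomax.net",)),
    "nosuchname-7f3a.example": Answer(addrs=frozenset({"192.0.2.53"})),
    "www.example.com": Answer(addrs=frozenset({"192.0.2.80"})),
}
SAMPLE_REF = {
    "www.bing.com": parse_nslookup("www.bing.com", BING_REF_TEXT),
    "search.live.com": Answer(addrs=frozenset({"203.0.113.1"})),
    "nosuchname-7f3a.example": Answer(nxdomain=True),
    "www.example.com": Answer(addrs=frozenset({"192.0.2.80"})),
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_ISP, SAMPLE_REF).items():
        print(f"{name:26} {verdict}")
```

The design point is the order of the checks: a jomax.net NS name is reported before anything else, a name that exists only at the ISP is reported as wildcarding regardless of which addresses come back, and only after the addresses are known to differ does the CNAME chain decide between CDN steering and a divergence worth investigating. To use it against live resolvers, feed nslookup output captured from each resolver into `parse_nslookup` and put the results into the two dictionaries.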
Cloudy is the best way to describe the web now.
We spent the last 20 years doing away with what they now call ... the cloud! We built data centers to handle load, and made peering arrangements to various backbones to carry our traffic quickly. Now we are in effect going backwards, but doing so in a very awkward way. All of these cloud providers have limitations on what and how you deploy. Next, you can add more virtual kick to your cloud in an instant. But is it your cloud? NO! It is something you share, and something that breaks out serious security threats every step of the way.

You controlled your data center, but you do not control the cloud. You controlled your data, but now the cloud controls your data. You secured your data, but now the cloud secures your data. You knew when something was broken in your data center and were able to offload to another machine or cluster yourself; now you have no clue when some part of your cloud malfunctions. You had everything, and now you have nothing!

The next problem is security from the end-user perspective. What comes from where? Is it supposed to be that way? Can it be trusted? NO, it cannot! Cloud is a cheap way to do things, but it forfeits all of the security we have built into the Internet in one quick shot! I for one do not support anything cloud based, with perhaps the exception of video content delivery, which must not have lag time or it will fail. We have enough of a hard time identifying real threats without all of these virtual crap shooters surrounding us! Soon institutions will be forced to block cloud IP ranges to stay secure, and then we will see what happens. The cloud then equals a puddle we step around. It will fail unless something changes fast.
Al of Your Data Center, Jul 21st 2011
And I think it is a whois spam also used by small domain sellers.
WEB TASARIM, Jul 24th 2011