[nSLUG] EastLink hijacking DNS

Greg Estabrooks greg at phaze.org
Fri Nov 6 08:49:40 AST 2009


> Really? Is Eastlink's DNS returning something for, say, "host 
> badnname.dns.com. 24.222.0.94" as well as "host 
> baddnsname.dns.com.eastlink.ca 24.222.0.94"?
>
> Are you getting assigned different DNS servers by DHCP, perhaps? I'm 
> assigned 24.222.0.94 and 24.222.0.95 and don't see this myself from either 
>   

 It looks to me like they're only doing it on lookups of A records that 
have a www in the front of the hostname.
Disgusting practice.


08:45:08.028531 IP 24.222.xxx.yyy.2048 > 24.222.0.94.53:  12852+ A? www.this.host.doesnt.exist.phaze.org. (54)
08:45:08.039149 IP 24.222.0.94.53 > 24.222.xxx.yyy.2048:  12852 1/0/0 A 199.101.28.10 (70)


08:46:00.498701 IP 24.222.xxx.yyy.2048 > 24.222.0.94.53:  53558+ A? this.host.doesnt.exist.phaze.org. (50)
08:46:00.539576 IP 24.222.0.94.53 > 24.222.xxx.yyy.2048:  53558 NXDomain 0/1/0 (95)


08:46:25.869118 IP 24.222.xxx.yyy.2048 > 24.222.0.94.53:  37887+ MX? this.host.doesnt.exist.phaze.org (60)
08:46:25.876904 IP 24.222.0.94.53 > 24.222.xxx.yyy.2048:  37887 NXDomain 0/1/0 (105)
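
The comparison the capture above makes by hand, as an added example that is not part of the original message: it pairs each tcpdump query line with its reply by resolver address and DNS ID, then reports whether a name known not to exist came back as NXDomain or with an A record. The function name `audit` and its suffix argument are assumptions of this example; the capture lines are the ones from the post with the e-mail line wrapping rejoined.

```python
import re

# tcpdump lines from the post above, with the e-mail line wrapping rejoined.
CAPTURE = """\
08:45:08.028531 IP 24.222.xxx.yyy.2048 > 24.222.0.94.53:  12852+ A? www.this.host.doesnt.exist.phaze.org. (54)
08:45:08.039149 IP 24.222.0.94.53 > 24.222.xxx.yyy.2048:  12852 1/0/0 A 199.101.28.10 (70)
08:46:00.498701 IP 24.222.xxx.yyy.2048 > 24.222.0.94.53:  53558+ A? this.host.doesnt.exist.phaze.org. (50)
08:46:00.539576 IP 24.222.0.94.53 > 24.222.xxx.yyy.2048:  53558 NXDomain 0/1/0 (95)
08:46:25.869118 IP 24.222.xxx.yyy.2048 > 24.222.0.94.53:  37887+ MX? this.host.doesnt.exist.phaze.org (60)
08:46:25.876904 IP 24.222.0.94.53 > 24.222.xxx.yyy.2048:  37887 NXDomain 0/1/0 (105)
"""

# Query: client > resolver.53: <id><flags> <type>? <name>
QUERY = re.compile(r">\s*(\S+)\.53:\s+(\d+)\S*\s+([A-Z]+)\?\s+(\S+)")
# Reply: resolver.53 > client: <id><flags> <rcode or counts and records> (len)
REPLY = re.compile(r"IP (\S+)\.53 > \S+:\s+(\d+)\S*\s+(.*?)\s*\(\d+\)$")


def audit(capture, nonexistent_suffix):
    """Return (qtype, name, verdict) for each answered probe under a suffix
    the operator knows has no records (assumption of this example)."""
    pending, results = {}, []
    for line in capture.splitlines():
        q = QUERY.search(line)
        if q:
            resolver, txid, qtype, name = q.groups()
            pending[(resolver, txid)] = (qtype, name.rstrip("."))
            continue
        r = REPLY.search(line)
        if not r:
            continue
        resolver, txid, body = r.groups()
        probe = pending.pop((resolver, txid), None)
        if probe is None or not probe[1].endswith(nonexistent_suffix):
            continue  # unsolicited reply, or a name we cannot judge
        if "NXDomain" in body:
            verdict = "NXDOMAIN"
        else:
            addrs = re.findall(r"\bA (\d+\.\d+\.\d+\.\d+)", body)
            verdict = "REWRITTEN -> " + ",".join(addrs) if addrs else "OTHER"
        results.append((probe[0], probe[1], verdict))
    return results


if __name__ == "__main__":
    for qtype, name, verdict in audit(CAPTURE, "doesnt.exist.phaze.org"):
        print(f"{qtype:3} {name:40} {verdict}")
```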





