[bdNOG] internic.net whois output

Brian Candler brian at nsrc.org
Fri Jan 30 14:41:17 BDT 2015


On 29/01/2015 16:07, Fakrul Alam wrote:
> seems to be Ghost bug. it's only returning these kind of output for high
> profile domain like yahoo.com, google.com, gmail.com. for others seems
> ok.
No, it's nothing to do with Ghost (*)

The whois database stores records for domains (e.g. cnn.com) and also 
nameservers which those domains are delegated to (e.g. ns1.timewarner.net).

So juvenile people have realised that if they create any domain, and 
delegate it to a nameserver called e.g.
"microsoft.com.sucks.mydomain.com"
then anyone who does a whois query for microsoft.com will also see their 
nameserver listed. Very funny.

Regards,

Brian.

(*) Ghost is a bug which:
(1) Involves a client doing name to IP resolution. Note that a whois 
query does *not* do any resolution, since it's not a DNS query; it's a 
query of the registry's database using the whois protocol.
(2) The client uses the gethostbyname() call to do this resolution.
(3) The name to be resolved is supplied by the attacker, e.g. as part of 
the HELO/EHLO in an SMTP connection.
(4) The name is specially crafted to overflow a buffer.


