[bdNOG] NXDOMAIN and associated issue at BDNOG event places in GS, Sreemongal

Anurag Bhatia me at anuragbhatia.com
Fri Nov 13 06:16:07 BDT 2015


OK - I looked into it a bit.


It seems to be a known backdoor in MikroTik. Likely the event hotel is running
a MikroTik which has this backdoor.


http://www.r00t.cz/Misc/MikrotikBackdoor



This results in behaviour where, instead of returning NXDOMAIN, the resolver
returns NOERROR and an A record pointing towards 218.93.250.18.


Do we have IT folks from event hotel on mailing list? :)




On Wed, Nov 11, 2015 at 7:33 PM, Anurag Bhatia <me at anuragbhatia.com> wrote:

> Noticed a weird NXDOMAIN issue at the bdNOG4 event place in Sreemongal.
>
>
>
>
>
> My system's DNS servers:
>
> nameserver 8.8.8.8
> nameserver 220.247.160.5
> nameserver 119.18.150.2
>
>
>
>
> dig asdfadffwedfqwefdweqdf.sdasdasd a
>
> ; <<>> DiG 9.8.3-P1 <<>> asdfadffwedfqwefdweqdf.sdasdasd a
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24775
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;asdfadffwedfqwefdweqdf.sdasdasd. IN A
>
> ;; ANSWER SECTION:
> asdfadffwedfqwefdweqdf.sdasdasd. 60 IN A 218.93.250.18
>
> ;; Query time: 147 msec
> ;; SERVER: 8.8.8.8#53(8.8.8.8)
> ;; WHEN: Wed Nov 11 19:26:41 2015
> ;; MSG SIZE  rcvd: 65
>
>
>
>
>
> 218.93.250.18 belongs to AS4134.
>
>
>
> Overall it seems like all NXDOMAIN queries are being hijacked no matter
> which DNS server I send the query to.
>
>
> dig @208.67.222.222 asddwedqwdqwd.qwdqwdqwd
>
> ; <<>> DiG 9.8.3-P1 <<>> @208.67.222.222 asddwedqwdqwd.qwdqwdqwd
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60497
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;asddwedqwdqwd.qwdqwdqwd. IN A
>
> ;; ANSWER SECTION:
> asddwedqwdqwd.qwdqwdqwd. 60 IN A 218.93.250.18
>
> ;; Query time: 489 msec
> ;; SERVER: 208.67.222.222#53(208.67.222.222)
> ;; WHEN: Wed Nov 11 19:27:54 2015
> ;; MSG SIZE  rcvd: 57
>
>
>
>
>
>
> Thanks.
>
>
>
>
> --
>
>
> Anurag Bhatia
> anuragbhatia.com
>
>
> PGP Key Fingerprint: 3115 677D 2E94 B696 651B 870C C06D D524 245E 58E2
>



-- 


Anurag Bhatia
anuragbhatia.com


PGP Key Fingerprint: 3115 677D 2E94 B696 651B 870C C06D D524 245E 58E2
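The check the thread performs by hand (query a random name that cannot exist against several resolvers and see whether NXDOMAIN comes back or a NOERROR with an A record) can be scripted. The following is an added example, not code from the original message or from any of the parties mentioned; it uses only the Python standard library and builds the DNS packets itself. The resolver list is an assumption taken from the addresses used in the thread, and build_response exists only to construct sample replies for offline testing (the hijacked sample uses the 218.93.250.18 address reported above).

```python
"""Probe resolvers with random nonexistent names and flag NXDOMAIN hijacking."""
import random
import socket
import string
import struct

# Assumed resolver list: the two public resolvers queried in the thread.
RESOLVERS = ["8.8.8.8", "208.67.222.222"]

RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def random_name(rng=random):
    """Random label under a random 9-letter TLD: no such name can be delegated."""
    alphabet = string.ascii_lowercase
    label = "".join(rng.choice(alphabet) for _ in range(20))
    tld = "".join(rng.choice(alphabet) for _ in range(9))
    return f"{label}.{tld}"


def build_query(name, txid):
    """Encode a standard recursive (RD=1) A/IN query for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def build_response(name, txid, rcode, addrs=(), ttl=60):
    """Constructed reply for offline testing (not a real resolver's output):
    QR/RD/RA set, given rcode, one A record per address, names compressed
    with a pointer to the question name at offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(addrs), 0, 0)
    question = build_query(name, txid)[12:]
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(a)
                   for a in addrs)
    return header + question + rrs


def _skip_name(msg, off):
    """Advance past a wire-format name (labels or a compression pointer)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Return (rcode, list of IPv4 strings from A records in the answer section)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return rcode, addrs


def classify(rcode, addrs):
    """Label a reply the way the thread describes the symptom."""
    if rcode == 3:
        return "ok: NXDOMAIN"
    if rcode == 0 and addrs:
        return "HIJACKED: NOERROR with A " + ",".join(addrs)
    return "unexpected: " + RCODE_NAMES.get(rcode, str(rcode))


def probe(resolver, name, timeout=3.0):
    """Send one UDP query to `resolver` and classify the matching reply."""
    txid = random.randrange(0, 65536)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, txid), (resolver, 53))
        while True:  # discard anything whose transaction id does not match ours
            data, _peer = sock.recvfrom(4096)
            if len(data) >= 12 and struct.unpack("!H", data[:2])[0] == txid:
                break
        return classify(*parse_response(data))
    except socket.timeout:
        return "no reply"
    finally:
        sock.close()


if __name__ == "__main__":
    for resolver in RESOLVERS:
        name = random_name()
        print(resolver, name, probe(resolver, name))
```

On a clean network every resolver should report "ok: NXDOMAIN"; the pattern in the thread, the same NOERROR/A answer from every resolver address, is the one the HIJACKED label catches. A fresh random name per query matters: re-using one would only test whether the hijacker's answer is cached.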

