[bdNOG] About google.com.bd

Kabindra Shrestha kabindra at geeks.net.np
Tue Dec 20 12:12:02 BDT 2016


It's not only google.com.bd; I can see that facebook.com.bd and gmail.com.bd are also pointed to the same name servers.

$ dig @surma.btcl.net.bd google.com.bd

; <<>> DiG 9.11.0-P1 <<>> @surma.btcl.net.bd google.com.bd
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60555
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com.bd.			IN	A

;; AUTHORITY SECTION:
google.com.bd.		86400	IN	NS	ns602.dnsserverboot.com.
google.com.bd.		86400	IN	NS	ns601.dnsserverboot.com.

;; Query time: 495 msec
;; SERVER: 203.112.194.232#53(203.112.194.232)
;; WHEN: Tue Dec 20 11:46:15 NPT 2016
;; MSG SIZE  rcvd: 99

$ dig @surma.btcl.net.bd facebook.com.bd

; <<>> DiG 9.11.0-P1 <<>> @surma.btcl.net.bd facebook.com.bd
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22679
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;facebook.com.bd.		IN	A

;; AUTHORITY SECTION:
facebook.com.bd.	86400	IN	NS	ns601.dnsserverboot.com.
facebook.com.bd.	86400	IN	NS	ns602.dnsserverboot.com.

;; Query time: 683 msec
;; SERVER: 203.112.194.232#53(203.112.194.232)
;; WHEN: Tue Dec 20 11:46:28 NPT 2016
;; MSG SIZE  rcvd: 101

$ dig @surma.btcl.net.bd gmail.com.bd

; <<>> DiG 9.11.0-P1 <<>> @surma.btcl.net.bd gmail.com.bd
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47589
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;gmail.com.bd.			IN	A

;; AUTHORITY SECTION:
gmail.com.bd.		86400	IN	NS	ns602.dnsserverboot.com.
gmail.com.bd.		86400	IN	NS	ns601.dnsserverboot.com.

;; Query time: 482 msec
;; SERVER: 203.112.194.232#53(203.112.194.232)
;; WHEN: Tue Dec 20 11:46:35 NPT 2016
;; MSG SIZE  rcvd: 98

Someone should contact BTCL about this incident. They should try to quickly revert back to their original content. Since all .BD and *.BD slaves are carrying the same content with bad NS records, I am thinking their master server/registry is compromised, so before they figure out what the actual reason is, they
- should close down the domain registry portal
- should filter the access to the main master server
- should revert back to the original content from the backup (PCH should be able to help with the backup content, if needed)


Thank you.
 -kabindra


> On Dec 20, 2016, at 11:52 AM, Omar Ali <omarali113 at gmail.com> wrote:
> 
> DNS administrators can resolve the issue temporarily by adding the below lines in your named.conf of BIND
> 
> zone "google.com.bd" IN {
>     type forward;
>     forwarders {  216.239.32.10; 216.239.34.10; 216.239.36.10; 216.239.38.10; };
> };
> 
> Don't forget to restart DNS service... ;)
> 
> Regards,
> Omar
> 
> 
> 
> On Tue, Dec 20, 2016 at 12:01 PM, Tanvir Tuhin <tanvir233 at gmail.com> wrote:
> Hi
> 
> Is the Google site hacked or is BTCL DNS hacked!!!
> 
> On Tue, Dec 20, 2016 at 11:53 AM, Farhad Ahmed <farhad.ctg at gmail.com> wrote:
> Hi,
> 
> Also getting wrong DNS IP for google.com.bd.
> 
> Regards,
> Farhad
> 
> On Tue, Dec 20, 2016 at 11:49 AM, Farhad Ahmed <farhad.ctg at gmail.com> wrote:
> Hi, yes,
> 
> We are also getting this site. It seems google.com.bd is hacked.
> <hacked.png>
> 
> 
> 
> On Tue, Dec 20, 2016 at 11:33 AM, Omar Ali <omarali113 at gmail.com> wrote:
> Dear,
> 
> Please, someone help BTCL fix the NS record to the actual NS.
> 
> <image.png>
> 
> Regards,
> Omar
> 
> _______________________________________________
> nog mailing list
> nog at bdnog.org
> http://mailman.bdnog.org/mailman/listinfo/nog
> 
> 
> 
> 
> --
> Regards,
> Farhad Ahmed
> Infrastructure Team Lead
> Network and Security
> Infrastructure Management | Technology | Accenture
> Mobile: +8801711082118
> Email: farhad.ahmed at accenture.com
> farhad.ctg at gmail.com
> www.accenture.com
> 
> --
> Thanks and rgds.
> 
> Md Tanvir Ahmed Tuhin
> 
> 
> _______________________________________________
> nog mailing list
> nog at bdnog.org
> http://mailman.bdnog.org/mailman/listinfo/nog
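
An added example, not part of the original thread: the check made by hand with dig above, automated so that delegation changes and unrelated names sharing one NS set are flagged. The NS lines are copied from the dig output in this message; the baseline names and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# NS lines as they appear in the AUTHORITY sections of the dig output above.
DIG_OUTPUT = """\
;; AUTHORITY SECTION:
google.com.bd.    86400  IN  NS  ns602.dnsserverboot.com.
google.com.bd.    86400  IN  NS  ns601.dnsserverboot.com.
;; AUTHORITY SECTION:
facebook.com.bd.  86400  IN  NS  ns601.dnsserverboot.com.
facebook.com.bd.  86400  IN  NS  ns602.dnsserverboot.com.
;; AUTHORITY SECTION:
gmail.com.bd.     86400  IN  NS  ns602.dnsserverboot.com.
gmail.com.bd.     86400  IN  NS  ns601.dnsserverboot.com.
"""

# Constructed baseline: placeholder names standing in for delegations recorded
# before the incident (the thread does not list the legitimate NS names).
BASELINE = {
    "google.com.bd.": {"ns1.known-good.example.", "ns2.known-good.example."},
    "facebook.com.bd.": {"a.other-owner.example.", "b.other-owner.example."},
}

NS_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+NS\s+(\S+)\s*$", re.IGNORECASE)

def parse_delegations(dig_text):
    """Map each owner name to the set of NS targets found in dig output."""
    zones = defaultdict(set)
    for line in dig_text.splitlines():
        if line.startswith(";"):  # headers, comments, question section
            continue
        m = NS_LINE.match(line)
        if m:
            zones[m.group(1).lower()].add(m.group(2).lower())
    return dict(zones)

def changed_delegations(zones, baseline):
    """Zones whose NS set differs from baseline: zone -> (added, missing)."""
    return {z: (ns - baseline[z], baseline[z] - ns)
            for z, ns in zones.items() if z in baseline and ns != baseline[z]}

def shared_ns_clusters(zones, min_zones=2):
    """Group zones by identical NS set; unrelated names sharing one set is the
    signal used in this thread to suspect the registry, not a single zone."""
    clusters = defaultdict(list)
    for zone, ns in zones.items():
        clusters[frozenset(ns)].append(zone)
    return {ns: sorted(z) for ns, z in clusters.items() if len(z) >= min_zones}

if __name__ == "__main__":
    zones = parse_delegations(DIG_OUTPUT)
    print(changed_delegations(zones, BASELINE))
    print(shared_ns_clusters(zones))
```

In practice the input would be collected from every authoritative server of the parent zone, since the message notes that all slaves carried the same bad records.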
