[bdNOG] About google.com.bd

• Previous message: [bdNOG] About google.com.bd
• Next message: [bdNOG] About google.com.bd
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Google is probably waiting for stability.


On Tue, 20 Dec 2016 at 18:11 Md. Anisuzzaman Bhuiyan <anisuzzamanb at yahoo.com>
wrote:

> Seems not resolved yet. We are getting response from google.com instead
> of google.com.bd
>
>
>
> On Tuesday, December 20, 2016 5:31 PM, Kabindra Shrestha <
> kabindra at geeks.net.np> wrote:
>
>
>
> > On Dec 20, 2016, at 4:57 PM, Sumon Ahmed Sabir <sumon at fiberathome.net>
> wrote:
> >
> >
> > Got the actual fact. The WebFront end of the .BD was compromised. So
> hacker changed some DNS record via that.
> > At this moment it seems fixed.
>
> That's what I thought.
>
> Great work Sumon da.
>
> Thanks.
> -kabindra
>
>
> >
> >
> > -sumon
> >
> > Sumons-MacBook-Air:~ sumon$ host -vt ns google.com.bd dns.bd
> >
> > Trying "google.com.bd"
> >
> > Using domain server:
> >
> > Name: dns.bd
> >
> > Address: 2407:5000:88:5::3#53
> >
> > Aliases:
> >
> >
> >
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48765
> >
> > ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 0
> >
> >
> >
> > ;; QUESTION SECTION:
> >
> > ;google.com.bd.    IN    NS
> >
> >
> >
> > ;; AUTHORITY SECTION:
> >
> > google.com.bd.    86400    IN    NS    ns4.google.com.
> >
> > google.com.bd.    86400    IN    NS    ns2.google.com.
> >
> > google.com.bd.    86400    IN    NS    ns3.google.com.
> >
> >
> >
> > Received 95 bytes from 2407:5000:88:5::3#53 in 1003 ms
> >
> > Sumons-MacBook-Air:~ sumon$ host -vt ns google.com.bd surma.btcl.net.bd
> >
> > Trying "google.com.bd"
> >
> > Using domain server:
> >
> > Name: surma.btcl.net.bd
> >
> > Address: 203.112.194.232#53
> >
> > Aliases:
> >
> >
> >
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14716
> >
> > ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 0
> >
> >
> >
> > ;; QUESTION SECTION:
> >
> > ;google.com.bd.    IN    NS
> >
> >
> >
> > ;; AUTHORITY SECTION:
> >
> > google.com.bd.    86400    IN    NS    ns4.google.com.
> >
> > google.com.bd.    86400    IN    NS    ns2.google.com.
> >
> > google.com.bd.    86400    IN    NS    ns3.google.com.
> >
> >
> >
> > Received 95 bytes from 203.112.194.232#53 in 192 ms
> >
> > Sumons-MacBook-Air:~ sumon$ host -vt ns google.com.bd surma.btcl.net.bd
> >
> > Trying "google.com.bd"
> >
> > Using domain server:
> >
> > Name: surma.btcl.net.bd
> >
> > Address: 203.112.194.232#53
> >
> > Aliases:
> >
> >
> >
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50416
> >
> > ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 0
> >
> >
> >
> > ;; QUESTION SECTION:
> >
> > ;google.com.bd.    IN    NS
> >
> >
> >
> > ;; AUTHORITY SECTION:
> >
> > google.com.bd.    86400    IN    NS    ns4.google.com.
> >
> > google.com.bd.    86400    IN    NS    ns2.google.com.
> >
> > google.com.bd.    86400    IN    NS    ns3.google.com.
> >
> >
> >
> > Received 95 bytes from 203.112.194.232#53 in 214 ms
> >
> >
> > On Tue, 20 Dec 2016 at 16:13 Kabindra Shrestha <kabindra at geeks.net.np>
> wrote:
> > Wow, they manage to change it again.
> >
> > Like I mentioned in my previous mail to the list, I strongly believe it
> is their master server or registry portal that is compromised and they
> should temporarily disable their domain registry portal to further analyse
> into it, along with filtering the access.
> > They seem to have updated the filter but they have also updated DNS
> filter and I can confirm (since we also slave com.bd) we no longer are
> able to do the zone transfer, so that is the reason that you are not seeing
> two of the servers with fake NS list.
> >
> > $ dig @x.x.x.x axfr com.bd
> >
> > ; <<>> DiG 9.9.9-P3 <<>> @ x.x.x.x axfr com.bd
> > ; (1 server found)
> > ;; global options: +cmd
> > ;; connection timed out; no servers could be reached
> >
> > If you see, the nameserver for .COM.BD are now carrying varying serials.
> >
> > $ dig +nssearch com.bd
> > SOA dns.bd. root.dns.bd. 2016122031 14400 3600 604800 86400 from server
> 204.61.216.108 in 3 ms.
> > SOA dns.bd. root.dns.bd. 2016122031 14400 3600 604800 86400 from server
> 209.58.24.3 in 376 ms.
> > SOA dns.bd. root.dns.bd. 2016122036 14400 3600 604800 86400 from server
> 203.112.194.231 in 386 ms.
> > SOA dns.bd. root.dns.bd. 2016122036 14400 3600 604800 86400 from server
> 203.112.194.232 in 550 ms
> >
> >  for n in `dig ns com.bd +short`; do echo $n; dig @$n soa com.bd
> +short; echo ; done
> > dns.bd.
> > dns.bd. root.dns.bd. 2016122031 14400 3600 604800 86400
> >
> > bd-ns.anycast.pch.net.
> > dns.bd. root.dns.bd. 2016122031 14400 3600 604800 86400
> >
> > surma.btcl.net.bd.
> > dns.bd. root.dns.bd. 2016122035 14400 3600 604800 86400
> >
> > jamuna.btcl.net.bd.
> > dns.bd. root.dns.bd. 2016122035 14400 3600 604800 86400
> >
> >
> > Only reverting back to the original content will not help solve this
> problem, they have to analyse and figure out the loophole.
> >
> > Thanks.
> >  -kabindra
> >
> >
> > > On Dec 20, 2016, at 3:01 PM, Brian Candler <brian at nsrc.org> wrote:
> > >
> > > On 20/12/2016 05:33, Omar Ali wrote:
> > >> Please someone help BTCL to fix NS record to actual NS
> > >
> > > The replies from the BD nameservers are inconsistent:
> > >
> > > $ dig +norec @surma.btcl.net.bd. google.com.bd. a | grep NS
> > > ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0
> > > google.com.bd.        86400    IN    NS    ns2.phpvibe.net.
> > > google.com.bd.        86400    IN    NS    ns1.phpvibe.net.
> > >
> > > $ dig +norec @jamuna.btcl.net.bd. google.com.bd. a | grep NS
> > > ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0
> > > google.com.bd.        86400    IN    NS    ns2.phpvibe.net.
> > > google.com.bd.        86400    IN    NS    ns1.phpvibe.net.
> > >
> > > $ dig +norec @dns.bd. google.com.bd. a | grep NS
> > > ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 0
> > > google.com.bd.        86400    IN    NS    ns2.google.com.
> > > google.com.bd.        86400    IN    NS    ns3.google.com.
> > > google.com.bd.        86400    IN    NS    ns4.google.com.
> > >
> > > I should also check whether the addresses of the nameservers
> themselves have been poisoned. Here (UK) I get:
> > >
> > > $ dig +short surma.btcl.net.bd
> > > 203.112.194.232
> > > $ dig +short jamuna.btcl.net.bd
> > > 203.112.194.231
> > > $ dig +short dns.bd
> > > 209.58.24.3
> > >
> > > That looks correct - at least it agrees with the glue records returned
> by the root nameservers:
> > >
> > > ;; ADDITIONAL SECTION:
> > > dns.bd.            172800    IN    A    209.58.24.3
> > > surma.btcl.net.bd.    172800    IN    A    203.112.194.232
> > > jamuna.btcl.net.bd.    172800    IN    A    203.112.194.231
> > >
> > > So the most likely thing is that two of those three bd. nameservers
> have been attacked somehow  It doesn't look like cache poisoning; they are
> giving authoritative answers pointing to ns{1,2}.phpvibe.net
> > >
> > > Regards,
> > >
> > > Brian.
> > > _______________________________________________
> > > nog mailing list
> > > nog at bdnog.org
> > > http://mailman.bdnog.org/mailman/listinfo/nog
> >
> > _______________________________________________
> > nog mailing list
> > nog at bdnog.org
> > http://mailman.bdnog.org/mailman/listinfo/nog
>
> _______________________________________________
> nog mailing list
> nog at bdnog.org
> http://mailman.bdnog.org/mailman/listinfo/nog
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.bdnog.org/pipermail/nog/attachments/20161220/285c8f84/attachment-0001.html>

• Previous message: [bdNOG] About google.com.bd
• Next message: [bdNOG] About google.com.bd
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]