[bdNOG] About google.com.bd
Paul S.
contact at winterei.se
Tue Dec 20 19:25:53 BDT 2016
Custodianship of the *.bd roots should be revoked from BTCL and assigned
to someone who actually knows what they're doing; this is one show of
incompetency after another.
Terrible shame.
On 12/20/2016 09:48 PM, Imtiaz Rahman wrote:
> Getting different output for NS record.
>
> imtiaz@ip-172-31-21-211:~$ host -vt ns google.com.bd 8.8.8.8
> Trying "google.com.bd"
> Using domain server:
> Name: 8.8.8.8
> Address: 8.8.8.8#53
> Aliases:
>
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45935
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;google.com.bd. IN NS
>
> ;; ANSWER SECTION:
> google.com.bd. 86399 IN NS ns3.google.com.
> google.com.bd. 86399 IN NS ns1.google.com.
> google.com.bd. 86399 IN NS ns2.google.com.
> google.com.bd. 86399 IN NS ns4.google.com.
>
> Received 113 bytes from 8.8.8.8#53 in 5 ms
>
> imtiaz@ip-172-31-21-211:~$ host -vt ns google.com.bd 8.8.8.8
> Trying "google.com.bd"
> Using domain server:
> Name: 8.8.8.8
> Address: 8.8.8.8#53
> Aliases:
>
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37848
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;google.com.bd. IN NS
>
> ;; ANSWER SECTION:
> google.com.bd. 51126 IN NS ns601.dnsserverboot.com.
> google.com.bd. 51126 IN NS ns602.dnsserverboot.com.
>
> Received 88 bytes from 8.8.8.8#53 in 4 ms
> imtiaz@ip-172-31-21-211:~$
>
> On Tue, Dec 20, 2016 at 6:17 PM, Sumon Ahmed Sabir
> <sumon at fiberathome.net> wrote:
>
>
>
> Google is probably waiting for stability.
>
>
> On Tue, 20 Dec 2016 at 18:11 Md. Anisuzzaman Bhuiyan
> <anisuzzamanb at yahoo.com> wrote:
>
> Seems not resolved yet. We are getting a response from
> google.com instead of google.com.bd.
>
>
>
> On Tuesday, December 20, 2016 5:31 PM, Kabindra Shrestha
> <kabindra at geeks.net.np> wrote:
>
> > On Dec 20, 2016, at 4:57 PM, Sumon Ahmed Sabir
> > <sumon at fiberathome.net> wrote:
> >
> > Got the actual fact. The web front end of .BD was compromised, so the
> > hacker changed some DNS records via that.
> > At this moment it seems fixed.
>
> That's what I thought.
>
> Great work Sumon da.
>
> Thanks.
> -kabindra
>
>
> >
> > -sumon
> >
> > Sumons-MacBook-Air:~ sumon$ host -vt ns google.com.bd dns.bd
> > Trying "google.com.bd"
> > Using domain server:
> > Name: dns.bd
> > Address: 2407:5000:88:5::3#53
> > Aliases:
> >
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48765
> > ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 0
> >
> > ;; QUESTION SECTION:
> > ;google.com.bd. IN NS
> >
> > ;; AUTHORITY SECTION:
> > google.com.bd. 86400 IN NS ns4.google.com.
> > google.com.bd. 86400 IN NS ns2.google.com.
> > google.com.bd. 86400 IN NS ns3.google.com.
> >
> > Received 95 bytes from 2407:5000:88:5::3#53 in 1003 ms
> >
> > Sumons-MacBook-Air:~ sumon$ host -vt ns google.com.bd surma.btcl.net.bd
> > Trying "google.com.bd"
> > Using domain server:
> > Name: surma.btcl.net.bd
> > Address: 203.112.194.232#53
> > Aliases:
> >
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14716
> > ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 0
> >
> > ;; QUESTION SECTION:
> > ;google.com.bd. IN NS
> >
> > ;; AUTHORITY SECTION:
> > google.com.bd. 86400 IN NS ns4.google.com.
> > google.com.bd. 86400 IN NS ns2.google.com.
> > google.com.bd. 86400 IN NS ns3.google.com.
> >
> > Received 95 bytes from 203.112.194.232#53 in 192 ms
> >
> > Sumons-MacBook-Air:~ sumon$ host -vt ns google.com.bd surma.btcl.net.bd
> > Trying "google.com.bd"
> > Using domain server:
> > Name: surma.btcl.net.bd
> > Address: 203.112.194.232#53
> > Aliases:
> >
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50416
> > ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 0
> >
> > ;; QUESTION SECTION:
> > ;google.com.bd. IN NS
> >
> > ;; AUTHORITY SECTION:
> > google.com.bd. 86400 IN NS ns4.google.com.
> > google.com.bd. 86400 IN NS ns2.google.com.
> > google.com.bd. 86400 IN NS ns3.google.com.
> >
> > Received 95 bytes from 203.112.194.232#53 in 214 ms
> >
> > On Tue, 20 Dec 2016 at 16:13 Kabindra Shrestha
> > <kabindra at geeks.net.np> wrote:
> > Wow, they managed to change it again.
> >
> > Like I mentioned in my previous mail to the list, I strongly believe it
> > is their master server or registry portal that is compromised, and they
> > should temporarily disable their domain registry portal to analyse it
> > further, along with filtering the access.
> > They seem to have updated the filter, but they have also updated the DNS
> > filter, and I can confirm (since we also slave com.bd) that we are no
> > longer able to do the zone transfer, so that is the reason you are not
> > seeing two of the servers with the fake NS list.
> >
> > $ dig @x.x.x.x axfr com.bd
> >
> > ; <<>> DiG 9.9.9-P3 <<>> @ x.x.x.x axfr com.bd
> > ; (1 server found)
> > ;; global options: +cmd
> > ;; connection timed out; no servers could be reached
> >
> > If you see, the nameservers for .COM.BD are now carrying varying serials.
> >
> > $ dig +nssearch com.bd
> > SOA dns.bd. root.dns.bd. 2016122031 14400 3600 604800 86400 from server 204.61.216.108 in 3 ms.
> > SOA dns.bd. root.dns.bd. 2016122031 14400 3600 604800 86400 from server 209.58.24.3 in 376 ms.
> > SOA dns.bd. root.dns.bd. 2016122036 14400 3600 604800 86400 from server 203.112.194.231 in 386 ms.
> > SOA dns.bd. root.dns.bd. 2016122036 14400 3600 604800 86400 from server 203.112.194.232 in 550 ms
> >
> > for n in `dig ns com.bd +short`; do echo $n; dig @$n soa com.bd +short; echo ; done
> > dns.bd.
> > dns.bd. root.dns.bd. 2016122031 14400 3600 604800 86400
> >
> > bd-ns.anycast.pch.net.
> > dns.bd. root.dns.bd. 2016122031 14400 3600 604800 86400
> >
> > surma.btcl.net.bd.
> > dns.bd. root.dns.bd. 2016122035 14400 3600 604800 86400
> >
> > jamuna.btcl.net.bd.
> > dns.bd. root.dns.bd. 2016122035 14400 3600 604800 86400
> >
> >
> > Only reverting back to the original content will not help solve this
> > problem; they have to analyse and figure out the loophole.
> >
> > Thanks.
> > -kabindra
> >
> >
> > > On Dec 20, 2016, at 3:01 PM, Brian Candler <brian at nsrc.org> wrote:
> > >
> > > On 20/12/2016 05:33, Omar Ali wrote:
> > >> Please someone help BTCL to fix NS record to actual NS
> > >
> > > The replies from the BD nameservers are inconsistent:
> > >
> > > $ dig +norec @surma.btcl.net.bd. google.com.bd. a | grep NS
> > > ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0
> > > google.com.bd. 86400 IN NS ns2.phpvibe.net.
> > > google.com.bd. 86400 IN NS ns1.phpvibe.net.
> > >
> > > $ dig +norec @jamuna.btcl.net.bd. google.com.bd. a | grep NS
> > > ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0
> > > google.com.bd. 86400 IN NS ns2.phpvibe.net.
> > > google.com.bd. 86400 IN NS ns1.phpvibe.net.
> > >
> > > $ dig +norec @dns.bd. google.com.bd. a | grep NS
> > > ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 0
> > > google.com.bd. 86400 IN NS ns2.google.com.
> > > google.com.bd. 86400 IN NS ns3.google.com.
> > > google.com.bd. 86400 IN NS ns4.google.com.
> > >
> > > I should also check whether the addresses of the nameservers themselves
> > > have been poisoned. Here (UK) I get:
> > >
> > > $ dig +short surma.btcl.net.bd
> > > 203.112.194.232
> > > $ dig +short jamuna.btcl.net.bd
> > > 203.112.194.231
> > > $ dig +short dns.bd
> > > 209.58.24.3
> > >
> > > That looks correct - at least it agrees with the glue records returned
> > > by the root nameservers:
> > >
> > > ;; ADDITIONAL SECTION:
> > > dns.bd. 172800 IN A 209.58.24.3
> > > surma.btcl.net.bd. 172800 IN A 203.112.194.232
> > > jamuna.btcl.net.bd. 172800 IN A 203.112.194.231
> > >
> > > So the most likely thing is that two of those three bd. nameservers have
> > > been attacked somehow. It doesn't look like cache poisoning; they are
> > > giving authoritative answers pointing to ns{1,2}.phpvibe.net.
> > >
> > > Regards,
> > >
> > > Brian.
> > > _______________________________________________
> > > nog mailing list
> > > nog at bdnog.org
> > > http://mailman.bdnog.org/mailman/listinfo/nog
> >
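A defender-side version of the two checks Brian and Kabindra ran by hand in the thread (comparing the SOA serial each authoritative server reports for a zone, and comparing the NS set each parent server hands out for a child zone), written as an added example that is not code from the thread or from any of its participants. It runs offline over sample lines constructed from the output quoted above; `parse_nssearch`, `serial_groups` and `disagreeing_servers` are names chosen here.

```python
import re
from collections import defaultdict

# Constructed sample input: `dig +nssearch com.bd` output, values as quoted in the thread.
NSSEARCH_OUTPUT = """\
SOA dns.bd. root.dns.bd. 2016122031 14400 3600 604800 86400 from server 204.61.216.108 in 3 ms.
SOA dns.bd. root.dns.bd. 2016122031 14400 3600 604800 86400 from server 209.58.24.3 in 376 ms.
SOA dns.bd. root.dns.bd. 2016122036 14400 3600 604800 86400 from server 203.112.194.231 in 386 ms.
SOA dns.bd. root.dns.bd. 2016122036 14400 3600 604800 86400 from server 203.112.194.232 in 550 ms
"""

# Constructed sample input: the NS set each .bd server handed out for google.com.bd,
# as quoted in the thread (two servers returning the unexpected phpvibe.net set).
DELEGATIONS = {
    "dns.bd": {"ns2.google.com.", "ns3.google.com.", "ns4.google.com."},
    "surma.btcl.net.bd": {"ns1.phpvibe.net.", "ns2.phpvibe.net."},
    "jamuna.btcl.net.bd": {"ns1.phpvibe.net.", "ns2.phpvibe.net."},
}

# One `+nssearch` line: SOA <mname> <rname> <serial> <refresh> <retry> <expire> <min> from server <addr> in ...
SOA_RE = re.compile(r"^SOA \S+ \S+ (\d+) (?:\d+ ){4}from server (\S+) in ")


def parse_nssearch(text):
    """Map each authoritative server address to the SOA serial it reported."""
    serials = {}
    for line in text.splitlines():
        m = SOA_RE.match(line.strip())
        if m:
            serials[m.group(2)] = int(m.group(1))
    return serials


def serial_groups(serials):
    """Group servers by serial; more than one group means the zone copies have diverged."""
    groups = defaultdict(list)
    for server, serial in serials.items():
        groups[serial].append(server)
    return {serial: sorted(servers) for serial, servers in groups.items()}


def disagreeing_servers(delegations, expected_ns):
    """Parent servers whose NS set for the child zone differs from the registrant's real set."""
    return sorted(srv for srv, nsset in delegations.items() if nsset != expected_ns)


if __name__ == "__main__":
    groups = serial_groups(parse_nssearch(NSSEARCH_OUTPUT))
    if len(groups) > 1:
        print("com.bd serials diverge across servers:", groups)
    real_ns = {"ns2.google.com.", "ns3.google.com.", "ns4.google.com."}
    print("servers handing out an unexpected delegation:", disagreeing_servers(DELEGATIONS, real_ns))
```

Run periodically against live `dig +nssearch` and per-server `dig +norec` output, either alert is a cheap early signal that a registry-side change has landed on some authoritative servers and not others.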