[bdNOG] About google.com.bd

Paul S. contact at winterei.se
Tue Dec 20 19:25:53 BDT 2016


Custodianship of the *.bd roots should be revoked from BTCL and assigned 
to someone who actually knows what they're doing; this is one show of 
incompetence after another.

Terrible shame.

On 12/20/2016 09:48 PM, Imtiaz Rahman wrote:
> Getting different output for the NS record.
>
> imtiaz at ip-172-31-21-211:~$ host -vt ns google.com.bd 8.8.8.8
> Trying "google.com.bd"
> Using domain server:
> Name: 8.8.8.8
> Address: 8.8.8.8#53
> Aliases:
>
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45935
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;google.com.bd.                 IN      NS
>
> ;; ANSWER SECTION:
> google.com.bd.          86399   IN      NS      ns3.google.com.
> google.com.bd.          86399   IN      NS      ns1.google.com.
> google.com.bd.          86399   IN      NS      ns2.google.com.
> google.com.bd.          86399   IN      NS      ns4.google.com.
>
> Received 113 bytes from 8.8.8.8#53 in 5 ms
>
>
> imtiaz at ip-172-31-21-211:~$ host -vt ns google.com.bd 8.8.8.8
> Trying "google.com.bd"
> Using domain server:
> Name: 8.8.8.8
> Address: 8.8.8.8#53
> Aliases:
>
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37848
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;google.com.bd.                 IN      NS
>
> ;; ANSWER SECTION:
> google.com.bd.          51126   IN      NS      ns601.dnsserverboot.com.
> google.com.bd.          51126   IN      NS      ns602.dnsserverboot.com.
>
> Received 88 bytes from 8.8.8.8#53 in 4 ms
> imtiaz at ip-172-31-21-211:~$
>
> On Tue, Dec 20, 2016 at 6:17 PM, Sumon Ahmed Sabir
> <sumon at fiberathome.net> wrote:
>
>     Google is probably waiting for stability.
>
>     On Tue, 20 Dec 2016 at 18:11 Md. Anisuzzaman Bhuiyan
>     <anisuzzamanb at yahoo.com> wrote:
>
>         Seems not resolved yet. We are getting a response from
>         google.com instead of google.com.bd.
>
>         On Tuesday, December 20, 2016 5:31 PM, Kabindra Shrestha
>         <kabindra at geeks.net.np> wrote:
>
>         > On Dec 20, 2016, at 4:57 PM, Sumon Ahmed Sabir
>         <sumon at fiberathome.net> wrote:
>         >
>         > Got the actual fact. The web front end of the .BD was
>         compromised, so the hacker changed some DNS records via that.
>         > At this moment it seems fixed.
>
>         That's what I thought.
>
>         Great work Sumon da.
>
>         Thanks.
>         -kabindra
>
>
>         >
>         > -sumon
>         >
>         > Sumons-MacBook-Air:~ sumon$ host -vt ns google.com.bd dns.bd
>         > Trying "google.com.bd"
>         > Using domain server:
>         > Name: dns.bd
>         > Address: 2407:5000:88:5::3#53
>         > Aliases:
>         >
>         > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48765
>         > ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 0
>         >
>         > ;; QUESTION SECTION:
>         > ;google.com.bd. IN    NS
>         >
>         > ;; AUTHORITY SECTION:
>         > google.com.bd. 86400    IN    NS    ns4.google.com.
>         > google.com.bd. 86400    IN    NS    ns2.google.com.
>         > google.com.bd. 86400    IN    NS    ns3.google.com.
>         >
>         > Received 95 bytes from 2407:5000:88:5::3#53 in 1003 ms
>         >
>         > Sumons-MacBook-Air:~ sumon$ host -vt ns google.com.bd surma.btcl.net.bd
>         > Trying "google.com.bd"
>         > Using domain server:
>         > Name: surma.btcl.net.bd
>         > Address: 203.112.194.232#53
>         > Aliases:
>         >
>         > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14716
>         > ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 0
>         >
>         > ;; QUESTION SECTION:
>         > ;google.com.bd. IN    NS
>         >
>         > ;; AUTHORITY SECTION:
>         > google.com.bd. 86400    IN    NS    ns4.google.com.
>         > google.com.bd. 86400    IN    NS    ns2.google.com.
>         > google.com.bd. 86400    IN    NS    ns3.google.com.
>         >
>         > Received 95 bytes from 203.112.194.232#53 in 192 ms
>         >
>         > Sumons-MacBook-Air:~ sumon$ host -vt ns google.com.bd surma.btcl.net.bd
>         > Trying "google.com.bd"
>         > Using domain server:
>         > Name: surma.btcl.net.bd
>         > Address: 203.112.194.232#53
>         > Aliases:
>         >
>         > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50416
>         > ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 0
>         >
>         > ;; QUESTION SECTION:
>         > ;google.com.bd. IN    NS
>         >
>         > ;; AUTHORITY SECTION:
>         > google.com.bd. 86400    IN    NS    ns4.google.com.
>         > google.com.bd. 86400    IN    NS    ns2.google.com.
>         > google.com.bd. 86400    IN    NS    ns3.google.com.
>         >
>         > Received 95 bytes from 203.112.194.232#53 in 214 ms
>         >
>         > On Tue, 20 Dec 2016 at 16:13 Kabindra Shrestha
>         <kabindra at geeks.net.np> wrote:
>         > Wow, they managed to change it again.
>         >
>         > Like I mentioned in my previous mail to the list, I strongly
>         believe it is their master server or registry portal that is
>         compromised, and they should temporarily disable their domain
>         registry portal to analyse it further, along with
>         filtering the access.
>         > They seem to have updated the filter, but they have also
>         updated the DNS filter and I can confirm (since we also slave
>         com.bd) we are no longer able to do the zone
>         transfer, so that is the reason that you are not seeing two of
>         the servers with the fake NS list.
>         >
>         > $ dig @x.x.x.x axfr com.bd
>         >
>         > ; <<>> DiG 9.9.9-P3 <<>> @ x.x.x.x axfr com.bd
>         > ; (1 server found)
>         > ;; global options: +cmd
>         > ;; connection timed out; no servers could be reached
>         >
>         > If you see, the nameservers for .COM.BD are
>         now carrying varying serials.
>         >
>         > $ dig +nssearch com.bd
>         > SOA dns.bd. root.dns.bd. 2016122031 14400 3600 604800 86400 from
>         server 204.61.216.108 in 3 ms.
>         > SOA dns.bd. root.dns.bd. 2016122031 14400 3600 604800 86400 from
>         server 209.58.24.3 in 376 ms.
>         > SOA dns.bd. root.dns.bd. 2016122036 14400 3600 604800 86400 from
>         server 203.112.194.231 in 386 ms.
>         > SOA dns.bd. root.dns.bd. 2016122036 14400 3600 604800 86400 from
>         server 203.112.194.232 in 550 ms
>         >
>         > for n in `dig ns com.bd +short`; do echo $n; dig @$n soa com.bd +short; echo ; done
>         > dns.bd.
>         > dns.bd. root.dns.bd. 2016122031 14400 3600 604800 86400
>         >
>         > bd-ns.anycast.pch.net.
>         > dns.bd. root.dns.bd. 2016122031 14400 3600 604800 86400
>         >
>         > surma.btcl.net.bd.
>         > dns.bd. root.dns.bd. 2016122035 14400 3600 604800 86400
>         >
>         > jamuna.btcl.net.bd.
>         > dns.bd. root.dns.bd. 2016122035 14400 3600 604800 86400
>         >
>         > Only reverting back to the original content will not help
>         solve this problem; they have to analyse and figure out the
>         loophole.
>         >
>         > Thanks.
>         > -kabindra
>         >
>         > > On Dec 20, 2016, at 3:01 PM, Brian Candler <brian at nsrc.org> wrote:
>         > >
>         > > On 20/12/2016 05:33, Omar Ali wrote:
>         > >> Please someone help BTCL to fix the NS record to the actual NS
>         > >
>         > > The replies from the BD nameservers are inconsistent:
>         > >
>         > > $ dig +norec @surma.btcl.net.bd. google.com.bd. a | grep NS
>         > > ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0
>         > > google.com.bd.       86400    IN    NS ns2.phpvibe.net.
>         > > google.com.bd.       86400    IN    NS ns1.phpvibe.net.
>         > >
>         > > $ dig +norec @jamuna.btcl.net.bd. google.com.bd. a | grep NS
>         > > ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0
>         > > google.com.bd.       86400    IN    NS ns2.phpvibe.net.
>         > > google.com.bd.       86400    IN    NS ns1.phpvibe.net.
>         > >
>         > > $ dig +norec @dns.bd. google.com.bd. a | grep NS
>         > > ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 0
>         > > google.com.bd.       86400    IN    NS ns2.google.com.
>         > > google.com.bd.       86400    IN    NS ns3.google.com.
>         > > google.com.bd.       86400    IN    NS ns4.google.com.
>         > >
>         > > I should also check whether the addresses of the
>         nameservers themselves have been poisoned. Here (UK) I get:
>         > >
>         > > $ dig +short surma.btcl.net.bd
>         > > 203.112.194.232
>         > > $ dig +short jamuna.btcl.net.bd
>         > > 203.112.194.231
>         > > $ dig +short dns.bd
>         > > 209.58.24.3
>         > >
>         > > That looks correct - at least it agrees with the glue
>         records returned by the root nameservers:
>         > >
>         > > ;; ADDITIONAL SECTION:
>         > > dns.bd.   172800    IN    A    209.58.24.3
>         > > surma.btcl.net.bd.   172800    IN    A    203.112.194.232
>         > > jamuna.btcl.net.bd.   172800    IN    A    203.112.194.231
>         > >
>         > > So the most likely thing is that two of those three bd.
>         nameservers have been attacked somehow. It doesn't look like
>         cache poisoning; they are giving authoritative answers
>         pointing to ns{1,2}.phpvibe.net.
>         > >
>         > > Regards,
>         > >
>         > > Brian.
>         > > _______________________________________________
>         > > nog mailing list
>         > > nog at bdnog.org
>         > > http://mailman.bdnog.org/mailman/listinfo/nog
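The diagnosis in the thread rests on two checks: asking each authoritative server for the delegation with `dig +norec` and comparing the NS sets (Brian), and comparing the SOA serials each server hands out for com.bd (Kabindra). The following is an added example, not code posted to the thread: it works offline on dig-style output and flags servers whose NS set differs from a known-good delegation or whose serial disagrees with the others. The sample answers are constructed, modelled on the records quoted above; the function names are the example's own, and in practice the per-server text would be captured from `dig +norec @<server> <name> NS` and `dig @<server> <zone> SOA`.

```python
"""Flag inconsistent NS / SOA answers across a zone's authoritative servers.

Added example (not from the bdNOG thread). It parses captured dig-style
output offline; nothing here talks to the network.
"""
import re

# One resource record as dig prints it: "<owner> <ttl> IN <type> <rdata>"
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(NS|SOA)\s+(.+)$")


def parse_records(dig_output, rrtype):
    """Return the rdata of all records of rrtype as a sorted tuple.

    dig's ';'-prefixed comment lines (header, flags, section titles) are
    skipped; rdata is lower-cased so case differences do not look like drift.
    """
    values = []
    for line in dig_output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_RE.match(line)
        if m and m.group(3) == rrtype:
            values.append(m.group(4).strip().lower())
    return tuple(sorted(values))


def soa_serial(dig_output):
    """Serial is the third SOA rdata field (mname rname serial ...); None if absent."""
    soa = parse_records(dig_output, "SOA")
    return int(soa[0].split()[2]) if soa else None


def group_by_answer(per_server, extract):
    """Map each distinct answer to the servers that gave it.

    A healthy zone yields exactly one group; more than one means the
    authoritative servers disagree and the zone needs a closer look.
    """
    groups = {}
    for server, output in per_server.items():
        groups.setdefault(extract(output), []).append(server)
    return {answer: sorted(servers) for answer, servers in groups.items()}


def deviating_servers(per_server, extract, expected):
    """Servers whose answer differs from a known-good value.

    Comparing against the expected delegation matters more than majority
    voting: in the thread, two of three servers agreed on the wrong answer.
    """
    return sorted(s for s, out in per_server.items() if extract(out) != expected)


def ns_of(output):
    return parse_records(output, "NS")


# ---- Constructed sample data, modelled on the thread's dig output -----------
EXPECTED_GOOGLE_NS = ("ns2.google.com.", "ns3.google.com.", "ns4.google.com.")

SAMPLE_NS = {
    "surma.btcl.net.bd": """
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0
google.com.bd.   86400  IN  NS  ns2.phpvibe.net.
google.com.bd.   86400  IN  NS  ns1.phpvibe.net.
""",
    "jamuna.btcl.net.bd": """
google.com.bd.   86400  IN  NS  ns2.phpvibe.net.
google.com.bd.   86400  IN  NS  ns1.phpvibe.net.
""",
    "dns.bd": """
google.com.bd.   86400  IN  NS  ns2.google.com.
google.com.bd.   86400  IN  NS  ns3.google.com.
google.com.bd.   86400  IN  NS  ns4.google.com.
""",
}

SAMPLE_SOA = {
    "dns.bd": "com.bd. 86400 IN SOA dns.bd. root.dns.bd. 2016122031 14400 3600 604800 86400",
    "bd-ns.anycast.pch.net": "com.bd. 86400 IN SOA dns.bd. root.dns.bd. 2016122031 14400 3600 604800 86400",
    "surma.btcl.net.bd": "com.bd. 86400 IN SOA dns.bd. root.dns.bd. 2016122035 14400 3600 604800 86400",
    "jamuna.btcl.net.bd": "com.bd. 86400 IN SOA dns.bd. root.dns.bd. 2016122035 14400 3600 604800 86400",
}

if __name__ == "__main__":
    for answer, servers in group_by_answer(SAMPLE_NS, ns_of).items():
        print("NS", answer, "<-", ", ".join(servers))
    print("deviating from expected:", deviating_servers(SAMPLE_NS, ns_of, EXPECTED_GOOGLE_NS))
    for serial, servers in group_by_answer(SAMPLE_SOA, soa_serial).items():
        print("SOA serial", serial, "<-", ", ".join(servers))
```

Run periodically against every server listed in the parent's delegation (and the glue addresses, as Brian checks), a split in `group_by_answer` or a non-empty `deviating_servers` result is the signal that a registry-side change has reached only some of the secondaries, which is exactly the state the thread describes.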

