AT&T DNS problems?

We are the primary DNS servers for the ben.edu domain. We seem to be having an issue with an AT&T server that is responding with incorrect A records for www.ben.edu and ben.edu.

What the response SHOULD be:

nslookup www.ben.edu
Server: 63.250.224.66
Address: 63.250.224.66#53

www.ben.edu canonical name = ben.edu.
Name: ben.edu
Address: 38.100.120.100

What 12.127.17.83 is responding with:

www.ben.edu
Server: tbru.br.rs.els-gms.att.net
Address: 12.127.17.83

Non-authoritative answer:
Name: www.ben.edu
Address: 208.91.197.132

This appears to be affecting only iPhones and iPads on the AT&T network. Is anybody else having problems with this? Are there any AT&T people on this list that can help?

Tim Huffman
Business Only Broadband
777 Oakmont Lane, Suite 2000, Westmont, IL 60559
Direct: 630.590.6012 | Main: 630.590.6000 | Fax: 630.986.2496
thuffman@bobbroadband.com | http://www.bobbroadband.com/
Cell: 630.340.1925 | Toll-Free Customer Support: 877.262.4553
Follow Us on LinkedIn: http://www.linkedin.com/company/business-only-broadband | Follow Us on Twitter: https://twitter.com/#%21/BOBbroadband

208.91.197.132 doesn't have a PTR record associated with it, but a Whois query shows that it's owned by Confluence Networks. However, check out what happens when you go to that IP address:

$ nc -v 208.91.197.132 80
Connection to 208.91.197.132 80 port [tcp/http] succeeded!
GET / HTTP/1.1
Host: ben.edu

HTTP/1.1 200 OK
Date: Sat, 27 Oct 2012 01:14:43 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.3.16
Vary: Accept-Encoding,User-Agent
Content-Length: 712
Content-Type: text/html; charset=UTF-8

<frameset rows="100%,*" frameborder="no" border="0" framespacing="0">
<frame src="http://ben.edu/?fp=Jg2bOCRGpmyIHeO3rTIpYJil8%2FmPB1JibWwClQntyhm4NkwKKuCk1tgtON7LOnmXFywl8MRjELrKlXFXgOfhOw%3D%3D&prvtof=lJY3O5r6C%2F4Iypq21CJp7a1LuqqIdOWvKdwx5Xsl1x8%3D&poru=S87wfqjj4W%2B%2Fm8dSEqpuWZr20KvK367%2BCoGC%2FHW2e9kL6N%2Fl3h3wnDx5AfKbrhlZ&">
</frameset>
<noframes>
<body bgcolor="#ffffff" text="#000000">
<a href="http://ben.edu/?fp=Jg2bOCRGpmyIHeO3rTIpYJil8%2FmPB1JibWwClQntyhm4NkwKKuCk1tgtON7LOnmXFywl8MRjELrKlXFXgOfhOw%3D%3D&prvtof=HFakvtiyy0kNqKrmL%2FCjJLePEMwdGWTZLZa5%2BZpNnP4%3D&poru=9vrhUGVKGCquHB6uFFMUXFNxz1c%2FgIaDOeCSvkLz5HCrH2FI%2Fixpxvr8LwjYT7uO&">Click here to proceed</a>.
</body>
</noframes>

I didn't look beyond that, but it already looks fishy. Note that I used ben.edu in the hostname on that manual GET request. When I tried it with just the IP address, it said to go to searchremagnified.com.

Mike Phipps
Media Genesis, Inc.

From: outages-bounces@outages.org On Behalf Of Tim Huffman
Sent: Friday, October 26, 2012 9:04 PM
To: outages@outages.org
Subject: [outages] AT&T DNS problems?

Yeah, it appears to be some kind of placeholder site, like what Network Solutions uses.

What's strange is that the AT&T server appears to be handing out alternating responses:

# dig @12.127.17.83 www.ben.edu

; <<>> DiG 9.5.1-P2 <<>> @12.127.17.83 www.ben.edu
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35102
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.ben.edu. IN A

;; ANSWER SECTION:
www.ben.edu. 148 IN A 208.91.197.132

;; Query time: 2 msec
;; SERVER: 12.127.17.83#53(12.127.17.83)
;; WHEN: Fri Oct 26 20:22:18 2012
;; MSG SIZE rcvd: 45

[root@venus ~]# dig @12.127.17.83 www.ben.edu

; <<>> DiG 9.5.1-P2 <<>> @12.127.17.83 www.ben.edu
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38198
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.ben.edu. IN A

;; ANSWER SECTION:
www.ben.edu. 3427 IN CNAME ben.edu.
ben.edu. 3427 IN A 38.100.120.100

;; Query time: 2 msec
;; SERVER: 12.127.17.83#53(12.127.17.83)
;; WHEN: Fri Oct 26 20:22:23 2012
;; MSG SIZE rcvd: 59

[root@venus ~]# dig @12.127.17.83 www.ben.edu

; <<>> DiG 9.5.1-P2 <<>> @12.127.17.83 www.ben.edu
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21252
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.ben.edu. IN A

;; ANSWER SECTION:
www.ben.edu. 142 IN A 208.91.197.132

;; Query time: 1 msec
;; SERVER: 12.127.17.83#53(12.127.17.83)
;; WHEN: Fri Oct 26 20:22:24 2012
;; MSG SIZE rcvd: 45

[root@venus ~]# dig @12.127.17.83 www.ben.edu

; <<>> DiG 9.5.1-P2 <<>> @12.127.17.83 www.ben.edu
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59907
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.ben.edu. IN A

;; ANSWER SECTION:
www.ben.edu. 3425 IN CNAME ben.edu.
ben.edu. 3425 IN A 38.100.120.100

;; Query time: 2 msec
;; SERVER: 12.127.17.83#53(12.127.17.83)
;; WHEN: Fri Oct 26 20:22:25 2012
;; MSG SIZE rcvd: 59

Tim Huffman
Director of Engineering
Business Only Broadband

From: outages-bounces@outages.org On Behalf Of Mike Phipps
Sent: Friday, October 26, 2012 8:17 PM
To: outages@outages.org
Subject: Re: [outages] AT&T DNS problems?
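The alternating answers in the dig output above are the kind of thing worth checking with a script rather than by eye: ask the resolver several times in a row, decode each answer, and compare the set of A addresses with the known-good value. The block below is an added example written for this page; it is not code from the thread or from any of its participants. It uses only the Python standard library, builds the query packet itself, decodes A and CNAME answers including compressed names, discards any reply whose transaction ID does not match the query, and classifies the resolver as consistent, wrong, alternating, or not answering. The name, the AT&T resolver address and the expected address 38.100.120.100 are taken from the thread; the two sample replies are constructed here to mirror the 59-byte and 45-byte answers dig showed, so the offline part runs without network access. Only `probe()` sends traffic, and it is invoked only when a resolver is given on the command line.

```python
"""Query a recursive resolver several times for one name and compare each A
answer with the known-good value.  Added example for this page, not code from
the thread; standard library only, UDP only, no DNSSEC validation."""
import random
import socket
import struct
import sys

NAME = "www.ben.edu"                               # name from the thread
EXPECTED = frozenset({"38.100.120.100"})           # authoritative answer per the thread
RNG = random.SystemRandom()                        # unpredictable transaction IDs

# Constructed sample replies (not captured): a 59-byte CNAME+A reply carrying the
# correct address and a 45-byte bogus A reply, shaped like the two dig answers above.
SAMPLE_RESPONSES = [
    bytes.fromhex("123481800001000200000000" "037777770362656e0365647500" "00010001"
                  "c00c0005000100000d630002c010" "c0100001000100000d63000426647864"),
    bytes.fromhex("123481800001000100000000" "037777770362656e0365647500" "00010001"
                  "c00c00010001000000940004d05bc584"),
]

def encode_name(name):
    r"""'www.ben.edu' -> b'\x03www\x03ben\x03edu\x00' (no compression on the wire)."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"

def build_query(name, qid):
    """Recursion-desired query for an A record, QCLASS IN."""
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)

def read_name(data, off):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end = [], None
    for _ in range(128):                           # bounded walk: a pointer loop cannot hang us
        n = data[off]
        if n & 0xC0 == 0xC0:                       # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            return ".".join(labels) + ".", end if end is not None else off
        labels.append(data[off:off + n].decode("ascii"))
        off += n
    raise ValueError("malformed name")

def parse_response(data):
    """Return (id, rcode, [(owner, type, ttl, value), ...]) for the answer section."""
    qid, flags, qd, an = struct.unpack("!HHHH", data[:8])
    off = 12
    for _ in range(qd):                            # skip the echoed question(s)
        off = read_name(data, off)[1] + 4
    answers = []
    for _ in range(an):
        owner, off = read_name(data, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:              # A
            value = ".".join(str(b) for b in data[off:off + 4])
        elif rtype == 5:                           # CNAME, rdata is a (compressible) name
            value = read_name(data, off)[0]
        else:
            value = data[off:off + rdlen].hex()
        answers.append((owner, rtype, ttl, value))
        off += rdlen
    return qid, flags & 0xF, answers

def a_addresses(answers):
    return frozenset(v for _, t, _, v in answers if t == 1)

def classify(observed, expected):
    """observed: one frozenset of A addresses per repeated query."""
    distinct = {s for s in observed if s}
    if not distinct:
        return "no-answer"
    if distinct == {frozenset(expected)}:
        return "consistent"
    if frozenset(expected) in distinct:
        return "alternating"                       # correct and bogus answers interleaved, as seen above
    return "wrong"

def probe(resolver, name, count=4, timeout=2.0):
    """Send `count` queries over UDP; replies whose ID does not match are discarded."""
    seen = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        for _ in range(count):
            qid = RNG.randrange(65536)
            s.sendto(build_query(name, qid), (resolver, 53))
            try:
                data = s.recvfrom(4096)[0]
            except socket.timeout:
                data = b""
            rid, _, answers = parse_response(data) if len(data) >= 12 else (None, None, [])
            seen.append(a_addresses(answers) if rid == qid else frozenset())
    return seen

if __name__ == "__main__":
    obs = [a_addresses(parse_response(p)[2]) for p in SAMPLE_RESPONSES]
    print("constructed samples:", [sorted(s) for s in obs], "->", classify(obs, EXPECTED))
    if len(sys.argv) > 1:                          # live probe, e.g.: python probe.py 12.127.17.83
        seen = probe(sys.argv[1], NAME)
        print(sys.argv[1], [sorted(s) for s in seen], "->", classify(seen, EXPECTED))
```

Two caveats for real use. The ID check is the minimum a stub must do before trusting a UDP reply; a production resolver also verifies that the question section echoes what it asked and randomises the source port, which is the main defence against the Kaminsky-style forgery mentioned later in the thread. And rather than hardcoding EXPECTED, compare against a non-recursive query sent straight to the zone's own name servers, since an attacker who can poison the recursive cache can just as easily poison whatever you used to seed the expected value.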

Hi,

So I tried in 3 different places:

Comcast residential service near San Jose, CA: 38.100.120.100
Multi-homed colo facility near Dallas, TX: 38.100.120.100
Multi-homed colo facility near London, UK: 208.91.197.32

Doing a bit of digging on the latter:

% dig +short @12.127.17.83 www.ben.edu ns
ns1432.ztomy.com.
ns2432.ztomy.com.

% whois -h whois.crsnic.net ztomy.com
Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered with many different competing registrars. Go to http://www.internic.net for detailed information.

Domain Name: ZTOMY.COM
Registrar: PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Whois Server: whois.PublicDomainRegistry.com
Referral URL: http://www.PublicDomainRegistry.com
Name Server: USC4.AKAM.NET
Name Server: USC5.AKAM.NET
Status: ok
Updated Date: 23-apr-2012
Creation Date: 22-nov-2007
Expiration Date: 22-nov-2014
[...]

% whois -h whois.publicdomainregistry.com ztomy.com
Domain Name: ZTOMY.COM
Registrant:
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
ID#10760, PO Box 16
Note - All Postal Mails Rejected, visit Privacyprotect.org
Nobby Beach
null,QLD 4218
AU
Tel. +45.36946676
Creation Date: 22-Nov-2007
Expiration Date: 22-Nov-2014
[...]

Doing a google search on ztomy.com suggests that they provide malware/spyware/etc.

Looking at the address being returned (208.91.197.132):

% whois -h whois.arin.net 208.91.197.132
[...]
NetRange: 208.91.196.0 - 208.91.199.255
CIDR: 208.91.196.0/22
OriginAS: AS40034
NetName: CONFLUENCE-NETWORK-INC
NetHandle: NET-208-91-196-0-1
Parent: NET-208-0-0-0-0
NetType: Direct Allocation
RegDate: 2011-04-15
Updated: 2012-03-02
Ref: http://whois.arin.net/rest/net/NET-208-91-196-0-1

OrgName: Confluence Networks Inc
OrgId: CN
Address: 3rd Floor, Omar Hodge Building, Wickhams
Address: Cay I, P.O. Box 362
City: Road Town
StateProv: Tortola
PostalCode: VG1110
Country: VG
RegDate: 2011-04-07
Updated: 2011-07-05
Ref: http://whois.arin.net/rest/org/CN
[...]

Doing a google search on confluence networks suggests that they host a lot of bad stuff (e.g., 'high yield investment programs' which appear to be yet another form of Ponzi scheme).

I did see some suggestions of ztomy.com engaging in DNS cache poisoning, but no proof. Given the inconsistent answers from the AT&T name server, one possibility is that AT&T's resolvers are under a Kaminsky-style DNS cache poisoning attack. You might want to drop a note to the DNS-OARC (https://www.dns-oarc.net) dns-operations list -- I think there are probably some folks there from AT&T.

Regards,
-drc

On Oct 26, 2012, at 6:26 PM, Tim Huffman <tim@bobbroadband.com> wrote:
_______________________________________________ Outages mailing list Outages@outages.org https://puck.nether.net/mailman/listinfo/outages
participants (3)
- David Conrad
- Mike Phipps
- Tim Huffman