From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID:
Date: Wed, 29 Aug 2012 05:29:42 +0200
From: cinap_lenrek@gmx.de
To: 9fans@9fans.net
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Subject: [9fans] dns poisoning
Topicbox-Message-UUID: b31f3d9c-ead7-11e9-9d60-3106f5b1d025

aback.com has ns.buydomains.com as nameserver, which seems to announce
itself to be responsible for the whole .com tld and answers positively
to everything with bullshit spam ip addresses, causing all further .com
domain queries to get resolved by that spam ns.buydomains.com dns. :(

is this allowed by the standard? is there anything we can do to prevent
it from poisoning our cache?

rei2 Aug 29 04:25:26 [73792] 61255.1: sending to 192.54.112.30/h.gtld-servers.net aback.com ip
rei2 Aug 29 04:25:26 61255: rcvd 192.54.112.30 flags: rd
rei2 Aug 29 04:25:26 61255: rcvd 192.54.112.30 qd aback.com
rei2 Aug 29 04:25:26 61255: rcvd 192.54.112.30 ns aback.com ns ns.buydomains.com
rei2 Aug 29 04:25:26 61255: rcvd 192.54.112.30 ns aback.com ns this-domain-for-sale.com
rei2 Aug 29 04:25:26 61255: rcvd 192.54.112.30 ar ns.buydomains.com ip 64.95.64.93
rei2 Aug 29 04:25:26 61255: rcvd 192.54.112.30 ar this-domain-for-sale.com ip 64.95.64.96
rei2 Aug 29 04:25:26 [73792] 61255.2: sending to 64.95.64.93/ns.buydomains.com aback.com ip
rei2 Aug 29 04:25:26 61255: rcvd 64.95.64.93 flags: auth rd
rei2 Aug 29 04:25:26 61255: rcvd 64.95.64.93 qd aback.com
rei2 Aug 29 04:25:26 61255: rcvd 64.95.64.93 an aback.com ip 64.95.64.218
rei2 Aug 29 04:25:26 61255: rcvd 64.95.64.93 ns com ns ns.buydomains.com
rei2 Aug 29 04:25:26 61255: rcvd 64.95.64.93 ns com ns this-domain-for-sale.com
rei2 Aug 29 04:25:26 61255: rcvd 64.95.64.93 ar ns.buydomains.com ip 64.95.64.93
rei2 Aug 29 04:25:26 61255: rcvd 64.95.64.93 ar this-domain-for-sale.com ip 64.95.64.96

--
cinap
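
The usual resolver-side defence against the behaviour in this log is a bailiwick check: a server reached through the delegation for aback.com may only supply records at or below aback.com, so its NS records for com and its glue for names outside that zone are never cached. The sketch below is an added example, not part of the original message and not the Plan 9 ndb/dns code; `in_bailiwick`, `filter_log` and the seed mapping of 192.54.112.30 to the com zone are hypothetical names and assumptions.

```python
import re

# The nine "rcvd" record lines from the ndb/dns debug log in the message above.
LOG = """\
rei2 Aug 29 04:25:26 61255: rcvd 192.54.112.30 ns aback.com ns ns.buydomains.com
rei2 Aug 29 04:25:26 61255: rcvd 192.54.112.30 ns aback.com ns this-domain-for-sale.com
rei2 Aug 29 04:25:26 61255: rcvd 192.54.112.30 ar ns.buydomains.com ip 64.95.64.93
rei2 Aug 29 04:25:26 61255: rcvd 192.54.112.30 ar this-domain-for-sale.com ip 64.95.64.96
rei2 Aug 29 04:25:26 61255: rcvd 64.95.64.93 an aback.com ip 64.95.64.218
rei2 Aug 29 04:25:26 61255: rcvd 64.95.64.93 ns com ns ns.buydomains.com
rei2 Aug 29 04:25:26 61255: rcvd 64.95.64.93 ns com ns this-domain-for-sale.com
rei2 Aug 29 04:25:26 61255: rcvd 64.95.64.93 ar ns.buydomains.com ip 64.95.64.93
rei2 Aug 29 04:25:26 61255: rcvd 64.95.64.93 ar this-domain-for-sale.com ip 64.95.64.96
"""

RECORD = re.compile(r"rcvd (\S+) (an|ns|ar) (\S+) (\S+) (\S+)$")

def in_bailiwick(name, zone):
    """True if name equals zone or is a subdomain of it (compared label by label)."""
    n = [l for l in name.lower().split(".") if l]
    z = [l for l in zone.lower().split(".") if l]
    return not z or n[-len(z):] == z

def filter_log(log, seed_zones):
    """Return (accepted, rejected) records; seed_zones maps server ip -> zone it serves."""
    zone_of = dict(seed_zones)   # server ip -> zone we were referred to it for
    ns_zone = {}                 # nameserver name -> zone delegated to it
    accepted, rejected = [], []
    for line in log.splitlines():
        m = RECORD.search(line)
        if not m:
            continue
        src, section, owner, rtype, data = m.groups()
        zone = zone_of.get(src)
        if zone is None or not in_bailiwick(owner, zone):
            rejected.append((src, section, owner, rtype, data))  # must not be cached
            continue
        accepted.append((src, section, owner, rtype, data))
        if section == "ns":
            ns_zone[data.lower()] = owner            # referral: data serves zone owner
        elif section == "ar" and owner.lower() in ns_zone:
            zone_of[data] = ns_zone[owner.lower()]   # glue: that ip answers for the child zone only
    return accepted, rejected

if __name__ == "__main__":
    # Assumption: the resolver already knows 192.54.112.30 (h.gtld-servers.net) as a com server.
    ok, bad = filter_log(LOG, {"192.54.112.30": "com"})
    for rec in bad:
        print("discard out-of-bailiwick:", *rec)
```

Run on the logged exchange, the referral and glue from the com server and the aback.com address record are kept, while every com NS record and all glue sent by 64.95.64.93 are discarded.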