Am I being attacked? Domain name and DNS server problem
Hello! This is most likely the wrong list, but I can't find a linux security list and this is a little bit urgent! Maybe someone off this list can give me some pointers.

My client has a domain. When I ping the domain, it resolves to the IP address of the dedicated server he is hosting on. But then, when I try to resolve the IP address back to a domain, using either host xx.xx.xx.xx on Mac OS X, or /usr/bin/resolveip xx.xx.xx.xx on Linux, the IP address is resolved to a domain name that is a little bit suspicious: ns2.decayandcorrupt.com

Is this an attack? Resolving an IP address to a hostname shouldn't return a nameserver, should it? Since the domain name ultimately resolves to the correct IP address, requests to the website are successful, and return the files we have hosted on the server. But the other way around, i.e. that the IP resolves to such a weird domain name, is a little bit suspicious to me.

ANY pointers would be helpful. We're a little bit desperate as support of our hosting companies wasn't very helpful, so I thought I'd ask here, since, IMO, this smells a little bit.

Thanks, Robert
Re: Am I being attacked? Domain name and DNS server problem
Robert MannI wrote: Hello! This is most likely the wrong list, but I can't find a linux security list and this is a little bit urgent! Maybe someone off this list can give me some pointers. My client has a domain. When I ping the domain, it resolves to the IP address of the dedicated server he is hosting on. But then, when I try to resolve the IP address back to a domain, using either host xx.xx.xx.xx on Mac OS X, or /usr/bin/resolveip xx.xx.xx.xx on Linux, the IP address is resolved to a domain name that is a little bit suspicious: ns2.decayandcorrupt.com Is this an attack? Resolving an IP address to a hostname shouldn't return a nameserver, should it?

Sounds more like just a screw-up. Forward and reverse zones are not related, and are stored in different files on the DNS servers. Zone delegations have to be done correctly to allow whoever controls the IP to do DNS for it.

If it's an attack, there doesn't seem to be much sense in it. Annoying, yes... but I can't think of a whole lot of attack vectors that would be able to make use of a bad reverse-DNS entry like that.

Nate
Re: Am I being attacked? Domain name and DNS server problem
On Sat, 18 Mar 2006, Robert MannI wrote: But then, when I try to resolve the IP address back to a domain, using either host xx.xx.xx.xx on Mac OS X, or /usr/bin/resolveip xx.xx.xx.xx on Linux, the IP address is resolved to a domain name that is a little bit suspicious: ns2.decayandcorrupt.com Is this an attack?

Not necessarily. It could be your client uses decayandcorrupt.com for their hosting, which itself is hosted within ev1servers.com.

I recommend using dig to find out where everything is, if you want the real story. 'dig a $hostname' will turn up the IP address, 'dig ns $hostname' will turn up the name server. If you want the whole zone file for inspection and to double-check, do 'dig @ns2.decayandcorrupt.com axfr $hostname' to get the whole zone file (and if it denies you, use ns1 instead), and double-check the whois record for the domain name.

-Dennis
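Nate's point that the forward zone and the reverse (in-addr.arpa) zone are separate records under separate control, and Dennis's suggestion to compare what dig returns for each direction, both come down to one check: does the PTR name an address resolves to also resolve forward to that same address (forward-confirmed reverse DNS)? The script below is an added example written for this thread, not code posted by any participant. It parses dig-style answer lines from a constructed sample (the names and 192.0.2.x addresses are placeholders, not the real hosts discussed) and classifies each address of a hostname as matching, confirmed under another name (what a virtual-hosting setup looks like), unconfirmed (the thread's symptom), or lacking a PTR.

```python
"""Forward-confirmed reverse DNS (FCrDNS) consistency check.

Added example, not from the mailing-list thread. Forward (A) and reverse (PTR)
records live in different zones, so they can disagree; this classifies the
disagreement rather than just reporting "the PTR looks odd".
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample in the "owner TTL IN TYPE rdata" form dig prints in its
# ANSWER section. Names and addresses are placeholders, not real records.
SAMPLE_ANSWERS = """
example.invalid.               3600 IN A   192.0.2.10
10.2.0.192.in-addr.arpa.       3600 IN PTR ns2.placeholder-host.invalid.
ns2.placeholder-host.invalid.  3600 IN A   192.0.2.20
www.example.invalid.           3600 IN A   192.0.2.11
11.2.0.192.in-addr.arpa.       3600 IN PTR www.example.invalid.
shared.example.invalid.        3600 IN A   192.0.2.12
12.2.0.192.in-addr.arpa.       3600 IN PTR vhost.placeholder-host.invalid.
vhost.placeholder-host.invalid. 3600 IN A  192.0.2.12
"""


def ptr_owner_to_ip(owner: str) -> str:
    """Turn '10.2.0.192.in-addr.arpa' back into '192.0.2.10' (validated)."""
    labels = owner[: -len(".in-addr.arpa")].split(".")
    return str(ipaddress.IPv4Address(".".join(reversed(labels))))


def ip_to_ptr_owner(ip: str) -> str:
    """The reverse of ptr_owner_to_ip: '192.0.2.10' -> '10.2.0.192.in-addr.arpa'."""
    return ".".join(reversed(str(ipaddress.IPv4Address(ip)).split("."))) + ".in-addr.arpa"


def parse_answers(text: str) -> Tuple[Dict[str, List[str]], Dict[str, str]]:
    """Return (forward, reverse).

    forward maps hostname -> list of IPv4 strings (A records);
    reverse maps IPv4 string -> PTR target. Trailing dots are stripped and
    names lower-cased so comparisons are case-insensitive, as DNS names are.
    """
    forward: Dict[str, List[str]] = {}
    reverse: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "IN":
            continue  # blank line, comment, or not an answer record
        owner, _ttl, _cls, rtype, rdata = parts
        owner = owner.rstrip(".").lower()
        rdata = rdata.rstrip(".").lower()
        if rtype == "A":
            forward.setdefault(owner, []).append(rdata)
        elif rtype == "PTR" and owner.endswith(".in-addr.arpa"):
            reverse[ptr_owner_to_ip(owner)] = rdata
    return forward, reverse


def check_host(hostname: str, forward: Dict[str, List[str]],
               reverse: Dict[str, str]) -> List[dict]:
    """Classify every A record of hostname by what its PTR says.

    match:                 PTR names the queried host itself.
    confirmed-other-name:  PTR names a different host whose A record includes
                           this IP (FCrDNS passes; typical of shared hosting).
    unconfirmed:           PTR names a host that does NOT resolve back here
                           (stale or mis-delegated reverse zone).
    no-ptr:                no PTR record at all for the address.
    """
    hostname = hostname.rstrip(".").lower()
    findings = []
    for ip in forward.get(hostname, []):
        ptr = reverse.get(ip)
        if ptr is None:
            status = "no-ptr"
        elif ptr == hostname:
            status = "match"
        elif ip in forward.get(ptr, []):
            status = "confirmed-other-name"
        else:
            status = "unconfirmed"
        findings.append({"ip": ip, "ptr": ptr, "status": status})
    return findings


if __name__ == "__main__":
    fwd, rev = parse_answers(SAMPLE_ANSWERS)
    for name in ("example.invalid", "www.example.invalid", "shared.example.invalid"):
        for f in check_host(name, fwd, rev):
            print(f"{name:24} {f['ip']:12} PTR={f['ptr']!s:32} {f['status']}")
```

To run it against live data, feed `parse_answers` the ANSWER sections of `dig +noall +answer a $hostname`, `dig +noall +answer -x $ip`, and a forward lookup of whatever name the PTR returned; the classification logic stays the same. An "unconfirmed" result on its own is evidence of a neglected reverse zone, not of tampering; a changed A record or NS set for the forward zone would be the thing to worry about.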
Re: Am I being attacked? Domain name and DNS server problem
Incoming from Robert MannI: But then, when I try to resolve the IP address back to a domain, using either host xx.xx.xx.xx on Mac OS X, or /usr/bin/resolveip xx.xx.xx.xx on Linux, the IP address is resolved to a domain name that is a little bit suspicious: ns2.decayandcorrupt.com

Cache poisoning? Try dig ns on his fqdn.

-- Any technology distinguishable from magic is insufficiently advanced. (*)http://www.spots.ab.ca/~keeling Please don't Cc: me.
Re: Am I being attacked? Domain name and DNS server problem
On Mar 18, 2006, at 4:55 PM, Robert MannI wrote: This is most likely the wrong list, but I can't find a linux security list and this is a little bit urgent! Maybe someone off this list can give me some pointers.

Probably.

My client has a domain. When I ping the domain, it resolves to the IP address of the dedicated server he is hosting on. But then, when I try to resolve the IP address back to a domain, using either host xx.xx.xx.xx on Mac OS X, or /usr/bin/resolveip xx.xx.xx.xx on Linux, the IP address is resolved to a domain name that is a little bit suspicious. [...snip...] ANY pointers would be helpful. We're a little bit desperate as support of our hosting companies wasn't very helpful, so I thought I'd ask here, since, IMO, this smells a little bit.

Check out www.dnsstuff.com for a web i/f to some DNS diagnostics. dig is also quite useful on both MacOS and Linux.

My only other comment would be: How _sure_ are you that it's a dedicated server? Have you visited it? What you're describing sure looks like a virtual host config.