DNS Misbehaving

Published: 2006-12-26
Last Updated: 2006-12-27 04:33:14 UTC
by Marcus Sachs (Version: 1)
0 comment(s)
[see the update below - the problem is with Rogers Cable]

A reader reported some difficulties resolving www.zonelabs.com from Canada.  We checked our circuits and two different sites (one in Belgium, one in the USA) showed this:

From Belgium:
$ dig www.zonelabs.com a

; <<>> DiG 9.2.2 <<>> www.zonelabs.com a
;; global options:  printcmd
;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49741
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0


;; QUESTION SECTION:
;www.zonelabs.com.              IN      A

;; ANSWER SECTION:
www.zonelabs.com.       86400   IN      A       209.87.209.44

;; AUTHORITY SECTION:
zonelabs.com.           86400   IN      NS      dns1.zonelabs.com.
zonelabs.com.           86400   IN      NS      dns2.zonelabs.com.


From the USA:
~> dig www.zonelabs.com

; <<>> DiG 9.2.3 <<>> www.zonelabs.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61680
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;www.zonelabs.com.              IN      A

;; ANSWER SECTION:
www.zonelabs.com.       86245   IN      A       209.87.209.44

;; AUTHORITY SECTION:
zonelabs.com.           86245   IN      NS      ns8.checkpoint.com.
zonelabs.com.           86245   IN      NS      dns1.zonelabs.com.
zonelabs.com.           86245   IN      NS      dns2.zonelabs.com.
zonelabs.com.           86245   IN      NS      ns6.checkpoint.com.

We asked our Canadian friend to run a dig query and here was his output:

 dig www.zonelabs.com a

; <<>> DiG 9.3.1 <<>> www.zonelabs.com a
;; global options:  printcmd
;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46367
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0


;; QUESTION SECTION:
;www.zonelabs.com.              IN      A

;; ANSWER SECTION:
www.zonelabs.com.       3600    IN      A       127.0.0.1

;; AUTHORITY SECTION:
zonelabs.com.           86400   IN      NS      127.0.0.1.


I removed the DNS server IP addresses for privacy purposes, but you can clearly see what the problem is.  His ISP's DNS server returns an address of 127.0.0.1 as an answer.  This could be a local cache problem with his ISP or an indicator of a much larger attack. 

We need your help - run a dig query against your local DNS servers for www.zonelabs.com and let us know if you see 127.0.0.1 as the reply.  No need to let us know if the queries come out OK, just if you see 127.0.0.1.  Please use our contact page for submissions.

Thanks!

Marcus H. Sachs
Director, SANS Internet Storm Center

UPDATE
Numerous readers have written in to let us know that the problem appears to be solely with Rogers Cable DNS servers. There is no indication at this point that there is anything malicious afoot, although anytime a security software update site resolves incorrectly we need to dig into it.

There have been discussions in other forums about Rogers DNS problems, although we cannot determine if those are related to the zonelabs.com problem.

For the time being, Rogers customers may wish to change your DNS server settings to use one of the free public servers listed at http://www.opennic.unrated.net/public_servers.html or http://www.opendns.com/.

Thanks to everyone who responded!
g
Keywords:
0 comment(s)

Comments


Diary Archives