ignut

join:2013-06-20

[TWC] RR DNS response for a usps.com query

Is anyone else receiving an incorrect response from RR DNS servers for a query of usps.com?

nslookup usps.com 209.18.47.61
Server: dns-cac-lb-01.rr.com
Address: 209.18.47.61

Non-authoritative answer:
Name: usps.com
Address: 204.11.56.21

nslookup usps.com 209.18.47.62
Server: dns-cac-lb-02.rr.com
Address: 209.18.47.62

Non-authoritative answer:
Name: usps.com
Address: 204.11.56.21

The (correct) opendns response:
nslookup usps.com 208.67.220.220
Server: resolver2.opendns.com
Address: 208.67.220.220

Non-authoritative answer:
Name: usps.com
Address: 56.0.134.100

Roadrunner support refused to assist me in reporting this issue.

Occasionally I can get an accurate response:
nslookup usps.com 209.18.47.62
Server: dns-cac-lb-02.rr.com
Address: 209.18.47.62

Non-authoritative answer:
Name: usps.com
Address: 56.0.134.100

But only rarely.

Matt7

join:2001-01-02
Columbus, OH


Website does not work here in Columbus, Ohio either... (using RR's DNS)

virtualspin

join:2004-12-13
Utica, NY

reply to ignut
DNS

ignut

join:2013-06-20
reply to Matt7
Thank you for the reply Xsk8er, but can you see if roadrunner dns servers ( 209.18.47.61 and 209.18.47.62 ) are returning the right IP address when queried?

At a command prompt "nslookup usps.com 209.18.47.61" would show such information.

Thank you virtualspin, but my concern is not related to that attack.

Matt7

join:2001-01-02
Columbus, OH
said by ignut:

Thank you for the reply Xsk8er, but can you see if roadrunner dns servers ( 209.18.47.61 and 209.18.47.62 ) are returning the right IP address when queried?

Default Server: dns-cac-lb-02.rr.com
Address: 209.18.47.62

> usps.com
Server: dns-cac-lb-02.rr.com
Address: 209.18.47.62

Non-authoritative answer:
Name: usps.com
Address: 56.0.134.100

>

nslookup usps.com 209.18.47.61
Server: dns-cac-lb-01.rr.com
Address: 209.18.47.61

Non-authoritative answer:
Name: usps.com
Address: 56.0.134.100

ignut

join:2013-06-20
Thank you. My problem persists for some reason. Sometimes I get the proper response (56.0.134.100) but the majority of the time a malicious IP is sent as a response. Same result from numerous computers, Windows and Linux.

mackey
join:2007-08-20
reply to ignut
Bad here in SoCal

dig @209.18.47.61 usps.com
 
; <<>> DiG 9.8.0-P1-RedHat-9.8.0-3.P1.fc15 <<>> @209.18.47.61 usps.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13423
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
 
;; QUESTION SECTION:
;usps.com.                      IN      A
 
;; ANSWER SECTION:
usps.com.               300     IN      A       204.11.56.21
 
;; Query time: 63 msec
;; SERVER: 209.18.47.61#53(209.18.47.61)
;; WHEN: Thu Jun 20 00:44:39 2013
;; MSG SIZE  rcvd: 42
 

dig @209.18.47.61 usps.com ns
 
; <<>> DiG 9.8.0-P1-RedHat-9.8.0-3.P1.fc15 <<>> @209.18.47.61 usps.com ns
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43614
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
 
;; QUESTION SECTION:
;usps.com.                      IN      NS
 
;; ANSWER SECTION:
usps.com.               300     IN      NS      ns1621.ztomy.com.
usps.com.               300     IN      NS      ns2621.ztomy.com.
 
;; Query time: 62 msec
;; SERVER: 209.18.47.61#53(209.18.47.61)
;; WHEN: Thu Jun 20 00:47:59 2013
;; MSG SIZE  rcvd: 74
 

dig @209.18.47.61 usps.com any
 
; <<>> DiG 9.8.0-P1-RedHat-9.8.0-3.P1.fc15 <<>> @209.18.47.61 usps.com any
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61233
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0
 
;; QUESTION SECTION:
;usps.com.                      IN      ANY
 
;; ANSWER SECTION:
usps.com.               300     IN      SOA     ns1621.ztomy.com. abuse.opticaljungle.com. 2011062801 3600 900 604800 86400
usps.com.               300     IN      TXT     "v=spf1 a -all"
usps.com.               300     IN      PTR     ns1621.ztomy.com.
usps.com.               300     IN      A       204.11.56.21
usps.com.               300     IN      NS      ns1621.ztomy.com.
usps.com.               300     IN      NS      ns2621.ztomy.com.
 
;; Query time: 67 msec
;; SERVER: 209.18.47.61#53(209.18.47.61)
;; WHEN: Thu Jun 20 00:49:21 2013
;; MSG SIZE  rcvd: 186
 

/M
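The probe below is an added example, not code from this thread. It is a standard-library Python script that sends the same A and NS queries mackey ran with dig to several recursive resolvers and reports the two things the outputs above turn on: whether the resolvers disagree on the A record, and whether the NS set a resolver hands back is the delegation the zone owner expects. It deliberately does not take a majority vote, because in this case most resolvers agreed on the same wrong answer; the NS comparison is the decisive check. The resolver list comes from the thread; the "expected" NS names, and the sample answers used in the accompanying checks, are assumptions constructed for illustration.

```python
# Added example (not from this thread): a stdlib-only DNS probe that asks
# several recursive resolvers for a name's A and NS records and reports
# (1) whether the resolvers disagree on the A record and (2) whether any
# resolver's NS set is not the delegation the zone owner expects.
import random
import socket
import struct

TYPE_A, TYPE_NS = 1, 2

# Resolvers seen in the thread; the "expected" NS names are an assumption
# standing in for whatever the zone owner actually delegates to.
RESOLVERS = ["209.18.47.61", "209.18.47.62", "8.8.8.8", "208.67.220.220"]
EXPECTED_NS = {"ns1.example-authoritative.net.", "ns2.example-authoritative.net."}


def build_query(name, qtype, txid):
    """Wire-format query: 12-byte header (RD=1), QNAME labels, QTYPE, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def read_name(msg, off, hops=0):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    if hops > 20:
        raise ValueError("compression pointer loop")
    labels = []
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # pointer: 14-bit offset, ends this name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = read_name(msg, ptr, hops + 1)
            parts = labels + ([tail.rstrip(".")] if tail != "." else [])
            return (".".join(parts) + "." if parts else "."), off + 2
        off += 1
        if length == 0:
            return (".".join(labels) + "." if labels else "."), off
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_response(msg):
    """Return {'id', 'rcode', 'answers': [(owner, rtype, ttl, value)]}."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                      # skip the echoed question
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_A and rdlen == 4:
            value = socket.inet_ntoa(msg[off:off + 4])
        elif rtype == TYPE_NS:
            value, _ = read_name(msg, off)   # NS rdata may use compression
        else:
            value = msg[off:off + rdlen].hex()
        answers.append((owner, rtype, ttl, value))
        off += rdlen
    return {"id": txid, "rcode": flags & 0xF, "answers": answers}


def query(resolver_ip, name, qtype, timeout=3.0):
    """One UDP query to one resolver; rejects replies whose ID does not match."""
    txid = random.randrange(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype, txid), (resolver_ip, 53))
        reply = parse_response(s.recv(4096))
    if reply["id"] != txid:
        raise ValueError("transaction ID mismatch from %s" % resolver_ip)
    return reply


def collect(resolver_ip, name):
    """{'A': set of IPs, 'NS': set of names} as seen by one resolver."""
    a = {v for _, t, _, v in query(resolver_ip, name, TYPE_A)["answers"] if t == TYPE_A}
    ns = {v for _, t, _, v in query(resolver_ip, name, TYPE_NS)["answers"] if t == TYPE_NS}
    return {"A": a, "NS": ns}


def audit(observed, expected_ns):
    """observed: {resolver: {'A': set, 'NS': set}}.  Majority vote is deliberately
    not used: in the case above most resolvers agreed on the wrong answer."""
    expected = {n.lower() for n in expected_ns}
    unexpected = {r: sorted({n.lower() for n in v["NS"]} - expected)
                  for r, v in observed.items()
                  if {n.lower() for n in v["NS"]} - expected}
    return {"a_disagreement": len({frozenset(v["A"]) for v in observed.values()}) > 1,
            "unexpected_ns": unexpected}


if __name__ == "__main__":
    seen = {r: collect(r, "usps.com") for r in RESOLVERS}
    for r, v in seen.items():
        print(r, sorted(v["A"]), sorted(v["NS"]))
    print(audit(seen, EXPECTED_NS))
```

Run it as a script to query the live resolvers; the parsing and audit functions are independent of the network, so they can also be fed captured packets or the answer sets transcribed from a thread like this one. Set EXPECTED_NS to the delegation you get from the parent zone (the .com servers) or from the zone owner, not from a recursive resolver, since in this incident the recursive resolvers were faithfully reporting a delegation that had itself been changed.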

mackey
join:2007-08-20
reply to ignut
Seems there's some DNS poisoning going on.

usps.com, fidelity.com, Linkedin.com, yelp.com, and others are affected: »www.mentby.com/Group/nanog/need-···dns.html

/M

ignut

join:2013-06-20
reply to virtualspin
Thank you virtualspin, yes opendns and the DNS servers I run myself also respond correctly, and I can bypass the problem via my hosts file as well. I am more concerned with why this is happening. If the RR DNS servers have been compromised they could be redirecting many other domains in addition to usps.com.

Thanks mackey, that is the result I see.

RR live chat disconnected after 10 minutes of waiting for an analyst and refused to reconnect. I spent 1 hour on the phone with RR support but they refused to escalate my inquiry, opting to tell me to contact Microsoft and seek their advice as to which anti-virus/anti-malware application I should use to clean my computers of a non-existent infection. This has been a nightmare. I can easily bypass the issue personally, but if the issue is on Roadrunner's end it could impact a lot of subscribers.


mackey
join:2007-08-20
reply to virtualspin
said by virtualspin:

y.ns.gin.ntt.net 129.250.35.251

Nope:
dig @y.ns.gin.ntt.net usps.com 
 
; <<>> DiG 9.8.0-P1-RedHat-9.8.0-3.P1.fc15 <<>> @y.ns.gin.ntt.net usps.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46511
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
 
;; QUESTION SECTION:
;usps.com.                      IN      A
 
;; ANSWER SECTION:
usps.com.               292     IN      A       204.11.56.21
 
;; Query time: 20 msec
;; SERVER: 129.250.35.251#53(129.250.35.251)
;; WHEN: Thu Jun 20 01:10:09 2013
;; MSG SIZE  rcvd: 42
 

/M

mackey
join:2007-08-20
reply to virtualspin
said by virtualspin:

Server: x.ns.gin.ntt.net

said by mackey:

dig @y.ns.gin.ntt.net usps.com

/M


mackey
join:2007-08-20
Heh, even Google's DNS is failing now:
dig @8.8.8.8 usps.com
 
;; QUESTION SECTION:
;usps.com.                      IN      A
 
;; ANSWER SECTION:
usps.com.               297     IN      A       204.11.56.21
 
;; Query time: 43 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Jun 20 01:26:51 2013
;; MSG SIZE  rcvd: 42
 

/M

kontos
xyzzy

join:2001-10-04
West Henrietta, NY
reply to ignut
Likely related to problems with their Registrar:
»www.networksolutions.com/blog/20···-issues/

(not that it will tell you much)

cramer
join:2007-04-10
Raleigh, NC
reply to ignut
Not that this thread needs any more input, but it was not poisoning or hijacking. It appears to have been netsol being the complete tools that everyone knows they are... a "misconfiguration" is all they're saying about it. However, the entire networking community is calling bulls***, as there's an interesting set of (~50k) "random" domains with their nameservers reset to a sequence of ztomy servers.

(Note, we dropped netsol a decade ago due to their *continuous* stupidity: dns records changing at random with "no record" of what changed it, emails taking 16 HOURS to get through their crap system, billing errors, account management errors...)