Re: 208.91.197.27



  • Greetings,

I have an issue where if I try to ping a random host (it does not even have to exist), it will resolve it to 208.91.197.27.  For example, I can ping

    [2.2.4-RELEASE][admin@mypfsense.mydomain.net]/root: ping unknown
    PING unknown.mydomain.net (208.91.197.27): 56 data bytes
    64 bytes from 208.91.197.27: icmp_seq=0 ttl=244 time=49.751 ms
    64 bytes from 208.91.197.27: icmp_seq=1 ttl=244 time=53.257 ms
    64 bytes from 208.91.197.27: icmp_seq=2 ttl=244 time=49.659 ms
    64 bytes from 208.91.197.27: icmp_seq=3 ttl=244 time=50.450 ms
    64 bytes from 208.91.197.27: icmp_seq=4 ttl=244 time=50.511 ms
    64 bytes from 208.91.197.27: icmp_seq=5 ttl=244 time=54.054 ms
    64 bytes from 208.91.197.27: icmp_seq=6 ttl=244 time=51.059 ms
    64 bytes from 208.91.197.27: icmp_seq=7 ttl=244 time=51.623 ms

my DNS is set up to point to 8.8.8.8 as primary and 4.2.2.2 as secondary.  Any idea why random names are getting resolved to that IP?

    Thanks for the help!

    vhtan00


  • Banned

    Why? Because the guys running the 4.2.2.2 DNS server apparently love hijacking nonexistent domains. Do not use that evil DNS server.

    http://drewgraybeal.blogspot.cz/2015/05/level-3-dns-hijacking-4222-and-others.html


  • Rebel Alliance Global Moderator

mydomain.net would be a HORRIFIC example of a domain that doesn't exist because it actually does

    Domain Name: MYDOMAIN.NET
    Registry Domain ID: 2563492_DOMAIN_NET-VRSN
    Registrar WHOIS Server: whois.domain.com
    Registrar URL: www.domain.com
    Updated Date: 2015-03-18T03:47:21Z
    Creation Date: 1996-04-15T04:00:00Z
    Registrar Registration Expiration Date: 2016-04-16T04:00:00Z
    Registrar: Domain.com, LLC
    Registrar IANA ID: 886
    Registrar Abuse Contact Email: compliance@domain-inc.net
    Registrar Abuse Contact Phone: +1.6027165396
    Reseller: Domain Name Holding Company, Inc
    Reseller: corpdomains@endurance.com

    why don't you ping something like testhost.lasjlfdsjfdzlsjfdljfdszljwslfe.com what comes up then?

Most domains that are being held or parked have wildcard records, so yeah lasjfdlsjfljfsdljfd.mydomain.net would resolve..

    ;; QUESTION SECTION:
    ;; lsjfldsjsdf.mydomain.net.    IN      A

    ;; ANSWER SECTION:
    lsjfldsjsdf.mydomain.net.      1800    IN      A      66.150.161.140
    lsjfldsjsdf.mydomain.net.      1800    IN      A      69.25.27.170
    lsjfldsjsdf.mydomain.net.      1800    IN      A      63.251.171.81
    lsjfldsjsdf.mydomain.net.      1800    IN      A      63.251.171.80
    lsjfldsjsdf.mydomain.net.      1800    IN      A      69.25.27.173
    lsjfldsjsdf.mydomain.net.      1800    IN      A      66.150.161.141


  • Banned

    
    ; <<>> DiG 9.9.6-P1 <<>> testhost.lasjlfdsjfdzlsjfdljfdszljwslfe @4.2.2.2
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61611
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
    
    ;; QUESTION SECTION:
    ;testhost.lasjlfdsjfdzlsjfdljfdszljwslfe. IN A
    
    ;; ANSWER SECTION:
    testhost.lasjlfdsjfdzlsjfdljfdszljwslfe. 10 IN A 198.105.244.11
    testhost.lasjlfdsjfdzlsjfdljfdszljwslfe. 10 IN A 198.105.254.11
    
    ;; Query time: 49 msec
    ;; SERVER: 4.2.2.2#53(4.2.2.2)
    ;; WHEN: Wed Sep 09 14:08:53 CEST 2015
    ;; MSG SIZE  rcvd: 89
    
    

    You must "love" such "service", no?  ::) ::) ::)



  • I apologize, I should have been more specific.  I replaced my internal domain name (for security purpose) with "mydomain.net".  I'll try switching the public DNS server with my ISP's to see if the problem goes away.

    Thank you.

    vhtan00


  • Rebel Alliance Global Moderator

    yeah I am with you dok.. Got to love the dns services that hand out parking and nonsense with nx domains vs nx..

    Which is part of the reason I run a RESOLVER vs Forwarder ;)

If you don't want such stuff to happen, resolve, don't forward, would be my suggestion.. Many of the popular public name servers do that.. OpenDNS was one of the first that was terrible at it with redirects, they got a lot of gruff about it too.

    google hasn't started doing it that I am aware

    C:>dig @8.8.8.8 lsjfdlsjsfd.odsjldsjfslfd.com

    ; <<>> DiG 9.10.3rc1 <<>> @8.8.8.8 lsjfdlsjsfd.odsjldsjfslfd.com
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10285
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 512
    ;; QUESTION SECTION:
    ;lsjfdlsjsfd.odsjldsjfslfd.com. IN      A

    ;; AUTHORITY SECTION:
    com.                    899    IN      SOA    a.gtld-servers.net. nstld.verisign-grs.com. 1441801312 1800 900 604800 86400

    ;; Query time: 83 msec
    ;; SERVER: 8.8.8.8#53(8.8.8.8)
    ;; WHEN: Wed Sep 09 07:22:12 Central Daylight Time 2015
    ;; MSG SIZE  rcvd: 131
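The thread shows the two shapes a defender needs to tell apart: an honest NXDOMAIN from 8.8.8.8 (with the TLD's SOA in the AUTHORITY section proving the parent zone denies the name) versus NOERROR plus A records from 4.2.2.2 for a name that cannot exist. The script below is an added example, not code from the thread or from pfSense; it parses text in the format dig prints, classifies each response, and applies the second heuristic the thread illustrates with 208.91.197.27: the same landing IPs coming back for unrelated random names. The two first samples follow the 4.2.2.2 and 8.8.8.8 transcripts quoted above; the third sample and its query name are constructed to show the repeated-IP pattern. As the moderator points out, the test name must sit under a domain that does not exist at all, otherwise a parked domain's legitimate wildcard record would look like a hijack.

```python
"""Added example (not from the thread or pfSense): flag a resolver that
answers nonexistent names instead of returning NXDOMAIN.

Input is dig-style text output. Samples 1 and 2 follow the thread's
4.2.2.2 and 8.8.8.8 transcripts; sample 3 is constructed.
"""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^;; (\w+) SECTION:")
STATUS_RE = re.compile(r"status: (\w+)")

SAMPLE_4222 = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61611
;; QUESTION SECTION:
;testhost.lasjlfdsjfdzlsjfdljfdszljwslfe. IN A
;; ANSWER SECTION:
testhost.lasjlfdsjfdzlsjfdljfdszljwslfe. 10 IN A 198.105.244.11
testhost.lasjlfdsjfdzlsjfdljfdszljwslfe. 10 IN A 198.105.254.11
"""

SAMPLE_8888 = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10285
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;lsjfdlsjsfd.odsjldsjfslfd.com. IN      A
;; AUTHORITY SECTION:
com.                    899    IN      SOA    a.gtld-servers.net. nstld.verisign-grs.com. 1441801312 1800 900 604800 86400
"""

# Constructed sample: a second random name sent to the same hijacking resolver.
SAMPLE_4222_AGAIN = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; QUESTION SECTION:
;www.qzqzqzqzqzqzqzqzqz. IN A
;; ANSWER SECTION:
www.qzqzqzqzqzqzqzqzqz. 10 IN A 198.105.244.11
www.qzqzqzqzqzqzqzqzqz. 10 IN A 198.105.254.11
"""


def parse_dig(text):
    """Return {'status', 'qname', 'sections': {NAME: [(owner, type, rdata)]}}."""
    result = {"status": None, "qname": None, "sections": defaultdict(list)}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";; ->>HEADER<<-"):
            m = STATUS_RE.search(line)
            result["status"] = m.group(1) if m else None
            continue
        m = SECTION_RE.match(line)
        if m:                      # ";; X SECTION:" (OPT PSEUDOSECTION does not match)
            section = m.group(1)
            continue
        if section == "QUESTION" and line.startswith(";"):
            result["qname"] = line.lstrip(";").split()[0]
            continue
        if line.startswith(";") or section is None:
            continue               # comments, EDNS line, trailer
        fields = line.split()
        if len(fields) >= 5 and fields[2] == "IN":
            result["sections"][section].append(
                (fields[0], fields[3], " ".join(fields[4:])))
    result["sections"] = dict(result["sections"])
    return result


def classify(parsed):
    """Classify one response for a name chosen so that it cannot exist.

    'nxdomain'    honest negative answer
    'synthesized' NOERROR with A records: the resolver (or something in the
                  path to it) made the answer up
    'other'       SERVFAIL, empty NOERROR, and so on
    """
    a_records = [r for r in parsed["sections"].get("ANSWER", []) if r[1] == "A"]
    if parsed["status"] == "NXDOMAIN" and not a_records:
        return "nxdomain"
    if parsed["status"] == "NOERROR" and a_records:
        return "synthesized"
    return "other"


def negative_proof(parsed):
    """Owner of the SOA in AUTHORITY, e.g. 'com.' when the TLD itself denies
    that the second-level domain exists; None if no SOA was returned."""
    for owner, rtype, _ in parsed["sections"].get("AUTHORITY", []):
        if rtype == "SOA":
            return owner
    return None


def shared_answer_ips(parsed_list):
    """IPs returned for more than one distinct query name: the hallmark of a
    resolver that points every nonexistent name at one landing host."""
    names_by_ip = defaultdict(set)
    for p in parsed_list:
        for _, rtype, rdata in p["sections"].get("ANSWER", []):
            if rtype == "A":
                names_by_ip[rdata].add(p["qname"])
    return {ip for ip, names in names_by_ip.items() if len(names) > 1}
```

To audit a resolver in practice, run `dig @<resolver> <random>.<random>.com` a few times with freshly generated labels, feed each transcript to `parse_dig`, and treat any `synthesized` result, or a non-empty set from `shared_answer_ips`, as a reason to stop forwarding to that server and resolve locally instead, as the moderator recommends.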