Solved

another unknown domain has a record pointing to my domain

Posted on 2011-10-31
Last Modified: 2012-05-12
If I do a reverse DNS lookup on my domain's public IP address, I see an unknown domain in the list of websites that use this IP address.
This unknown domain does not belong to me but to a jeefang cheng in Fuzhou City China, who also owns 960 other domains.

I know it's not illegal, but WHAT EXACTLY can jeefang chen gain from this?

- boosting the ranking of the other domain?
- some kind of impersonation that depends on reverse DNS
- spamming by spoofing my e-mail addresses?
- stealing passwords that are used to access my domain?

I can't quite see how any of these might work... All ideas and clarification welcome
Question by: Carol Chisholm
51 Comments

Expert Comment by Papertrip (LVL 21), ID: 37058986
> - boosting the ranking of the other domain?
Possibly.
> - some kind of impersonation that depends on reverse DNS
Nope.
> - spamming by spoofing my e-mail addresses?
Possibly.  An easy fix you should have in place for that anyways is an SPF record for your domain.
> - stealing passwords that are used to access my domain?
Nope.

Expert Comment by Papertrip (LVL 21), ID: 37058992
Basically for anything malicious to happen here, that person would need control of either your forward or reverse zones.

Expert Comment by xterm (LVL 19), ID: 37059033
If you are doing a REVERSE lookup, then the record assigned to your IP is probably just one that was previously used, and your current IP host can fix this.

If the IP address is say 1.2.3.4, then you can find who the authoritative source is for inverse DNS by doing:

$>  dig ns 4.3.2.1.in-addr.arpa

And look for the line that says something like:

;; AUTHORITY SECTION:
3.2.1.in-addr.arpa.     58      IN      SOA     ns1.somedomain.com. dns-admin.somedomain.com. 1466765 21600 3600 1209600 10800

That "ns1.somedomain.com" is who is actually in charge of inverse DNS for that IP - you should recognize the domain as your own host provider.  Simply email them and tell them to change the PTR (aka pointer) record for your IP to yourhost.yourdomain.com.

As to the questions about what jeefang chen can gain from that record, the answer is a strong NO to all 4 questions - they get nothing from this.  It's just record keeping.

Author Comment by Carol Chisholm (LVL 16), ID: 37060951
@xterm you have not understood the problem: the unwanted record is not at my ISP but at another ISP, owned by a person in China with whom I have no contact.
It is not a "leftover record"; my domain has been at the same ISP and address for years, and the other domain is in a completely different IP space.
I will write to their ISP, but what I am interested in is why they should do this and what their interest might be.

Expert Comment by Papertrip (LVL 21), ID: 37060970
Hi carolchi,

Put your IP into http://www.kloth.net/services/dig.php , change Query type to PTR, click 'Look it up'.  If the PTR resolves to your hostname, then you are good.

What the person in China can accomplish with having an A record pointing to your IP are slim to none.

No need to concern yourself with this.

Expert Comment by xterm (LVL 19), ID: 37060973
@carolchi
I understand the problem perfectly if you described it accurately.

There are two types of DNS, forward and reverse.

When you look up a name, and it returns an IP, that is called forward DNS.
i.e.  nslookup ibm.com = 129.42.38.1
In this case, the DOMAIN owner has control of this record, and can make it whatever he wants.

If you look up an IP and it returns a name, that is called inverse or reverse DNS:
i.e. nslookup 129.42.38.1 = redirect.www.ibm.com

IBM controls the first one, because they run DNS for their own domain name.  HOWEVER, they have no control over what appears for the second one - that is controlled by the IP owner, or whomever is delegated inverse DNS for the IP range:

ie.
$> dig ns 1.38.42.129.in-addr.arpa

;; AUTHORITY SECTION:
38.42.129.in-addr.arpa. 10800   IN      SOA     ns1.events.ihost.com. hostmaster.events.ihost.com. 2010081800 7200 1800 604800 28800

This means IBM (just like you) can make ibm.com look up to whatever it wants to, but it has no control over what its IP address resolves to because that is handled by ihost.com (in this case, it's also a sister company, but you get the point.)

I hope I'm explaining it clearly.  Can you just tell me the actual IP address so I can use the real example?
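To make the forward/reverse distinction from the two explanations above concrete, here is an added example (not code from either expert): it builds the in-addr.arpa name that `dig` needs, parses the SOA line quoted above to find whom to contact about a PTR, runs the "does the PTR resolve to your hostname" check Papertrip describes, and lists what a web "reverse IP" tool would show. All hostnames and the PTR/A tables are constructed stand-ins for live lookups so it runs offline.

```python
import re
import ipaddress

# Constructed stand-ins for live DNS answers (this example runs offline).
# The dig output mirrors the AUTHORITY SECTION quoted earlier in the thread.
DIG_AUTHORITY = """;; AUTHORITY SECTION:
38.42.129.in-addr.arpa. 10800   IN      SOA     ns1.events.ihost.com. hostmaster.events.ihost.com. 2010081800 7200 1800 604800 28800
"""
# Reverse zone (constructed): the IP holder's PTRs, with a second, stray PTR
# of the kind a fat-fingered zone file produces.
PTR_TABLE = {
    "4.3.2.1.in-addr.arpa.": ["yourhost.yourdomain.example.", "stray.ptr.example."],
}
# Forward zones (constructed): the owner's own host plus an unrelated domain
# whose A record points at the same IP (the conspark.com / IBM situation).
A_TABLE = {
    "yourhost.yourdomain.example": ["1.2.3.4"],
    "other-party.example": ["1.2.3.4"],
}

SOA_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+SOA\s+(\S+)\s+(\S+)\s", re.M)


def reverse_name(ip: str) -> str:
    """Owner name to query for a PTR/SOA, e.g. 129.42.38.1 -> 1.38.42.129.in-addr.arpa.
    (an IPv6 address gets the nibble form under ip6.arpa.)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def soa_contact(dig_output: str):
    """Pull (zone, primary NS, admin mailbox) out of a dig AUTHORITY SECTION SOA.
    The first dot of the RNAME stands for '@', so hostmaster.events.ihost.com.
    is the mailbox hostmaster@events.ihost.com. Returns None if no SOA is present."""
    m = SOA_RE.search(dig_output)
    if not m:
        return None
    zone, mname, rname = m.groups()
    local, _, domain = rname.rstrip(".").partition(".")
    return zone, mname.rstrip("."), f"{local}@{domain}"


def check_reverse(ip: str, expected_host: str, ptr_table, a_table) -> dict:
    """Forward-confirmed reverse DNS: 'confirmed' is True when a PTR for ip names
    expected_host and that name resolves back to ip. 'stray' lists any other PTR
    names at the IP; only the in-addr.arpa holder (see soa_contact) can remove them."""
    names = [n.rstrip(".").lower() for n in ptr_table.get(reverse_name(ip), [])]
    want = expected_host.rstrip(".").lower()
    confirmed = want in names and ip in a_table.get(want, [])
    return {"confirmed": confirmed, "stray": [n for n in names if n != want]}


def names_pointing_at(ip: str, a_table) -> list:
    """What a web 'reverse IP' tool lists: every known name whose A record is ip.
    These records live in other people's forward zones, so the IP holder cannot
    change them; the only record that is theirs is the PTR."""
    return sorted(n for n, ips in a_table.items() if ip in ips)


if __name__ == "__main__":
    print(reverse_name("129.42.38.1"))
    print(soa_contact(DIG_AUTHORITY))
    print(check_reverse("1.2.3.4", "yourhost.yourdomain.example", PTR_TABLE, A_TABLE))
    print(names_pointing_at("1.2.3.4", A_TABLE))
```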
 
Accepted Solution by Papertrip (LVL 21), earned 1500 total points, ID: 37060978
> What the person in China can accomplish with having an A record pointing to your IP are slim to none.
> No need to concern yourself with this.
Rephrase:
What the person in China can accomplish with having an A record pointing to your IP is nothing to be concerned with.

Expert Comment by xterm (LVL 19), ID: 37060980
I guess what I'm saying is that if it's not a leftover record, and it just appeared, then it's a newly made mistake by your CURRENT IP host.  Only they can control what your IP address resolves to.

And they can make it resolve to whatever they want, so if they gave you IP 4.3.2.1, they can make it be some.china.company.com, or they can make it alien.from.outer.space - it doesn't matter - the result given by a PTR lookup does not necessarily have anything to do with the source.

Expert Comment by Papertrip (LVL 21), ID: 37060990
@xterm -- I think what he is seeing is some list of known hostnames that have been pointed to his IP at some point in the past.

Expert Comment by Papertrip (LVL 21), ID: 37060994
*or currently pointed to for that matter.

Expert Comment by xterm (LVL 19), ID: 37060997
> If I do a reverse DNS lookup on my domain's public IP address, I see an unknown domain in the list of websites that use this IP address.
> This unknown domain does not belong to me but to a jeefang cheng in Fuzhou City China, who also owns 960 other domains

@Papertrip
I don't think so - I am sure he is doing an nslookup up on his IP address, and it's returning multiple PTRs due to a mistake at his ISP that just recently happened.  And only his ISP can change the inverse DNS on his IP - nobody in China or anywhere else has any ability to change this unless the IP owner has specifically delegated authority for inverse to the remote provider.  I can look this up if we get the IP though and confirm this 100%

Expert Comment by xterm (LVL 19), ID: 37060999
@carolchi
Please supply the IP address and I will tell you with certainty who is responsible for configuring the unknown domain

Expert Comment by Papertrip (LVL 21), ID: 37061002
I see your side and mine as possibilities, but we are just guessing at that at this point.

Let's see what he comes back with from the dig ptr lookup... I think this just might be some wording confusion.

Expert Comment by Papertrip (LVL 21), ID: 37061011
Also please provide a link to the tool you used that showed this China domain.

Perhaps I'm putting too much faith in his ISP not creating multiple PTRs for his IP...  Honestly I'm not even sure if BIND will allow that, not about to test it.

Expert Comment by xterm (LVL 19), ID: 37061018
BIND absolutely allows it - I used to do it for customers until I decided I wasn't in favor of the RFC, and changed policy.

But I don't think they did it on purpose - I think they just overlapped PTRs for another IP - it's incredibly simple to fat-finger a zone file in this manner, since you use vi to edit it and usually just copy the previous line and edit it to form the new PTR.  My staff has done it a million times.

Expert Comment by Papertrip (LVL 21), ID: 37061022
A great reason to convert your zones to dynamic and train your staff to use nsupdate ;)

Expert Comment by Papertrip (LVL 21), ID: 37061023
Alright well now I'm even more curious as to what the PTR results will show!

Expert Comment by xterm (LVL 19), ID: 37061030
>  A great reason to convert your zones to dynamic and train your staff to use nsupdate ;)

Touche.

But I'll accept your crow in return when carolchi posts the IP address with the bad PTR :)

Author Comment by Carol Chisholm (LVL 16), ID: 37061031
I go to domaintools.com
I type in the IP address of my domain.

Domaintools returns various details including:
ReverseIP: that 5 domains are using this address (4 domains are mine, variants on the domain name, one belongs to Jeefang Chen).

My domains are at my ISP, are not co-hosted, and have been at the same IP address for years.

The spurious domain belonging to jeefang chan is at another ISP, and seems to have no purpose other than to refer traffic to my domain.

Expert Comment by Papertrip (LVL 21), ID: 37061039
> I go to domaintools.com
Please use the tool I linked at http:#37060970 and paste the output.  Sanitize it as you see fit, but don't mangle the output too much.

Expert Comment by xterm (LVL 19), ID: 37061040
Which exact tool are you entering your IP in on domaintools.com?

Can you give us the URL?

Does "nslookup <spurious.domain>" resolve to your IP?

Or does "nslookup <your ip>" resolve to spurious.domain?

It would be most helpful if you could supply the IP and domain in question.

Author Comment by Carol Chisholm (LVL 16), ID: 37061042
If you do the same for IBM.com (129.42.56.216) there are 3 domains: ibm.com, ibm.com.lc and conspark.com.
Interestingly this is a similar case: conspark.com has nothing to do with IBM, has tucows as registrar.
If I type www.conspark.com into my browser I arrive at IBM's website!

Just trying to understand WHY? It can't be a mistake.

Expert Comment by Papertrip (LVL 21), ID: 37061047
> Touche.
>
> But I'll accept your crow in return when carolchi posts the IP address with the bad PTR :)

We can both be on the same team xterm :p  Many questions can be answered by both/either of us, there are plenty of points to go around.  Aside from that, we can always learn new things from each other.

Expert Comment by Papertrip (LVL 21), ID: 37061049
> It would be most helpful if you could supply the IP and domain in question.
Yar.

Expert Comment by xterm (LVL 19), ID: 37061055
@Papertrip:
I know, just having fun with it!  We are on the same team.

@carolchi:
Okay, that makes sense.  My guess is that if the china domain still points to that IP, it is old (maybe they had that IP years ago) or its just a typo, but I don't think there's anything malicious, and unless there is a ton of traffic coming to your host as a result, it doesn't hurt you in any way, nor expose you to any risk.

Expert Comment by Papertrip (LVL 21), ID: 37061069
Please, for xterm's and my sanity, paste at least one of the following:

Output from kloth.net PTR lookup
Actual IP you are concerned with
Tool you used that found the China domain (will still need the IP to verify from our end)

I promise this question can be closed in single reply to any of those questions.

Expert Comment by Papertrip (LVL 21), ID: 37061074
> I promise this question can be closed in single reply to any of those questions.
s/closed/answered/

Author Comment by Carol Chisholm (LVL 16), ID: 37061089
Here you go: a real IP to get your teeth into:

My domain is not IBM.com but IBM.com has an identical record

Go to domaintools.com
type 129.42.56.216 into the box beside the big yellow search for domain button

Domaintools returns various details including:
ReverseIP: that 3 domains are using this address: ibm.com, ibm.com.lc and conspark.com.

Conspark.com has nothing to do with IBM, it belongs to someone in Poland, just by the Russian border, has tucows as registrar.
If I type www.conspark.com into my browser I arrive at IBM's website!

Just trying to understand WHY? It can't be a mistake.

Author Comment by Carol Chisholm (LVL 16), ID: 37061097
To get to conspark.com I just click on the link in domain tools and read the whois.

Expert Comment by Papertrip (LVL 21), ID: 37061098
> Here you go: a real IP to get your teeth into:
> type 129.42.56.216 into the box beside the big yellow search for domain button
That is an IBM IP.

Need your IP.

Expert Comment by xterm (LVL 19), ID: 37061100
Could be any number of reasons, maybe just some old domain that they used to use.

For example, my domain is mygrande.com, pull that up in a browser.

Then go to texastripleplay.net

That's just some old domain we used like a billion years ago for some promotion - happens all the time.  domaintools.com keeps the history forever.  It's not really a big deal.

You can set your webserver to throw a custom 404 if you want to send a message to any visitors hitting spurious.domain :)

Expert Comment by Papertrip (LVL 21), ID: 37061105
Can we all just agree on one thing here -- if the PTR record for your IP resolves to your domain, then there is nothing to be concerned with.

Expert Comment by xterm (LVL 19), ID: 37061108
BTW, you are on experts-exchange.com and only people who have a valid account here can actually read these posts, so your IP/host data (which isn't really sensitive to begin with) can be shared freely without fear of prying eyes.

And really, it makes it a lot tougher for us experts to help you conceptually rather than substantively.

Author Comment by Carol Chisholm (LVL 16), ID: 37061116
I know that, it's more that the whole subject of what sort of monitoring of domains is an internal hot potato at the moment. Answer the question for IBM and I'll be happy.

Expert Comment by Papertrip (LVL 21), ID: 37061118
> BTW, you are on experts-exchange.com and only people who have a valid account here can actually read these posts, so your IP/host data (which isn't really sensitive to begin with) can be shared freely without fear of prying eyes.

Can we make that a comment when creating new questions please.

A very visible one.

Expert Comment by Papertrip (LVL 21), ID: 37061122
> I know that, it's more that the whole subject of what sort of monitoring of domains is an internal hot potato at the moment. Answer the question for IBM and I'll be happy.
If your PTR record points to your domain, this issue is resolved.

Author Comment by Carol Chisholm (LVL 16), ID: 37061127
MX records for mistyped domain names I can understand.
But WHY someone in Poland wants to buy a domain called conspark.com and then direct all the traffic to IBM.com I am less clear about.

Expert Comment by xterm (LVL 19), ID: 37061129
I did answer the question about IBM above - conspark.com  is probably just some domain they used for some pet project some time ago.  Unfortunately, they disabled crawling using robots.txt, so we can't look at it in the wayback machine at web.archive.org.  But you can probably pick just about any popular site IP and see other sites associated with it.

Expert Comment by xterm (LVL 19), ID: 37061139
I understand it seems weird to you to see that extra record, but as to these:

> - boosting the ranking of the other domain?
> - some kind of impersonation that depends on reverse DNS
> - spamming by spoofing my e-mail addresses?
> - stealing passwords that are used to access my domain?

None of them are possible at all, so the main thing is that your security is not compromised on any level whether this is intentional, or whether it's accidental (which I'm about 100% sure of)

Author Closing Comment by Carol Chisholm (LVL 16), ID: 37061141
not really got an answer

Expert Comment by xterm (LVL 19), ID: 37061146
wow.  The answer you accepted looks remarkably like the one I posted a day earlier though:

"As to the questions about what jeefang chen can gain from that records, the answer is a strong NO to all 4 questions - they get nothing from this.  It's just record keeping."

At worst, that should've been an equal split.  Not only that, neither of us had given up on helping you.  At any rate, good luck and hope you find out what you're looking for.

Expert Comment by Papertrip (LVL 21), ID: 37061154
:-/

Expert Comment by Papertrip (LVL 21), ID: 37061161
If you object xterm I got ya...

Author Comment by Carol Chisholm (LVL 16), ID: 37061164
I'm overwhelmed with the volume of unstructured questions and chat.
I remain unconvinced that it's a mistake.
I will pursue the problem elsewhere.

Expert Comment by xterm (LVL 19), ID: 37061224
@carolchi:
You had two industry professionals brainstorming to help come up with answer to something that you wouldn't disclose full details on, and neither quit.  But that is your prerogative, and I wish you the best finding what you are looking for.  It would however be nice that if (when) you corroborate what we've told you in terms of what I perceive to be your core issue, that your system is at no security risk, that you drop back by and update the thread to say that you concur.  That would make our efforts worthwhile.

@Papertrip:
No objection - I enjoyed working with you trying to come up with a solution, I'm sure we'll tag-team plenty of others.

Expert Comment by Papertrip (LVL 21), ID: 37061312
We asked several times for specific information that you never provided.  We gave accurate and complete answers (several times) given the information provided.  Instead of focusing on the initial question and accepting our explanations, you decided to focus on why some random domain resolved to an IBM at some point in the history of the internet.

In the end it's up to you to accept or not the advice given on experts-exchange, even when it is staring you in the face.

Expert Comment by Papertrip (LVL 21), ID: 37061324
Yeah, xterm said it better.

Author Comment by Carol Chisholm (LVL 16), ID: 37061372
I would suggest that you brainstorm a bit more quietly.
No need to get annoyed but the volume of chat was unbearable and not at all easy to follow.
And as for ploughing through all your chat and witty comments trying to identify a best answer - I have other things to do.

I'm sure you are both very professional and know a lot more than I do.
If I don't wish to disclose information, that's my problem. I understand it is not security sensitive.



Expert Comment by Papertrip (LVL 21), ID: 37061381
I will work on my telepathic brainstorming, thank you for the advice.

Have a good one!

Expert Comment by xterm (LVL 19), ID: 37061406
@Papertrip:
My email is fourthdown at gmail dot com - hit me offline & maybe in the future if we need to take comments outside of this interface, we can.  It's never been a problem in other threads that I helped folks on this site with (they are usually happy that it's not all technical banter) but different strokes I guess. Drop me a line.

Author Comment by Carol Chisholm (LVL 16), ID: 37077051
OK guys now I have to find out about companies who might provide monitoring services for this kind of thing (and MX records for typos and doppelgangers and all sorts of other paranoid stuff). Since you're industry professionals do you work for companies that provide this kind of service. Hundreds of domains...