another unknown domain has a record pointing to my domain

If I do a reverse DNS lookup on my domain's public IP address, I see an unknown domain in the list of websites that use this IP address.
This unknown domain does not belong to me but to a jeefang cheng in Fuzhou City China, who also owns 960 other domains.

I know it's not illegal, but WHAT EXACTLY can jeefang chen gain from this?

- boosting the ranking of the other domain?
- some kind of impersonation that depends on reverse DNS
- spamming by spoofing my e-mail addresses?
- stealing passwords that are used to access my domain?

I can't quite see how any of these might work... All ideas and clarification welcome
Carol Chisholm Asked:

Papertrip Commented:
- boosting the ranking of the other domain?
Possibly.
- some kind of impersonation that depends on reverse DNS
Nope.
- spamming by spoofing my e-mail addresses?
Possibly.  An easy fix you should have in place for that anyways is an SPF record for your domain.
- stealing passwords that are used to access my domain?
Nope.
0
Papertrip Commented:
Basically for anything malicious to happen here, that person would need control of either your forward or reverse zones.
0
xterm Commented:
If you are doing a REVERSE lookup, then the record assigned to your IP is probably just one that was previously used, and your current IP host can fix this.

If the IP address is say 1.2.3.4, then you can find who the authoritative source is for inverse DNS by doing:

$>  dig ns 4.3.2.1.in-addr.arpa

And look for the line that says something like:

;; AUTHORITY SECTION:
3.2.1.in-addr.arpa.     58      IN      SOA     ns1.somedomain.com. dns-admin.somedomain.com. 1466765 21600 3600 1209600 10800

That "ns1.somedomain.com" is who is actually in charge of inverse DNS for that IP - you should recognize the domain as your own host provider.  Simply email them and tell them to change the PTR (aka pointer) record for your IP to yourhost.yourdomain.com.

As to the questions about what jeefang chen can gain from that record, the answer is a strong NO to all 4 questions - they get nothing from this.  It's just record keeping.
0
Carol Chisholm (Author) Commented:
@xterm you have not understood the problem: the unwanted record is not at my ISP but at another ISP, owned by a person in China with whom I have no contact.
It is not a "left over" record; my domain has been at the same ISP and address for years, and the other domain is in a completely different IP space.
I will write to their ISP, but what I am interested in is why they should do this and what their interest might be.
0
Papertrip Commented:
Hi carolchi,

Put your IP into http://www.kloth.net/services/dig.php , change Query type to PTR, click 'Look it up'.  If the PTR resolves to your hostname, then you are good.

What the person in China can accomplish with having an A record pointing to your IP are slim to none.

No need to concern yourself with this.
0
xterm Commented:
@carolchi
I understand the problem perfectly if you described it accurately.

There are two types of DNS, forward and reverse.

When you look up a name, and it returns an IP, that is called forward DNS.
ie.  nslookup ibm.com = 129.42.38.1
In this case, the DOMAIN owner has control of this record, and can make it whatever he wants.

If you look up an IP and it returns a name, that is called inverse or reverse DNS:
ie. nslookup 129.42.38.1 = redirect.www.ibm.com

IBM controls the first one, because they run DNS for their own domain name.  HOWEVER, they have no control over what appears for the second one - that is controlled by the IP owner, or whomever is delegated inverse DNS for the IP range:

ie.
$> dig ns 1.38.42.129.in-addr.arpa

;; AUTHORITY SECTION:
38.42.129.in-addr.arpa. 10800   IN      SOA     ns1.events.ihost.com. hostmaster.events.ihost.com. 2010081800 7200 1800 604800 28800

This means, IBM (just like you) can make ibm.com look up to whatever it wants to, but it has no control over what its IP address resolves to because that is handled by ihost.com (in this case, it's also a sister company, but you get the point).

I hope I'm explaining it clearly.  Can you just tell me the actual IP address so I can use the real example?
0
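An added example (not code from xterm, Papertrip or anyone else in this thread) of the two lookups xterm walks through: building the in-addr.arpa name that `dig ns` is run against, then the forward-confirmed check that a PTR for an IP resolves back to that same IP, which is the test the thread settles on. All hostnames, addresses and resolver data below are constructed (documentation ranges), and the socket-based lookups are only needed for a live check.

```python
import socket
from typing import Callable, Dict, List

def reverse_name(ip: str) -> str:
    """Build the in-addr.arpa name a PTR lookup queries: octets reversed, so
    1.2.3.4 becomes 4.3.2.1.in-addr.arpa (the name xterm passes to `dig ns`)."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + ".in-addr.arpa"

def fcrdns_check(ip: str, ptr_lookup: Callable[[str], List[str]],
                 a_lookup: Callable[[str], List[str]]) -> Dict[str, object]:
    """Forward-confirmed reverse DNS.

    Reverse DNS (the PTR for ip) is controlled by the IP owner; forward DNS (the
    A record of each PTR target) is controlled by that name's domain owner.  A
    PTR target is "confirmed" only when its A record points back at ip.
    The two lookup functions are injected so the check can run offline.
    """
    report = {"ip": ip, "reverse_name": reverse_name(ip), "confirmed": [], "unconfirmed": []}
    for host in ptr_lookup(ip):
        bucket = "confirmed" if ip in a_lookup(host) else "unconfirmed"
        report[bucket].append(host)
    return report

def system_ptr_lookup(ip: str) -> List[str]:
    """PTR lookup through the OS resolver (returns [] when no PTR exists)."""
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
    except (socket.herror, socket.gaierror):
        return []
    return [host] + aliases

def system_a_lookup(name: str) -> List[str]:
    """IPv4 forward lookup through the OS resolver."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []

# Constructed sample data (documentation-range addresses, not real DNS): the IP has a
# correct PTR to its own host plus a stray PTR whose A record lives on another IP,
# i.e. the "overlapped PTR" mistake xterm describes later in the thread.
SAMPLE_PTR = {"192.0.2.10": ["www.example.com", "shop.example.net"]}
SAMPLE_A = {"www.example.com": ["192.0.2.10"], "shop.example.net": ["203.0.113.7"]}

def sample_check(ip: str = "192.0.2.10") -> Dict[str, object]:
    return fcrdns_check(ip, lambda i: SAMPLE_PTR.get(i, []), lambda n: SAMPLE_A.get(n, []))

if __name__ == "__main__":
    print(sample_check())  # pass system_ptr_lookup/system_a_lookup instead for a live check
```

Only the IP owner (or whoever they delegated the in-addr.arpa zone to) can change what lands in the "unconfirmed" list; a foreign domain's A record pointing at your IP never shows up in a PTR lookup at all.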
Papertrip Commented:
What the person in China can accomplish with having an A record pointing to your IP are slim to none.
No need to concern yourself with this.
Rephrase:
What the person in China can accomplish with having an A record pointing to your IP is nothing to be concerned with.
0
xterm Commented:
I guess what I'm saying is that if it's not a leftover record, and it just appeared, then it's a newly made mistake by your CURRENT IP host.  Only they can control what your IP address resolves to.

And they can make it resolve to whatever they want, so if they gave you IP 4.3.2.1, they can make it be some.china.company.com, or they can make it alien.from.outer.space - it doesn't matter - the result given by a PTR lookup does not necessarily have anything to do with the source.
0
Papertrip Commented:
@xterm -- I think what he is seeing is some list of known hostnames that have been pointed to his IP at some point in the past.
0
Papertrip Commented:
*or currently pointed to for that matter.
0
xterm Commented:
>If I do a reverse DNS lookup on my domain's public IP address, I see an unknown domain in the list of websites that use this IP address.
This unknown domain does not belong to me but to a jeefang cheng in Fuzhou City China, who also owns 960 other domains

@Papertrip
I don't think so - I am sure he is doing an nslookup on his IP address, and it's returning multiple PTRs due to a mistake at his ISP that just recently happened.  And only his ISP can change the inverse DNS on his IP - nobody in China or anywhere else has any ability to change this unless the IP owner has specifically delegated authority for inverse to the remote provider.  I can look this up if we get the IP though and confirm this 100%
0
xterm Commented:
@carolchi
Please supply the IP address and I will tell you with certainty who is responsible for configuring the unknown domain
0
Papertrip Commented:
I see your side and mine as possibilities, but we are just guessing at that at this point.

Let's see what he comes back with from the dig ptr lookup... I think this just might be some wording confusion.
0
Papertrip Commented:
Also please provide a link to the tool you used that showed this China domain.

Perhaps I'm putting too much faith in his ISP not creating multiple PTRs for his IP...  Honestly I'm not even sure if BIND will allow that, not about to test it.
0
xterm Commented:
BIND absolutely allows it - I used to do it for customers until I decided I wasn't in favor of the RFC, and changed policy.

But I don't think they did it on purpose - I think they just overlapped PTRs for another IP - it's incredibly simple to fat-finger a zone file in this manner, since you use vi to edit it and usually just copy the previous line and edit it to form the new PTR.  My staff has done it a million times.
0
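An added example (not from xterm or Papertrip) of catching the copy-and-edit mistake xterm describes before the zone is loaded: a check over a reverse zone file that flags owner names carrying more than one PTR, which BIND accepts but which almost always means a copied line had its target changed and its owner left alone. The zone file is constructed with documentation-range addresses and placeholder hostnames.

```python
from collections import defaultdict
from typing import Dict, List

# Constructed sample reverse zone (not from the thread): the line for host 11 was copied
# from host 10 and only the PTR target was edited, so 192.0.2.10 now carries two PTRs.
SAMPLE_ZONE = """\
$ORIGIN 2.0.192.in-addr.arpa.
$TTL 3600
@       IN SOA ns1.example-isp.net. hostmaster.example-isp.net. 2011110101 7200 1800 604800 28800
@       IN NS  ns1.example-isp.net.
10      IN PTR www.example.com.
10      IN PTR mail.other-customer.example.   ; should have been owner 11
12      IN PTR vps12.example-isp.net.
        IN PTR vps12-alias.example-isp.net.   ; blank owner inherits "12" on purpose
"""

def parse_ptr_records(zone_text: str) -> Dict[str, List[str]]:
    """Return {owner_fqdn: [targets]} for every PTR line in a reverse zone file."""
    origin, last_owner = "", ""
    ptrs: Dict[str, List[str]] = defaultdict(list)
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):                      # $TTL and friends
            continue
        fields = line.split()
        if raw[:1].isspace():                         # blank owner field inherits the previous owner
            fields.insert(0, last_owner)
        last_owner = fields[0]
        if "PTR" not in fields:
            continue
        owner = "@" if fields[0] == "@" else fields[0]
        target = fields[fields.index("PTR") + 1]
        fqdn = origin if owner == "@" else (owner if owner.endswith(".") else f"{owner}.{origin}")
        ptrs[fqdn].append(target)
    return dict(ptrs)

def find_overlapping_ptrs(zone_text: str) -> Dict[str, List[str]]:
    """Owners with more than one PTR: legal in BIND, but usually a copy-paste slip."""
    return {o: t for o, t in parse_ptr_records(zone_text).items() if len(t) > 1}

def arpa_to_ip(owner_fqdn: str) -> str:
    """Turn 10.2.0.192.in-addr.arpa. back into 192.0.2.10 for readable reports."""
    labels = owner_fqdn.rstrip(".").split(".")
    return ".".join(reversed(labels[:-2]))

if __name__ == "__main__":
    for owner, targets in find_overlapping_ptrs(SAMPLE_ZONE).items():
        print(f"{arpa_to_ip(owner)} has {len(targets)} PTRs: {', '.join(targets)}")
```

Running this on the sample reports both 192.0.2.10 (the mistake) and 192.0.2.12 (deliberate), so the output is a review list, not a verdict; it is the zone owner, i.e. the ISP, who runs it, since only they can edit the in-addr.arpa zone.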
Papertrip Commented:
A great reason to convert your zones to dynamic and train your staff to use nsupdate ;)
0
Papertrip Commented:
Alright well now I'm even more curious as to what the PTR results will show!
0
xterm Commented:
>  A great reason to convert your zones to dynamic and train your staff to use nsupdate ;)

Touche.

But I'll accept your crow in return when carolchi posts the IP address with the bad PTR :)
0
Carol Chisholm (Author) Commented:
I go to domaintools.com
I type in the IP address of my domain.

Domaintools returns various details including:
ReverseIP: that 5 domains are using this address (4 domains are mine, variants on the domain name, one belongs to Jeefang Chen).

My domains are at my ISP, are not co-hosted, and have been at the same IP address for years.

The spurious domain belonging to jeefang chan is at another ISP, and seems to have no purpose other than to refer traffic to my domain.
0
Papertrip Commented:
I go to domaintools.com
Please use the tool I linked at http:#37060970 and paste the output.  Sanitize it as you see fit, but don't mangle the output too much.
0
xterm Commented:
Which exact tool are you entering your IP in on domaintools.com?

Can you give us the URL?

Does "nslookup <spurious.domain>" resolve to your IP?

Or does "nslookup <your ip>" resolve to spurious.domain?

It would be most helpful if you could supply the IP and domain in question.
0
Carol Chisholm (Author) Commented:
If you do the same for IBM.com (129.42.56.216) there are 3 domains (ibm.com, ibm.com.lc and conspark.com).
Interestingly this is a similar case: conspark.com has nothing to do with IBM, has tucows as registrar.
If I type www.conspark.com into my browser I arrive at IBM's website!

Just trying to understand WHY? It can't be a mistake.
0
Papertrip Commented:
Touche.

But I'll accept your crow in return when carolchi posts the IP address with the bad PTR :)

We can both be on the same team xterm :p  Many questions can be answered by both/either of us, there are plenty of points to go around.  Aside from that, we can always learn new things from each other.
0
Papertrip Commented:
It would be most helpful if you could supply the IP and domain in question.
Yar.
0
xterm Commented:
@Papertrip:
I know, just having fun with it!  We are on the same team.

@carolchi:
Okay, that makes sense.  My guess is that if the china domain still points to that IP, it is old (maybe they had that IP years ago) or its just a typo, but I don't think there's anything malicious, and unless there is a ton of traffic coming to your host as a result, it doesn't hurt you in any way, nor expose you to any risk.
0
Papertrip Commented:
Please, for xterm's and my sanity, paste at least one of the following:

Output from kloth.net PTR lookup
Actual IP you are concerned with
Tool you used that found the China domain (will still need the IP to verify from our end)

I promise this question can be closed in single reply to any of those questions.
0
Papertrip Commented:
I promise this question can be closed in single reply to any of those questions.
s/closed/answered/
0
Carol Chisholm (Author) Commented:
Here you go: a real IP to get your teeth into:

My domain is not IBM.com but IBM.com has an identical record

Go to domaintools.com
type 129.42.56.216 into the box beside the big yellow search for domain button

Domaintools returns various details including:
ReverseIP: that 3 domains are using this address (ibm.com, ibm.com.lc and conspark.com).

Conspark.com has nothing to do with IBM, it belongs to someone in Poland, just by the Russian border, has tucows as registrar.
If I type www.conspark.com into my browser I arrive at IBM's website!

Just trying to understand WHY? It can't be a mistake.
0
Carol Chisholm (Author) Commented:
To get to conspark.com I just click on the link in domain tools and read the whois.
0
Papertrip Commented:
Here you go: a real IP to get your teeth into:
type 129.42.56.216 into the box beside the big yellow search for domain button
That is an IBM IP.

Need your IP.
0
xterm Commented:
Could be any number of reasons, maybe just some old domain that they used to use.

For example, my domain is mygrande.com, pull that up in a browser.

Then go to texastripleplay.net

That's just some old domain we used like a billion years ago for some promotion - happens all the time.  domaintools.com keeps the history forever.  It's not really a big deal.

You can set your webserver to throw a custom 404 if you want to send a message to any visitors hitting spurious.domain :)
0
Papertrip Commented:
Can we all just agree on one thing here -- if the PTR record for your IP resolves to your domain, then there is nothing to be concerned with.
0
xterm Commented:
BTW, you are on experts-exchange.com and only people who have a valid account here can actually read these posts, so your IP/host data (which isn't really sensitive to begin with) can be shared freely without fear of prying eyes.

And really, it makes it a lot tougher for us experts to help you conceptually rather than substantively.
0
Carol Chisholm (Author) Commented:
I know that, it's more that the whole subject of what sort of monitoring of domains is an internal hot potato at the moment. Answer the question for IBM and I'll be happy.
0
Papertrip Commented:
BTW, you are on experts-exchange.com and only people who have a valid account here can actually read these posts, so your IP/host data (which isn't really sensitive to begin with) can be shared freely without fear of prying eyes.

Can we make that a comment when creating new questions please.

A very visible one.
0
Papertrip Commented:
I know that, it's more that the whole subject of what sort of monitoring of domains is an internal hot potato at the moment. Answer the question for IBM and I'll be happy.
If your PTR record points to your domain, this issue is resolved.
0
Carol Chisholm (Author) Commented:
MX records for mistyped domain names I can understand.
But WHY someone in Poland wants to buy a domain called conspark.com and then direct all the traffic to IBM.com I am less clear about.

0
xterm Commented:
I did answer the question about IBM above - conspark.com  is probably just some domain they used for some pet project some time ago.  Unfortunately, they disabled crawling using robots.txt, so we can't look at it in the wayback machine at web.archive.org.  But you can probably pick just about any popular site IP and see other sites associated with it.
0
xterm Commented:
I understand it seems weird to you to see that extra record, but as to these:

- boosting the ranking of the other domain?
- some kind of impersonation that depends on reverse DNS
- spamming by spoofing my e-mail addresses?
- stealing passwords that are used to access my domain?

None of them are possible at all, so the main thing is that your security is not compromised on any level whether this is intentional, or whether it's accidental (which I'm about 100% sure of)
0
Carol Chisholm (Author) Commented:
not really got an answer
0
xterm Commented:
wow.  The answer you accepted looks remarkably like the one I posted a day earlier though:

"As to the questions about what jeefang chen can gain from that records, the answer is a strong NO to all 4 questions - they get nothing from this.  It's just record keeping."

At worst, that should've been an equal split.  Not only that, neither of us had given up on helping you.  At any rate, good luck and hope you find out what you're looking for.
0
Papertrip Commented:
:-/
0
Papertrip Commented:
If you object xterm I got ya...
0
Carol Chisholm (Author) Commented:
I'm overwhelmed with the volume of unstructured questions and chat.
I remain unconvinced that it's a mistake.
I will pursue the problem elsewhere.
0
xterm Commented:
@carolchi:
You had two industry professionals brainstorming to help come up with answer to something that you wouldn't disclose full details on, and neither quit.  But that is your prerogative, and I wish you the best finding what you are looking for.  It would however be nice that if (when) you corroborate what we've told you in terms of what I perceive to be your core issue, that your system is at no security risk, that you drop back by and update the thread to say that you concur.  That would make our efforts worthwhile.

@Papertrip:
No objection - I enjoyed working with you trying to come up with a solution, I'm sure we'll tag-team plenty of others.
0
Papertrip Commented:
We asked several times for specific information that you never provided.  We gave accurate and complete answers (several times) given the information provided.  Instead of focusing on the initial question and accepting our explanations, you decided to focus on why some random domain resolved to an IBM at some point in the history of the internet.

In the end it's up to you to accept or not the advice given on experts-exchange, even when it is staring you in the face.
0
Papertrip Commented:
Yeah, xterm said it better.
0
Carol Chisholm (Author) Commented:
I would suggest that you brainstorm a bit more quietly.
No need to get annoyed but the volume of chat was unbearable and not at all easy to follow.
And as for ploughing through all your chat and witty comments trying to identify a best answer - I have other things to do.

I'm sure you are both very professional and know a lot more than I do.
If I don't wish to disclose information, that's my problem. I understand it is not security sensitive.
0
Papertrip Commented:
I will work on my telepathic brainstorming, thank you for the advice.

Have a good one!
0
xterm Commented:
@Papertrip:
My email is fourthdown at gmail dot com - hit me offline & maybe in the future if we need to take comments outside of this interface, we can.  It's never been a problem in other threads that I helped folks on this site with (they are usually happy that it's not all technical banter) but different strokes I guess. Drop me a line.
0
Carol Chisholm (Author) Commented:
OK guys now I have to find out about companies who might provide monitoring services for this kind of thing (and MX records for typos and doppelgangers and all sorts of other paranoid stuff). Since you're industry professionals do you work for companies that provide this kind of service. Hundreds of domains...
0