Spoofed DNS server?
Gerald Combs
gerald at ethereal.com
Sun Apr 14 01:05:13 CDT 2002
On Sat, 13 Apr 2002, hanasaki wrote:
> Any thoughts on this? Thanks
According to ARIN, 205.188.157.225 is owned by AOL:
bam:/home/gerald> whois 205.188.157.225@whois.arin.net
[whois.arin.net]
America Online, Inc (NETBLK-AOL-DTC)
22080 Pacific Blvd
Sterling, VA 20166
US
Netname: AOL-DTC
Netblock: 205.188.0.0 - 205.188.255.255
Coordinator:
America Online, Inc. (AOL-NOC-ARIN) domains at AOL.NET
703-265-4670
Domain System inverse mapping provided by:
DNS-01.NS.AOL.COM 152.163.159.232
DNS-02.NS.AOL.COM 205.188.157.232
Record last updated on 27-Apr-1998.
Database last updated on 12-Apr-2002 19:59:01 EDT.
A quick Google search for "named 'Response from unexpected source'"
turns up this message from the bind-users mailing list as the first hit:
http://www.isc.org/ml-archives/bind-users/1999/02/msg00540.html. It says:
"The message means that it's sending queries to one address, but
the reply is coming from a different address. Normally this means
that you sent to a multi-homed server running an old version of BIND,
which doesn't set the source address of a response to the destination
of the corresponding query."
So, either AOL's name server is apparently running an "old version of
BIND," or some other DNS server software that doesn't handle responses
on a multi-homed host in a strictly correct manner.
> ==========
> Apr 13 18:38:54 portal named[230]: Response from unexpected source
> ([205.188.157.225].50) for query "mailin-04.mx.aol.com IN A"
> ===========
> host 205.188.157.225
> Name: dtc-ext1.ns.aol.com
> Address: 205.188.157.225
> ==========
> host mailin-04.mx.aol.com
> mailin-04.mx.aol.com A 64.12.137.121
> mailin-04.mx.aol.com A 64.12.137.152
> mailin-04.mx.aol.com A 152.163.224.122
> mailin-04.mx.aol.com A 64.12.136.153
>
> --
> = hanasaki at hanaden.com =
> = Spam : Just Say NO! =
>
>
>
>
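Added example, not part of the original post or of BIND: a small Python triage script that parses the named message quoted above and checks whether the unexpected source falls inside a netblock already attributed through whois. The KNOWN_BLOCKS table, the function names and the second sample log entry are assumptions made for illustration.

```python
import ipaddress
import re

# Matches the named message quoted in the post; \s+ tolerates wrapped lines.
UNEXPECTED = re.compile(
    r'named\[\d+\]:\s+Response\s+from\s+unexpected\s+source\s+'
    r'\(\[(?P<src>[0-9.]+)\]\.(?P<port>\d+)\)\s+'
    r'for\s+query\s+"(?P<qname>\S+)\s+(?P<qclass>\S+)\s+(?P<qtype>\S+)"'
)

# Assumption: ranges already attributed via whois. This one is the ARIN
# netblock shown in the post.
KNOWN_BLOCKS = {"AOL-DTC": ("205.188.0.0", "205.188.255.255")}

# Sample input: first entry is the log line from the post, second is
# constructed (192.0.2.0/24 is a documentation range).
SAMPLE_LOG = '''Apr 13 18:38:54 portal named[230]: Response from unexpected source
([205.188.157.225].50) for query "mailin-04.mx.aol.com IN A"
Apr 13 18:40:02 portal named[230]: Response from unexpected source
([192.0.2.53].53) for query "mailin-04.mx.aol.com IN A"
'''

def owner_of(addr, blocks=KNOWN_BLOCKS):
    """Return the name of the recorded netblock containing addr, or None."""
    ip = ipaddress.ip_address(addr)
    for name, (first, last) in blocks.items():
        if ipaddress.ip_address(first) <= ip <= ipaddress.ip_address(last):
            return name
    return None

def triage(log_text, expected_owner, blocks=KNOWN_BLOCKS):
    """Classify each unexpected-source message by who owns the source address."""
    findings = []
    for m in UNEXPECTED.finditer(log_text):
        owner = owner_of(m["src"], blocks)
        # Same netblock as the servers being queried fits the multi-homed
        # explanation; anything else deserves a closer look. A source address
        # alone is not proof of origin, since UDP sources can be forged.
        same = owner is not None and owner == expected_owner
        findings.append({"src": m["src"], "port": int(m["port"]),
                         "query": f'{m["qname"]} {m["qclass"]} {m["qtype"]}',
                         "owner": owner,
                         "verdict": "same-operator" if same else "investigate"})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, "AOL-DTC"):
        print(finding)
```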