Educause Security Discussion mailing list archives

Re: DNS weird stuff


From: Peter Moody <peter () UCSC EDU>
Date: Tue, 23 Nov 2004 13:13:03 -0800

On Tue, 2004-11-23 at 15:05 -0600, Anthony Schroeder wrote:
> anyone seeing loopback addresses being reported by DNS:
>
> Non-authoritative answer:
> Name:    goodgirlz.com
> Address:  127.0.0.1

Oftentimes, when a domain is associated with IRC Command and Control
(C&C) traffic, the DNS administrators will re-address the A records in
order to prevent clients from communicating with the C&C server.
Sometimes they throw them in RFC1918 space and sometimes they throw them
in 127/8.  It really depends on what the policy of the particular name
service company is.

Having said that, I don't see any of those domains in any list of known
C&C servers.

If you really want to get to the bottom of this, I would attempt to
contact the name service providers and ask them.

   Domain servers in listed order:

   NS.NEWDREAM.NET              66.33.206.6
   NS2.NEWDREAM.NET             209.17.93.94

Regards,
-Peter
-- 
Peter Moody                             <peter () ucsc edu>
Information Security Administrator          831/459.5409
Communications and Technology Services.   UC, Santa Cruz.
http://security.ucsc.edu/pgp/peter.moody.pub      AS5739
:wq

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.
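
The re-addressing described in the message above can be spotted from the resolver side. The following is an added example, not part of the original post: it scans resolver log lines for names whose A records all point into 127/8 or RFC1918 space and lists the clients that asked for them. The log format (`client qname answer`), the sample lines and the function names are assumptions constructed for illustration; a hit is a candidate for follow-up, not proof that a domain was used for C&C.

```python
import ipaddress
from collections import defaultdict

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in a hypothetical "client qname answer" log format.
SAMPLE_LOG = """\
10.1.4.22 goodgirlz.com 127.0.0.1
10.1.4.22 www.example.test 192.0.2.10
10.1.7.9 irc.example-cc.test 192.168.0.1
10.1.7.9 bad line
10.1.9.3 GoodGirlz.com. 127.0.0.1
10.1.9.3 mixed.example.test 10.0.0.5
10.1.9.3 mixed.example.test 198.51.100.7
"""

def classify(addr):
    """Return 'loopback', 'rfc1918' or 'public' for an IPv4 A-record value."""
    ip = ipaddress.IPv4Address(addr)  # raises ValueError on malformed input
    if ip in LOOPBACK:
        return "loopback"
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    return "public"

def find_readdressed(log_text):
    """Map qname -> (answer classes, clients) for names with no public answer."""
    classes, clients = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # not a "client qname answer" line
        client, qname, answer = fields
        try:
            kind = classify(answer)
        except ValueError:
            continue  # answer is not an IPv4 address
        qname = qname.lower().rstrip(".")  # normalise case and trailing dot
        classes[qname].add(kind)
        clients[qname].add(client)
    # Names that also return a routable address are left out of the report.
    return {name: (sorted(kinds), sorted(clients[name]))
            for name, kinds in classes.items() if "public" not in kinds}

if __name__ == "__main__":
    for name, (kinds, who) in find_readdressed(SAMPLE_LOG).items():
        print(f"{name}: {','.join(kinds)} answers, queried by {', '.join(who)}")
```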

Attachment: signature.asc
Description: This is a digitally signed message part

