Networking Forums

strange DNS lookup

Jacob Kristensen
02-01-2006, 08:34 PM

Could somebody help me explain this:
$ dig @194.239.10.41 www.8ingatlan.hu

; <<>> DiG 9.3.1 <<>> @194.239.10.41 www.8ingatlan.hu
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29943
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.8ingatlan.hu. IN A

;; ANSWER SECTION:
www.8ingatlan.hu. 41085 IN A 192.168.0.1

;; Query time: 172 msec
;; SERVER: 194.239.10.41#53(194.239.10.41)
;; WHEN: Wed Feb 1 22:25:57 2006
;; MSG SIZE rcvd: 50


The 194.239.10.41 is the IP of my ISP's DNS server. I wonder why that name
resolves to 192.168.0.1, shouldn't that be an RFC1918 reserved address by
IANA? A friend of mine with a different ISP gets the same result using the
DNS server of his ISP.

kind regards
Jacob Kristensen

Nicholas DePetrillo
02-01-2006, 08:52 PM
On Wed, 01 Feb 2006 22:34:41 +0100, Jacob Kristensen wrote:

>
> Could somebody help me explain this:
> $ dig @194.239.10.41 www.8ingatlan.hu
>
> ; <<>> DiG 9.3.1 <<>> @194.239.10.41 www.8ingatlan.hu
> ; (1 server found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29943
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;www.8ingatlan.hu. IN A
>
> ;; ANSWER SECTION:
> www.8ingatlan.hu. 41085 IN A 192.168.0.1
>
> ;; Query time: 172 msec
> ;; SERVER: 194.239.10.41#53(194.239.10.41)
> ;; WHEN: Wed Feb 1 22:25:57 2006
> ;; MSG SIZE rcvd: 50
>
>
> The 194.239.10.41 is the IP of my ISP's DNS server. I wonder why that name
> resolves to 192.168.0.1, shouldn't that be an RFC1918 reserved address by
> IANA? A friend of mine with a different ISP gets the same result using the
> DNS server of his ISP.
>
> kind regards
> Jacob Kristensen


You're correct in that 192.168 is an RFC1918 reserved address but it does
not stop anyone from simply just making www.8ingatlan.hu resolve to
anything they want.

For example:

badrfc IN A 192.168.1.45

Throw that in a domain zone file in BIND and you've got it.

Now why they would do this is anyone's guess. Could be malicious tricks?
What exactly is www.8ingatlan.hu?

--
Nick DePetrillo
Network Security Engineer
OSHEAN
PGP Key: http://pgp.mit.edu:11371/pks/lookup?...rch=0x121245B5


Jacob Kristensen
02-01-2006, 09:23 PM
On Wed, 01 Feb 2006 16:52:19 -0500, Nicholas DePetrillo wrote:

> On Wed, 01 Feb 2006 22:34:41 +0100, Jacob Kristensen wrote:
>
>>
>> Could somebody help me explain this:
>>...
>> kind regards
>> Jacob Kristensen

>
> You're correct in that 192.168 is an RFC1918 reserved address but it does
> not stop anyone from simply just making www.8ingatlan.hu resolve to
> anything they want.
>
> For example:
>
> badrfc IN A 192.168.1.45
>
> Throw that in a domain zone file in BIND and you've got it.
>
> Now why they would do this is anyone's guess. Could be malicious tricks?
> What exactly is www.8ingatlan.hu?

The trojan Bagle attempts to contact a number of hosts to download
something, one of them is www.8ingatlan.hu:
http://www.nod32.com/msgs/bagledd.htm
I manage a small network in a dormitory. I noticed the name in ntop,
thought it looked strange, googled it, found out it had something to do
with a trojan, decided to do a dig on it and was a bit surprised. But if
it is nothing dangerous I will just relax; perhaps tell people to update
their antivirus.

Thanks for the input
Jacob Kristensen

Nicholas DePetrillo
02-01-2006, 09:34 PM
On Wed, 01 Feb 2006 23:23:35 +0100, Jacob Kristensen wrote:

> On Wed, 01 Feb 2006 16:52:19 -0500, Nicholas DePetrillo wrote:
>
>> On Wed, 01 Feb 2006 22:34:41 +0100, Jacob Kristensen wrote:
>>
>>>
>>> Could somebody help me explain this:
>>>...
>>> kind regards
>>> Jacob Kristensen

>>
>> You're correct in that 192.168 is an RFC1918 reserved address but it does
>> not stop anyone from simply just making www.8ingatlan.hu resolve to
>> anything they want.
>>
>> For example:
>>
>> badrfc IN A 192.168.1.45
>>
>> Throw that in a domain zone file in BIND and you've got it.
>>
>> Now why they would do this is anyone's guess. Could be malicious tricks?
>> What exactly is www.8ingatlan.hu?

> The trojan Bagle attempts to contact a number of hosts to download
> something, one of them is www.8ingatlan.hu:
> http://www.nod32.com/msgs/bagledd.htm
> I manage a small network in a dormitory. I noticed the name in ntop,
> thought it looked strange, googled it, found out it had something to do
> with a trojan, decided to do a dig on it and was a bit surprised. But if
> it is nothing dangerous I will just relax; perhaps tell people to update
> their antivirus.
>
> Thanks for the input
> Jacob Kristensen


I see now, I should have checked Google myself for that information. It
says:

"Bagle.DD creates its own timed threads for interval downloading.
It will try to download files from the following internet locations every
4 hours."

So they probably changed that domain name to resolve to an
invalid IP so as to stop the spread of whatever Bagle was downloading. That
sounds like a plausible answer. They chose an RFC1918 address so it would
never have to go outside a network and waste resources. It would usually,
depending on the network, stay internal, like behind a cable modem
subscriber's Linksys router.

--
Nick DePetrillo
Network Security Engineer
OSHEAN
PGP Key: http://pgp.mit.edu:11371/pks/lookup?...rch=0x121245B5


Moe Trin
02-02-2006, 11:19 PM
On Wed, 01 Feb 2006, in the Usenet newsgroup comp.os.linux.networking, in
article <(E-Mail Removed) x>,
Jacob Kristensen wrote:

>Could somebody help me explain this:
>$ dig @194.239.10.41 www.8ingatlan.hu


>www.8ingatlan.hu. 41085 IN A 192.168.0.1


Apparently, the person who owns that domain is tired of worms banging
on the site, and set the name server to return that answer. Do a whois
lookup of the domain at RIPE, and it refers you to

domain_pri_ns: ns4.rooter.hu[195.228.155.39]

and that name server is providing the RFC1918 answer with a TTL of 12 hours.

;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUERY SECTION:
;; www.8ingatlan.hu, type = A, class = IN

;; ANSWER SECTION:
www.8ingatlan.hu. 12H IN A 192.168.0.1

;; AUTHORITY SECTION:
8ingatlan.hu. 12H IN NS ns4.rooter.hu.
8ingatlan.hu. 12H IN NS ns1.rooter.hu.

;; ADDITIONAL SECTION:
ns1.rooter.hu. 1H IN A 195.228.254.116
ns4.rooter.hu. 1H IN A 195.228.155.39

>A friend of mine with a different ISP gets the same result using the
>DNS server of his ISP.


because the authoritative server for the domain is providing that as
the answer.

Old guy
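A small checker for the pattern discussed in this thread, added here as an example and not code from any of the posters: it parses dig-style answer lines (both the plain-seconds and the "12H" TTL forms shown above) and flags names that resolve to RFC 1918 or other non-routable addresses, which is what a sinkholed malware domain looks like from a dormitory resolver.

```python
# Added example, not from the thread: parse dig-style answer lines and flag names that
# resolve into RFC 1918 or other non-routable space, as with the sinkholed domain above.
import ipaddress
import re
# Older dig/BIND print TTLs with unit suffixes ("12H"); newer ones use plain seconds.
_TTL_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_RR_RE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+[smhdwSMHDW]?)\s+IN\s+"
                    r"(?P<type>[A-Z]+)\s+(?P<rdata>\S+)$")

def parse_ttl(text: str) -> int:
    """Convert a dig TTL field such as '41085' or '12H' into seconds."""
    unit = text[-1].lower()
    if unit in _TTL_UNITS:
        return int(text[:-1]) * _TTL_UNITS[unit]
    return int(text)

def parse_answer_lines(text: str) -> list:
    """Parse resource-record lines from dig output, skipping ';' comment lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = _RR_RE.match(line)
        if m:
            records.append({"name": m["name"].rstrip("."), "ttl": parse_ttl(m["ttl"]),
                            "type": m["type"], "rdata": m["rdata"]})
    return records

def sinkholed_answers(text: str) -> list:
    """Return A/AAAA records whose address is private, loopback or reserved."""
    flagged = []
    for rr in parse_answer_lines(text):
        if rr["type"] not in ("A", "AAAA"):
            continue
        try:
            addr = ipaddress.ip_address(rr["rdata"])
        except ValueError:
            continue  # malformed rdata, not an address literal
        if addr.is_private or addr.is_loopback or addr.is_reserved:
            flagged.append(rr)
    return flagged

# Constructed sample built from the answer and additional-section lines quoted above.
SAMPLE = """\
;; ANSWER SECTION:
www.8ingatlan.hu. 12H IN A 192.168.0.1
8ingatlan.hu. 12H IN NS ns4.rooter.hu.
ns4.rooter.hu. 1H IN A 195.228.155.39
"""
```

Run `sinkholed_answers(SAMPLE)` to get only the www.8ingatlan.hu record (TTL 43200 seconds); the name server's public address is left alone, and NS records are skipped.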