Thanks & understood, and that is what I had thought. I am trying to help the BLS folks resolve the situation, as HTTP requests from the Internet to that IP, which is registered with BLS, are going to a site which does not belong to us.
Sandeep

From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Alberto ----
Sent: Saturday, September 17, 2016 12:43 PM
Cc: bind-users@lists.isc.org <bind-us...@isc.org>
Subject: Re: Organization IP address is getting redirected to a website which does not belong to the organization.

A security scan is only a probe and does not change a web server's content or configuration in any way.

Performing an http://x1.x2.x3.x4 request, where x... are the 4 IP octets, does not involve DNS in any way. IP is loaded inside the IEEE MAC "train" but works with dotted IPv4/v6 addresses and not with DNS names. When you ask for a NAME (not an IP), it is resolved by whatever DNS is configured inside your TCP/IP configuration, but if you ask for a direct IP, DNS is skipped entirely and it is a DIRECT CALL.

________________________________
From: bind-users <bind-users-boun...@lists.isc.org> on behalf of Bhangui, Sandeep - BLS CTR <bhangui.sand...@bls.gov>
Sent: Saturday, September 17, 2016 6:33 PM
To: John Miller
Cc: bind-users@lists.isc.org
Subject: RE: Organization IP address is getting redirected to a website which does not belong to the organization.

Thanks John

The Security Dept from BLS reported this to our team, which manages the DNS and infrastructure. I think some scans run by them on the network may have caught this; not sure though.

And yes, we do not have any record for that IP in our DNS for the bls.gov zone.

Sandeep

-----Original Message-----
From: John Miller [mailto:johnm...@brandeis.edu]
Sent: Saturday, September 17, 2016 12:14 PM
To: Bhangui, Sandeep - BLS CTR <bhangui.sand...@bls.gov>
Cc: bind-users@lists.isc.org <bind-us...@isc.org>
Subject: Re: Organization IP address is getting redirected to a website which does not belong to the organization.
Hi Sandeep,

The redirect part isn't a DNS issue: I telnetted to port 80 on the IP address and got:

john@millspad:~$ telnet 146.142.7.113 80
Trying 146.142.7.113...
Connected to 146.142.7.113.
Escape character is '^]'.
GET / HTTP/1.1
Host: 146.142.7.113

HTTP/1.1 302 Found
Date: Sat, 17 Sep 2016 16:30:46 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.4.9-4ubuntu2.3
location: http://www.watcheezy.com/
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html

Connection closed by foreign host.

But something is definitely listening on that IP address. Could be a rogue device or some sort of routing issue. Here's a traceroute from the Brandeis network:

traceroute to 146.142.7.113 (146.142.7.113), 30 hops max, 60 byte packets
 1  129.64.99.1 (129.64.99.1)  1.112 ms  1.127 ms  0.981 ms
 2  * * *
 3  * * *
 4  * * *
 5  te0-7-0-23.ccr21.bos01.atlas.cogentco.com (38.97.106.1)  2.471 ms  2.427 ms  2.375 ms
 6  be2094.ccr41.jfk02.atlas.cogentco.com (154.54.30.13)  8.046 ms  7.721 ms  7.546 ms
 7  be2806.ccr41.dca01.atlas.cogentco.com (154.54.40.106)  13.692 ms  13.661 ms  13.665 ms
 8  be2171.ccr41.iad02.atlas.cogentco.com (154.54.31.106)  14.765 ms  14.832 ms  14.701 ms
 9  verizon.iad02.atlas.cogentco.com (154.54.10.198)  13.629 ms 204.148.79.53 (204.148.79.53)  12.886 ms  12.862 ms
10  0.ae3.XT1.DCA5.ALTER.NET (140.222.225.195)  49.347 ms 0.ae4.XT2.DCA5.ALTER.NET (140.222.225.207)  15.000 ms 0.ae3.XT1.DCA5.ALTER.NET (140.222.225.195)  49.297 ms
11  GigabitEthernet7-0-0.GW9.DCA5.ALTER.NET (152.63.40.21)  14.489 ms  14.502 ms  14.311 ms
12  bls-gw.customer.alter.net (152.179.53.66)  15.437 ms  16.771 ms  16.918 ms
13  146.142.7.129 (146.142.7.129)  17.427 ms  17.338 ms  17.421 ms
14  146.142.7.96 (146.142.7.96)  20.523 ms  20.475 ms  20.421 ms
15  146.142.7.97 (146.142.7.97)  21.510 ms  21.471 ms  21.409 ms
16  146.142.7.83 (146.142.7.83)  18.520 ms  18.453 ms  18.359 ms
17  146.142.7.142 (146.142.7.142)  21.138 ms  21.098 ms  19.436 ms
18  146.142.7.93 (146.142.7.93)  43.152 ms  43.061 ms  43.062 ms
19  146.142.7.66 (146.142.7.66)  133.226 ms  133.169 ms  133.147 ms
20  146.142.7.112 (146.142.7.112)  130.701 ms  130.606 ms  130.737 ms
21  * * *
22  146.142.7.68 (146.142.7.68)  135.039 ms  134.986 ms  134.897 ms
23  146.142.7.132 (146.142.7.132)  127.341 ms  127.256 ms  127.221 ms
24  146.142.7.87 (146.142.7.87)  126.358 ms * *
25  146.142.7.113 (146.142.7.113)  154.693 ms  156.353 ms  156.385 ms

That's one convoluted route to stay in the same /24! I'd have a chat with your network admins and see what's up--this doesn't look normal.

Question for you: how'd you uncover the issue? Do any DNS records point to 146.142.7.113? There's no reverse record for it that I can see.

John

On Sat, Sep 17, 2016 at 11:51 AM, Bhangui, Sandeep - BLS CTR <bhangui.sand...@bls.gov> wrote:
> Hi
>
> Not exactly sure whether this is a DNS issue, but hoping someone here on this
> forum can provide some advice/suggestion, as I am trying to figure out what is
> going on.
>
> Our organization BLS owns (registered with the registrar) the network
> address 146.142.xxx.xxx.
>
> But if someone from the Internet (outside of the BLS network) tries to go to
> "http://146.142.7.113", it gets redirected to a site in the UK called
> "us.watcheezy.com".
>
> I have checked the DNS from the BLS side and we do not have any entry of
> any kind for the record 146.142.7.113 in our DNS.
>
> I have also done DNS lookups for watcheezy.com and those seem to be good too
> with respect to IP and the NS and as to what those NS are reporting.
>
> Can anyone throw some light on what is going on here... it does not look
> like a DNS issue to me, but I could be wrong.
>
> Thanks
> Sandeep

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
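The two technical points in this thread, Alberto's (a request to http://x1.x2.x3.x4 never consults DNS, so no zone file can explain the redirect) and John's (a raw HTTP request to the address answered with a 302 to an outside host, and a traceroute that wandered through a dozen hops of the destination /24), turned into checks a defender can run over captured output. This is an added Python example; it is not part of the thread and not code from BLS, Brandeis or ISC. The sample HTTP response and traceroute are the ones John posted above, with CRLF line endings restored on the HTTP headers; the org zone list passed to `redirect_leaves_org` is an assumed input, using `bls.gov` because that is the zone named in the thread.

```python
import ipaddress
import re
from urllib.parse import urlsplit

def needs_dns(url):
    """Alberto's point: only a URL whose host is a name needs a DNS lookup."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in URL: {url!r}")
    try:
        ipaddress.ip_address(host)  # dotted IPv4 or IPv6 literal: DNS is not involved
        return False
    except ValueError:
        return True

# Response John received on port 80 (copied from the thread), CRLF-terminated.
HTTP_RESPONSE = "\r\n".join([
    "HTTP/1.1 302 Found",
    "Date: Sat, 17 Sep 2016 16:30:46 GMT",
    "Server: Apache/2.2.22 (Ubuntu)",
    "X-Powered-By: PHP/5.4.9-4ubuntu2.3",
    "location: http://www.watcheezy.com/",
    "Vary: Accept-Encoding",
    "Content-Length: 0",
    "Connection: close",
    "Content-Type: text/html",
    "", "",  # blank line ends the header block
])

def parse_http_response(raw):
    """Return (status_code, headers); header names are lower-cased."""
    status_line, *header_lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def redirect_target(raw):
    """Location of a 3xx redirect, or None when the response is not a redirect."""
    status, headers = parse_http_response(raw)
    return headers.get("location") if status in (301, 302, 303, 307, 308) else None

def redirect_leaves_org(raw, org_zones):
    """True when the redirect points at a host outside every zone in org_zones."""
    target = redirect_target(raw)
    if target is None:
        return False
    host = (urlsplit(target).hostname or "").rstrip(".").lower()
    return not any(host == z or host.endswith("." + z) for z in org_zones)

# Traceroute John posted (copied from the thread).
TRACEROUTE = """\
traceroute to 146.142.7.113 (146.142.7.113), 30 hops max, 60 byte packets
 1  129.64.99.1 (129.64.99.1)  1.112 ms  1.127 ms  0.981 ms
 2  * * *
 3  * * *
 4  * * *
 5  te0-7-0-23.ccr21.bos01.atlas.cogentco.com (38.97.106.1)  2.471 ms  2.427 ms  2.375 ms
 6  be2094.ccr41.jfk02.atlas.cogentco.com (154.54.30.13)  8.046 ms  7.721 ms  7.546 ms
 7  be2806.ccr41.dca01.atlas.cogentco.com (154.54.40.106)  13.692 ms  13.661 ms  13.665 ms
 8  be2171.ccr41.iad02.atlas.cogentco.com (154.54.31.106)  14.765 ms  14.832 ms  14.701 ms
 9  verizon.iad02.atlas.cogentco.com (154.54.10.198)  13.629 ms 204.148.79.53 (204.148.79.53)  12.886 ms  12.862 ms
10  0.ae3.XT1.DCA5.ALTER.NET (140.222.225.195)  49.347 ms 0.ae4.XT2.DCA5.ALTER.NET (140.222.225.207)  15.000 ms 0.ae3.XT1.DCA5.ALTER.NET (140.222.225.195)  49.297 ms
11  GigabitEthernet7-0-0.GW9.DCA5.ALTER.NET (152.63.40.21)  14.489 ms  14.502 ms  14.311 ms
12  bls-gw.customer.alter.net (152.179.53.66)  15.437 ms  16.771 ms  16.918 ms
13  146.142.7.129 (146.142.7.129)  17.427 ms  17.338 ms  17.421 ms
14  146.142.7.96 (146.142.7.96)  20.523 ms  20.475 ms  20.421 ms
15  146.142.7.97 (146.142.7.97)  21.510 ms  21.471 ms  21.409 ms
16  146.142.7.83 (146.142.7.83)  18.520 ms  18.453 ms  18.359 ms
17  146.142.7.142 (146.142.7.142)  21.138 ms  21.098 ms  19.436 ms
18  146.142.7.93 (146.142.7.93)  43.152 ms  43.061 ms  43.062 ms
19  146.142.7.66 (146.142.7.66)  133.226 ms  133.169 ms  133.147 ms
20  146.142.7.112 (146.142.7.112)  130.701 ms  130.606 ms  130.737 ms
21  * * *
22  146.142.7.68 (146.142.7.68)  135.039 ms  134.986 ms  134.897 ms
23  146.142.7.132 (146.142.7.132)  127.341 ms  127.256 ms  127.221 ms
24  146.142.7.87 (146.142.7.87)  126.358 ms * *
25  146.142.7.113 (146.142.7.113)  154.693 ms  156.353 ms  156.385 ms
"""
DEST_RE = re.compile(r"^traceroute to \S+ \((\d+\.\d+\.\d+\.\d+)\)")
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
IP_RE = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\)")

def parse_traceroute(text):
    """Return (destination_ip, [(hop_number, [responding IPs]), ...]); '* * *' hops give []."""
    header, *lines = text.strip().splitlines()
    m = DEST_RE.match(header)
    if not m:
        raise ValueError("missing 'traceroute to ...' header line")
    hops = [(int(h.group(1)), IP_RE.findall(h.group(2)))
            for h in map(HOP_RE.match, lines) if h]
    return m.group(1), hops

def hops_inside_destination_prefix(text, prefix_len=24):
    """(count, hop numbers) of hops that already sit inside the destination's /prefix_len."""
    dest, hops = parse_traceroute(text)
    net = ipaddress.ip_network(f"{dest}/{prefix_len}", strict=False)
    inside = [n for n, ips in hops if any(ipaddress.ip_address(ip) in net for ip in ips)]
    return len(inside), inside
```

Run it against your own captures: the header block from `curl -sI http://<ip>` for `redirect_leaves_org`, and a saved traceroute for `hops_inside_destination_prefix`. On John's data the redirect lands outside `bls.gov` and 12 of the 25 hops are already inside 146.142.7.0/24, which is the combination (an address you own answering with a redirect off-site, no DNS record for it, and a path that loops inside your own prefix) worth taking to the network team, as John suggests.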