Ah, the good old bad old days. :-)

On Tue, 20 Nov 2012, Feng He wrote:
> > ;; ANSWER SECTION:
> > geocast.net. 735 IN MX 10 ALT2.ASPMX.L.GOOGLE.COM.
> > geocast.net. 735 IN MX 20 ASPMX2.GOOGLEMAIL.COM.
> > geocast.net. 735 IN MX 5 ASPMX.L.GOOGLE.COM.
> > geocast.net. 735 IN MX 10 ALT1.ASPMX.L.GOOGLE.COM.
> >
> > ;; ADDITIONAL SECTION:
> > ASPMX.L.GOOGLE.COM. 2626 IN A 1.2.3.4
> > ALT1.ASPMX.L.GOOGLE.COM. 2626 IN A 5.6.7.8
> > ALT2.ASPMX.L.GOOGLE.COM. 2626 IN A 1.2.3.4
> > ASPMX2.GOOGLEMAIL.COM. 2626 IN A 5.6.7.8
> >
> > As shown above Google's addresses can be faked.
>
> How will a local DNS server prevent this hijack of DNS records?

I believe that appropriately paranoid (you're not paranoid if they really
are out to get you) nameserver implementations these days won't use what's
in the additional section here because it's out of bailiwick. Are you using
some specific resolver which does?

--
Fred Morris

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
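
The bailiwick check mentioned in the reply above, as an added example (not part of the original message and not any resolver's actual code). It assumes the response came from a server queried as an authority for geocast.net, so that zone is the bailiwick; the last two sample records and all function names are constructed for illustration.

```python
# Added illustration: drop additional-section records that are out of bailiwick.
# Assumption: the answering server was queried as an authority for "geocast.net.".
# The first four records are copied from the quoted output; the last two are
# constructed (documentation addresses) to show an accepted name and a look-alike.
RESPONSE_ADDITIONAL = """\
ASPMX.L.GOOGLE.COM. 2626 IN A 1.2.3.4
ALT1.ASPMX.L.GOOGLE.COM. 2626 IN A 5.6.7.8
ALT2.ASPMX.L.GOOGLE.COM. 2626 IN A 1.2.3.4
ASPMX2.GOOGLEMAIL.COM. 2626 IN A 5.6.7.8
mail.geocast.net. 735 IN A 192.0.2.25
evilgeocast.net. 735 IN A 192.0.2.66
"""

def labels(name):
    """Split a domain name into lower-cased labels, ignoring the root dot."""
    return [label for label in name.lower().rstrip(".").split(".") if label]

def in_bailiwick(owner, zone):
    """True if owner is the zone itself or a name below it.

    Comparison is label by label, so "evilgeocast.net" does not match
    "geocast.net" the way a plain string-suffix test would.
    """
    o, z = labels(owner), labels(zone)
    return len(o) >= len(z) and o[len(o) - len(z):] == z

def parse_records(text):
    """Parse 'owner ttl class type rdata' lines, skipping dig comment lines."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 5 and not line.startswith(";"):
            owner, ttl, rrclass, rrtype, rdata = fields
            records.append((owner, int(ttl), rrclass, rrtype, rdata))
    return records

def filter_additional(zone, records):
    """Return (kept, dropped): only in-bailiwick records may be cached."""
    kept, dropped = [], []
    for rec in records:
        (kept if in_bailiwick(rec[0], zone) else dropped).append(rec)
    return kept, dropped

if __name__ == "__main__":
    kept, dropped = filter_additional("geocast.net.", parse_records(RESPONSE_ADDITIONAL))
    for rec in kept:
        print("cache  ", *rec)
    for rec in dropped:
        print("discard", *rec)
```
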