--- Begin Message ---
On 2024-07-25 01:05, Dave Lawrence wrote:
> To the question in the subject, we really can't tell whether it was
> "DNS pollution" or not. Maybe?
> It's not what either the daum.net servers or the resolver that you
> used (208.67.222.222, Cisco's Umbrella as you mentioned) are currently
> responding with.

Thanks for your answer. So who is responding to me?

> Currently they are responding with a CNAME for smtp. I didn't look
> into imap.daum.net but the basic tools and inability to discern intent
> are the same.
> smtp.daum.net. 300 IN CNAME dmail-skadi-relay-zn9pju8w.kgns1.com.
> The address record that target returns is:
> dmail-skadi-relay-zn9pju8w.kgns1.com. 10 IN A 211.249.250.28
> That address is currently showing in whois as held by Dreamline Co in
> Korea, and the domain kgns1.com is held by Kakao Corp, the same as
> daum.net, with both showing they apparently get services from
> "Megazone Corp., dba HOSTING.KR" in Korea, likely affiliated with
> Dreamline somehow.
> The one in your original message, 157.240.8.41, was an IP allocated to
> Facebook. Its reverse agrees with that:
> 41.8.240.157.in-addr.arpa. 3600 IN PTR cmon-checkout-edge-shv-01-syd2.facebook.com.
> That's definitely a bit odd to me, but not immediately damning as
> being nefarious. Was this all normal operations for daum? Was it
> cache poisoning? Was it an operational error? We can't say. You'd
> really have to talk to Kakao about it.

Here is the dig from my home PC (for this time; every time it seems to be
changing).
$ dig +nocmd smtp.daum.net +noall +answer
smtp.daum.net. 177 IN A 31.13.70.9
$ dig +nocmd imap.daum.net +noall +answer
imap.daum.net. 65 IN A 199.96.59.95
And here is the dig from a remote VPS, which returned the right results.
mx:~$ dig +nocmd smtp.daum.net +noall +answer
smtp.daum.net. 300 IN CNAME dmail-skadi-relay-zn9pju8w.kgns1.com.
dmail-skadi-relay-zn9pju8w.kgns1.com. 9 IN A 211.249.250.28
mx:~$ dig +nocmd imap.daum.net +noall +answer
imap.daum.net. 396 IN A 203.217.227.162
imap.daum.net. 396 IN A 113.29.187.15
imap.daum.net. 396 IN A 113.29.187.16
imap.daum.net. 396 IN A 203.217.227.161
So, I doubt my home DNS was hijacked.
--
regards,
Jeff Pang
--- End Message ---
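The comparison the thread does by hand (two `dig +noall +answer` runs from different vantage points, follow the CNAME chain, see whether the terminal addresses agree) can be scripted. The following is an added example, not code from either poster or from DNS-OARC; it parses dig answer sections from two resolvers, resolves each queried name through any CNAME chain present in that answer set, and reports which names resolve to different address sets. The sample input is the dig output quoted in the thread above, embedded as constructed strings so the script runs offline; in practice you would feed it the output of `dig +nocmd NAME +noall +answer @RESOLVER` from each vantage point.

```python
"""Compare dig answers from two vantage points and flag divergent names.

Added example (not from the dns-operations thread). Input is the text
printed by `dig +nocmd NAME +noall +answer`, one vantage point per string.
"""
import re
from collections import defaultdict

# Constructed sample input: the two dig runs quoted in the thread.
# View A: home PC via 208.67.222.222.  View B: remote VPS.
HOME_ANSWERS = """\
smtp.daum.net. 177 IN A 31.13.70.9
imap.daum.net. 65 IN A 199.96.59.95
"""

VPS_ANSWERS = """\
smtp.daum.net. 300 IN CNAME dmail-skadi-relay-zn9pju8w.kgns1.com.
dmail-skadi-relay-zn9pju8w.kgns1.com. 9 IN A 211.249.250.28
imap.daum.net. 396 IN A 203.217.227.162
imap.daum.net. 396 IN A 113.29.187.15
imap.daum.net. 396 IN A 113.29.187.16
imap.daum.net. 396 IN A 203.217.227.161
"""

# owner  ttl  IN  type  rdata   (only the record types this check needs)
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|AAAA|CNAME)\s+(\S+)$")


def parse_answers(text):
    """Parse dig answer lines into {owner: [(ttl, rtype, rdata), ...]}."""
    records = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised answer line: {line!r}")
        owner, ttl, rtype, rdata = m.groups()
        records[owner.lower()].append((int(ttl), rtype, rdata.lower()))
    return records


def terminal_addresses(records, name, max_depth=8):
    """Follow CNAMEs within one answer set; return (address set, owner chain)."""
    current = name.lower()
    chain = [current]
    for _ in range(max_depth):
        rrs = records.get(current, [])
        addrs = {rdata for _, rtype, rdata in rrs if rtype in ("A", "AAAA")}
        if addrs:
            return addrs, chain
        cnames = [rdata for _, rtype, rdata in rrs if rtype == "CNAME"]
        if not cnames:
            return set(), chain  # no data or dangling CNAME in this view
        current = cnames[0]
        chain.append(current)
    raise ValueError(f"CNAME chain for {name} exceeds {max_depth} hops")


def compare_views(name, view_a, view_b):
    """Compare how one name resolves in two answer sets."""
    addrs_a, chain_a = terminal_addresses(view_a, name)
    addrs_b, chain_b = terminal_addresses(view_b, name)
    return {
        "name": name.lower(),
        "diverged": addrs_a != addrs_b,
        "only_a": addrs_a - addrs_b,
        "only_b": addrs_b - addrs_a,
        "chain_a": chain_a,
        "chain_b": chain_b,
        # True when the views end at different owner names (e.g. one view
        # answers with a direct A record, the other via a CNAME target).
        "target_mismatch": chain_a[-1] != chain_b[-1],
    }


def divergent_names(view_a, view_b):
    """Names queried in both views whose terminal address sets differ."""
    common = sorted(set(view_a) & set(view_b))
    return [n for n in common if compare_views(n, view_a, view_b)["diverged"]]


if __name__ == "__main__":
    home, vps = parse_answers(HOME_ANSWERS), parse_answers(VPS_ANSWERS)
    for n in divergent_names(home, vps):
        r = compare_views(n, home, vps)
        print(f"{n}: diverged (target mismatch={r['target_mismatch']})")
        print(f"  view A {' -> '.join(r['chain_a'])} : {sorted(r['only_a'])}")
        print(f"  view B {' -> '.join(r['chain_b'])} : {sorted(r['only_b'])}")
```

A divergence only says the two resolvers handed back different answers; as the thread notes, that is equally consistent with geo-aware or changing records, an operational error, or a poisoned cache. The useful next checks are the ones Dave did by hand (whois and PTR on the unexpected address, and whether the CNAME target sits in infrastructure belonging to the zone owner) plus a direct query to the zone's authoritative servers to see which view they agree with.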
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations