<div>I used to see something much like this when I hosted secondary DNS for <a href="http://arpa.org.au">arpa.org.au</a>. Had to ask the client to find alternate hosting, as I was seeing a fairly constant 2-3 Mbps of requests against various *.<a href="http://168.192.in-addr.arpa.org.au">168.192.in-addr.arpa.org.au</a> addresses from a large swathe of Melbourne-based IPs.</div><div><br></div><div><br><div class="gmail_quote"><div>On Thu, 1 Jun 2017 at 3:35 pm, Benjamin Ricardo <<a href="mailto:ben.ricardo@acs.net.au">ben.ricardo@acs.net.au</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-AU" link="#0563C1" vlink="#954F72">
<div class="m_8457298359783472490WordSection1">
<p class="MsoNormal">Hi All,</p>
<p class="MsoNormal">Looking for thoughts on something that we uncovered today in the wild (heard about it years ago but never seen it) regarding internal company domains that are using public .com.au domain suffixes and whether there’s something that should
be done here.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">The issue is caused by Microsoft's Primary DNS Suffix Devolution and the potential for legitimate traffic to be redirected to the owner of the domain “com.com.au” if your machine has a domain name of “<a href="http://somehostname.somedomainname.com.au" target="_blank">somehostname.somedomainname.com.au</a>”.</p>
<p class="MsoNormal">It is possible in this situation for a non-qualified query to do the following:</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"><a href="http://ibm.com.somehostname.somedomainname.com.au" target="_blank">ibm.com.somehostname.somedomainname.com.au</a> (NXDOMAIN)</p>
<p class="MsoNormal"><a href="http://ibm.com.somedomainname.com.au" target="_blank">ibm.com.somedomainname.com.au</a> (NXDOMAIN)</p>
<p class="MsoNormal"><a href="http://ibm.com.com.au" target="_blank">ibm.com.com.au</a> (NOERROR)</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">You can see the vulnerability.</p>
<p class="MsoNormal">The problem is now that it appears that the owner of the domain “<a href="http://com.com.au" target="_blank">com.com.au</a>” has started to register A records for big-name domains such as <a href="http://ibm.com" target="_blank">ibm.com</a> in the hope of catching non-fully-qualified queries to these addresses.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">I can only think that this is going to end badly for people.</p>
<p class="MsoNormal">Is this the sort of thing that could be flagged as abuse?</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Appreciate any comments.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Ben</p>
<p class="MsoNormal"> </p>
</div>
</div>
_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" rel="noreferrer" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
</blockquote></div></div><div dir="ltr">-- <br></div><div data-smartmail="gmail_signature"><div dir="ltr">
<p>Damien Gardner Jnr<br>VK2TDG. Dip EE. GradIEAust<br><a href="mailto:rendrag@rendrag.net" target="_blank">rendrag@rendrag.net</a> - <span><a href="http://www.rendrag.net/" target="_blank">http://www.rendrag.net/</a><u><br></u></span>--<br>We rode on the winds of the rising storm,<br> We ran to the sounds of thunder.<br>We danced among the lightning bolts,<br> and tore the world asunder</p></div></div>
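The devolution walk Ben lists (and the reverse-lookup leakage into arpa.org.au that Damien saw) can be modelled so an operator can check which candidate names escape the zone they control; this is an added example, not code from either poster. It assumes the constructed values in the comments: the classic Windows default of devolving down to 2 labels, and that the organisation controls somedomainname.com.au.

```python
"""Model Windows primary DNS suffix devolution for an unqualified lookup
and flag candidates that land outside the zone the organisation controls.

Assumptions (constructed for this example, not from the thread):
  * devolution stops at 2 labels (e.g. "com.au"), the classic Windows
    default; the real value is a per-host/group-policy setting
  * the organisation controls "somedomainname.com.au" but its hosts carry
    the longer primary suffix "somehostname.somedomainname.com.au"
Only the suffix-appended candidates are modelled, not the bare FQDN try.
"""


def devolved_suffixes(primary_suffix: str, devolution_level: int = 2) -> list:
    """Suffixes tried in order, from the full primary suffix down to the
    suffix that has exactly `devolution_level` labels."""
    labels = primary_suffix.strip(".").lower().split(".")
    return [".".join(labels[i:])
            for i in range(len(labels) - devolution_level + 1)]


def candidates(query: str, primary_suffix: str, devolution_level: int = 2) -> list:
    """Candidate FQDNs for an unqualified query, in resolution order."""
    q = query.strip(".").lower()
    return [f"{q}.{s}" for s in devolved_suffixes(primary_suffix, devolution_level)]


def is_within(name: str, zone: str) -> bool:
    """True if `name` is `zone` or a subdomain of it."""
    name, zone = name.strip(".").lower(), zone.strip(".").lower()
    return name == zone or name.endswith("." + zone)


def leaked_candidates(query: str, primary_suffix: str, controlled_zone: str,
                      devolution_level: int = 2) -> list:
    """Candidates that would be answered by whoever owns the parent zone
    (for example the registrant of com.com.au or arpa.org.au)."""
    return [c for c in candidates(query, primary_suffix, devolution_level)
            if not is_within(c, controlled_zone)]


def safe_devolution_level(controlled_zone: str) -> int:
    """Smallest devolution level that keeps every candidate inside the zone:
    never devolve to fewer labels than the controlled zone itself has."""
    return len(controlled_zone.strip(".").split("."))


if __name__ == "__main__":
    suffix, zone = "somehostname.somedomainname.com.au", "somedomainname.com.au"
    for c in candidates("ibm.com", suffix):
        print(c, "LEAKS" if not is_within(c, zone) else "ok")
    print("set devolution level to", safe_devolution_level(zone))
```

Running the module prints the three candidates from Ben's message with only ibm.com.com.au marked as leaking, and recommends a devolution level of 3 for that zone.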