<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-AU" link="#0563C1" vlink="#954F72">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Arial,Helvetica,sans-serif;" dir="ltr">
<p>Hi Ben,</p>
<p><br>
</p>
<p>I think you will find that they have a wildcard resolver, as I have come across this exact issue (using NSLOOKUP on later windows clients) where it automatically appends .com.au to some queries</p>
<p><br>
</p>
<p>This has resulted in erroneous a records being returned in some cases.</p>
<p><br>
</p>
<p>whoever has .com.com.au will resolve any name - try going to a website ie random.com.com.au<br>
</p>
<p><br>
</p>
<p>Cheers<br>
</p>
<div id="Signature">
<div id="divtagdefaultwrapper" style="color: rgb(0, 0, 0); font-family: Calibri,Arial,Helvetica,sans-serif,"EmojiFont","Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols; font-size: 12pt;" dir="ltr">
<p><span style="font-size:9.0pt; font-family:"Verdana",sans-serif; color:#00255D"></span><span style="font-size:9.0pt; font-family:"Verdana",sans-serif; color:#00255D">Glenn Lake<br>
</span><br>
</p>
<p></p>
</div>
</div>
</div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> AusNOG <ausnog-bounces@lists.ausnog.net> on behalf of Benjamin Ricardo <ben.ricardo@acs.net.au><br>
<b>Sent:</b> Thursday, 1 June 2017 3:35:35 PM<br>
<b>To:</b> 'Ausnog'<br>
<b>Subject:</b> [AusNOG] DNS Devolution targeting the .com.au space - should we be worried?</font>
<div> </div>
</div>
<div>
<div class="WordSection1">
<p class="MsoNormal">HI All,<o:p></o:p></p>
<p class="MsoNormal">Looking for thoughts on something that we uncovered today in the wild (heard about it years ago but never seen it) regarding internal company domains that are using public .com.au domain suffixes and whether there’s something that should
be done here.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The issue is caused by Microsofts Primary DNSSuffix Devolution and the potential for legitimate traffic to be redirected to the owner of the domain “com.com.au.” if your machine has a domain name of “somehostname.somedomainname.com.au”<o:p></o:p></p>
<p class="MsoNormal">It is possible in this situation for a non-qualified query to do the following:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">ibm.com.somehostname.somedomainname.com.au (NXDOMAIN)<o:p></o:p></p>
<p class="MsoNormal">ibm.com.somedomainname.com.au (NXDOMAIN)<o:p></o:p></p>
<p class="MsoNormal">ibm.com.com.au (NOERROR)<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">You can see the vulnerability.<o:p></o:p></p>
<p class="MsoNormal">The problem is now that it appears that the owner of the domain “com.com.au” has started to register A records for big name domains such as .ibm.com in the hope of catching non-fully qualified queries to these addresses.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I can only think that this is going to end badly for people.<o:p></o:p></p>
<p class="MsoNormal">Is this the sort of thing that could be flagged as abuse?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Appreciate any comments.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Ben<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<br>
<hr size="1">
Message protected by MailGuard: e-mail anti-virus, anti-spam and content filtering.<br>
<a href="http://www.mailguard.com.au">http://www.mailguard.com.au</a><br>
<br>
<a href="https://console.mailguard.com.au/ras/1QYscBz5PO/10Qg4UEMqMwuSPM3jBMN48/9.1">Report this message as spam</a><!-- MailGuard Message ID: 592fa7d8aa4358 - use this number for reporting --> <br>
<br>
</div>
</body>
</html>