On Tue, Nov 19, 2019 at 16:36, Marshall, Quincy <Quincy.Marshall@reged.com> wrote:
I discovered that the CenturyLink/Level(3) public DNS (4.2.2.2, etc) are spoofing all domains. If the hostname begins with a “w” and does not exist in the authoritative zone these hosts will return two Akamai hosts.
[root@localhost ~]# dig +short w3.dummydomaindoesntexist.gov @4.2.2.2
23.202.231.167
23.217.138.108
It depends on the server you're hitting:
From AS3215 (.fr)
$ dig +short w3.dummydomaindoesntexist.org @4.2.2.2
23.217.138.108
23.202.231.167

$ dig +short caseraitvraimentconquilexiste.org @4.2.2.2
23.217.138.108
23.202.231.167
$ dig +short hostname.bind txt ch @4.2.2.2
"pubntp1.lon1.Level3.net"

From AS16276 (.ca):
$ dig w3.dummydomaindoesntexist.org @4.2.2.2
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 34998
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

$ dig +short hostname.bind txt ch @4.2.2.2
"cns4.nyc1.Level3.net"
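
A way to repeat the check from this thread against any resolver, as an added example that is not part of either message: it classifies the full `dig` header for a name that should not exist and records which anycast node answered. The function names `classify_dig` and `probe_resolver` are hypothetical, and the random `.org` labels are assumed to be unregistered.

```shell
#!/bin/sh
# Added example: flag a resolver that answers for names that should not exist.

# classify_dig: read complete `dig` output (not +short) on stdin and print a
# verdict for a query whose name is known not to exist.
classify_dig() {
    awk '
        /->>HEADER<<-/ {
            for (i = 1; i < NF; i++)
                if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
        }
        /^;; flags:/ {
            for (i = 1; i < NF; i++)
                if ($i == "ANSWER:") answers = $(i + 1) + 0
        }
        END {
            if (status == "NXDOMAIN")                    print "nxdomain"
            else if (status == "NOERROR" && answers > 0) print "rewritten"
            else if (status == "")                       print "no-response"
            else                                         print "inconclusive:" status
        }'
}

# probe_resolver RESOLVER: query two random .org names (assumed unregistered),
# one starting with "w" and one not, then ask which anycast node answered.
probe_resolver() {
    resolver=$1
    rand=$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')
    for name in "w$rand.org" "x$rand.org"; do
        printf '%s via %s: ' "$name" "$resolver"
        dig +tries=1 +time=3 "$name" A "@$resolver" | classify_dig
    done
    printf 'node: '
    dig +short hostname.bind txt ch "@$resolver"
}

# Usage (needs network access and dig): probe_resolver 4.2.2.2
```

A `rewritten` verdict means the resolver returned address records where NXDOMAIN was expected; SERVFAIL, as seen from AS16276 above, is reported as inconclusive rather than as either outcome.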