Wow, news to me, and it's worse than you thought. They're spoofing responses for ALL non-existent domains, not just those starting with a "w":

langsam:~# whois unregistereddomaintest.com | head -1
No match for "UNREGISTEREDDOMAINTEST.COM".

langsam:~# dig +short a unregistereddomaintest.com @4.2.2.2
23.202.231.167
23.217.138.108

langsam:~# dig +short a unregistereddomaintest.mil @4.2.2.2
23.202.231.167
23.217.138.108

I can't get an NXDOMAIN result from 4.2.2.2 at all. Good to know. Time to reconfigure 10,000 firewalls.

Thank you Lawrence.

- Cary Wiedemann

On Tue, Nov 19, 2019 at 10:35 AM Marshall, Quincy <Quincy.Marshall@reged.com> wrote:
This is mostly informational and may have already hit this group. My google-foo failed me if so.
I discovered that the CenturyLink/Level(3) public DNS (4.2.2.2, etc) are spoofing all domains. If the hostname begins with a “w” and does not exist in the authoritative zone these hosts will return two Akamai hosts.
[root@localhost ~]# dig +short w3.dummydomaindoesntexist.gov @4.2.2.2
23.202.231.167
23.217.138.108
[root@localhost ~]# dig +short w3.dummydomaindoesntexist.net @4.2.2.2
23.202.231.167
23.217.138.108
[root@localhost ~]# dig +short w3.dummydomaindoesntexist.com @4.2.2.2
23.202.231.167
23.217.138.108
[root@localhost ~]# dig +short w3.dummydomaindoesntexist.org @4.2.2.2
23.202.231.167
23.217.138.108
My apologies if this is old news.
*Lawrence Q. Marshall*
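The dig checks above can be turned into a repeatable probe for any resolver on a firewall or DNS allow-list. The script below is an added example and is not code from either poster: it sends one A query for a freshly generated random label (so a cached answer cannot mask the result) to a chosen resolver and classifies the reply as an honest NXDOMAIN (RCODE 3, no answer records) or as a synthesised answer of the kind the thread reports for 4.2.2.2. It uses only the Python standard library, so the DNS packet is built and parsed by hand; the default base name unregistereddomaintest.com is the one from the thread and is assumed to still be unregistered, and the resolver address is whatever you pass on the command line.

```python
"""Probe a recursive resolver for NXDOMAIN hijacking (added example, not from the thread).

A resolver that answers a name which cannot exist with A records is
synthesising answers instead of returning RCODE 3 (NXDOMAIN).
"""
import random
import socket
import string
import struct

TYPE_A = 1
CLASS_IN = 1
RCODE_NXDOMAIN = 3


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname into DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int) -> bytes:
    """Build a standard recursive A/IN query with the given transaction id."""
    # flags 0x0100: QR=0 (query), opcode 0, RD=1; one question, no other sections
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)


def skip_name(msg: bytes, offset: int) -> int:
    """Return the offset just past a (possibly compressed) wire-format name."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return offset + 2
        offset += 1 + length


def parse_response(msg: bytes, expected_txid: int) -> dict:
    """Parse a DNS reply into its RCODE and every A record in the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        offset = skip_name(msg, offset) + 4
    addresses = []
    for _ in range(an):
        offset = skip_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4:
            addresses.append(socket.inet_ntoa(rdata))
    return {"rcode": rcode, "addresses": addresses}


def classify(result: dict) -> str:
    """Label a reply for a name that must not exist."""
    if result["rcode"] == RCODE_NXDOMAIN and not result["addresses"]:
        return "honest-nxdomain"
    if result["addresses"]:
        return "hijacked"  # resolver synthesised addresses for a nonexistent name
    return f"other-rcode-{result['rcode']}"  # e.g. SERVFAIL, REFUSED, or NODATA


def random_nonexistent_name(base: str) -> str:
    """A throw-away label that no one has registered or cached."""
    label = "".join(random.choices(string.ascii_lowercase + string.digits, k=20))
    return f"{label}.{base}"


def probe_resolver(resolver: str, base: str = "unregistereddomaintest.com",
                   timeout: float = 3.0) -> str:
    """Send one UDP query to `resolver` and classify its reply. Needs network access."""
    name = random_nonexistent_name(base)
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    return classify(parse_response(data, txid))


if __name__ == "__main__":
    import sys
    # Usage: python probe.py 4.2.2.2 1.1.1.1 ...
    for ip in sys.argv[1:]:
        print(ip, probe_resolver(ip))
```

Run it against every resolver your network is allowed to use and treat anything other than `honest-nxdomain` as a finding; a `hijacked` result means egress filters or captive-portal detection that rely on NXDOMAIN will misbehave behind that resolver. The classifier deliberately separates NXDOMAIN from a NOERROR reply with an empty answer section (NODATA), because the latter is also a legitimate response when the name exists but has no A record.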