Wow, news to me, and it's worse than you thought.  They're spoofing responses for ALL non-existent domains, not just those starting with a "w":

langsam:~# whois unregistereddomaintest.com | head -1
No match for "UNREGISTEREDDOMAINTEST.COM".

langsam:~# dig +short a unregistereddomaintest.com @4.2.2.2
23.202.231.167
23.217.138.108

langsam:~# dig +short a unregistereddomaintest.mil @4.2.2.2
23.202.231.167
23.217.138.108

I can't get an NXDOMAIN result from 4.2.2.2 at all.

Good to know.  Time to reconfigure 10,000 firewalls.

Thank you Lawrence.

- Cary Wiedemann

On Tue, Nov 19, 2019 at 10:35 AM Marshall, Quincy <Quincy.Marshall@reged.com> wrote:

This is mostly informational and may have already hit this group. My google-foo failed me if so.

I discovered that the CenturyLink/Level(3) public DNS servers (4.2.2.2, etc.) are spoofing all domains. If the hostname begins with a “w” and does not exist in the authoritative zone, these hosts will return two Akamai hosts.

[root@localhost ~]# dig +short w3.dummydomaindoesntexist.gov @4.2.2.2
23.202.231.167
23.217.138.108

[root@localhost ~]# dig +short w3.dummydomaindoesntexist.net @4.2.2.2
23.202.231.167
23.217.138.108

[root@localhost ~]# dig +short w3.dummydomaindoesntexist.com @4.2.2.2
23.202.231.167
23.217.138.108

[root@localhost ~]# dig +short w3.dummydomaindoesntexist.org @4.2.2.2
23.202.231.167
23.217.138.108

My apologies if this is old news.

Lawrence Q. Marshall
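A resolver check that does in code what the dig commands in both messages do by hand, added here as an example and not part of either message: it sends a bare A query for a random unregistered label using only the Python standard library and classifies the reply as an honest NXDOMAIN (RCODE 3 with an empty answer section) or as rewriting (NOERROR with A records). Only 4.2.2.2 comes from the thread; the 20-character random label, the .com suffix and the UDP-only transport are assumptions of this example.

```python
import random, socket, string, struct, sys
def build_query(name, qid=0x1234):
    # Header: ID, flags (RD only), QDCOUNT=1; then one A/IN question, no EDNS.
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)

def _skip_name(msg, off):
    # Advance past a wire-format name; a compression pointer (0xC0..) ends it.
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_response(msg):
    # Return the RCODE and every A record in the answer section.
    _id, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off, addrs = 12, []
    for _ in range(qd):
        off = _skip_name(msg, off) + 4            # skip QTYPE and QCLASS
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return {"rcode": flags & 0x0F, "answers": addrs}

def classify(result):
    # RCODE 3 with an empty answer section is honest; NOERROR plus A records is rewriting.
    if result["rcode"] == 3 and not result["answers"]:
        return "honest-nxdomain"
    if result["rcode"] == 0 and result["answers"]:
        return "rewriting"
    return "inconclusive"

def probe(resolver, name=None, timeout=3.0):
    # Query a random label nobody has registered (honest reply: NXDOMAIN) over UDP/53.
    name = name or "".join(random.choices(string.ascii_lowercase, k=20)) + ".com"
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver, 53))
        data, _ = s.recvfrom(4096)
    return name, classify(parse_response(data))

if __name__ == "__main__":
    for resolver in sys.argv[1:] or ["4.2.2.2"]:   # 4.2.2.2 is the resolver from the thread
        print(resolver, *probe(resolver))
```

Run it against the resolvers you actually hand to clients; a "rewriting" verdict means anything that relies on seeing NXDOMAIN (including the firewall rules mentioned above) will misbehave behind that resolver.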
