On 11/18/19 12:45, Marshall, Quincy wrote:
This is mostly informational and may have already hit this group. My Google-fu failed me if so.
I discovered that the CenturyLink/Level(3) public DNS (4.2.2.2, etc.) are spoofing all domains. If the hostname begins with a “w” and does not exist in the authoritative zone these hosts will return two Akamai hosts.
[root@localhost ~]# dig +short w3.dummydomaindoesntexist.gov @4.2.2.2
23.202.231.167
23.217.138.108
[root@localhost ~]# dig +short w3.dummydomaindoesntexist.net @4.2.2.2
23.202.231.167
23.217.138.108
[root@localhost ~]# dig +short w3.dummydomaindoesntexist.com @4.2.2.2
23.202.231.167
23.217.138.108
[root@localhost ~]# dig +short w3.dummydomaindoesntexist.org @4.2.2.2
23.202.231.167
23.217.138.108
My apologies if this is old news.
*Lawrence Q. Marshall*
Yep, old news. :) It's their "SearchGuide(TM)" nonsense.

You can opt out, but as of about 1.5? months ago it's almost impossible to because the applet was serving a 500, and now it just refuses to work *despite* serving a 200. And it's flaky as all else - when the applet goes down, the resolvers take the ...aherm, "liberty" of automatically enabling SearchGuide during the outage.

You can either attempt it via going to e.g.: http://searchguide.level3.com/search/?q=foo and clicking the "Settings" link in the upper right. If you get "There was a problem retrieving your settings from the server. Please try your request again later.", then congrats! You won the prize of not being able to change the redirect.

Alternatively, you can TRY running something like this: https://pastebin.com/zktqqCxU but AGAIN, it depends on that endpoint actually being *accessible*. Which it increasingly is not.

I've moved on from level3 for resolvers; their reliability's been declining but this nonsense just tanked them for me. Lately I've been using Verisign's resolvers (64.6.64.6 and 64.6.65.6) for upstream on my cachers, and I've been pretty pleased with it. They seem to express a focus on privacy, which is nice, but most importantly- records seem to get through unmolested, NXDOMAINs and all. Just as it should be. ;)
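
A repeatable form of the dig test from this thread, for checking any upstream resolver before putting it behind a cache. This is an added example, not part of either message: the function names (`probe_name`, `classify`, `collect`) and the `nxprobe-` label are assumptions made here, and the verdict rule (identical answers for unrelated nonexistent names means rewriting) generalizes the four queries shown above.

```shell
#!/bin/sh
# Added example: detect a recursive resolver that rewrites NXDOMAIN answers.

# Build a hostname that should not exist. The leading "w" follows the thread's
# observation; the rest of the label is constructed from the PID and the clock.
probe_name() {  # $1 = TLD, $2 = counter
    printf 'w%s.nxprobe-%s-%s.%s\n' "$2" "$$" "$(date +%s)" "$1"
}

# Read "name<TAB>space-separated A records" lines on stdin, print one verdict:
#   clean       every probe came back empty (NXDOMAIN passed through)
#   rewritten   two or more unrelated names got the identical answer set
#   suspicious  some probe got an answer, but no answer set repeated
classify() {
    awk -F '\t' '
        $2 != "" { answered++; if (++seen[$2] > 1) repeated = 1 }
        END {
            if (!answered)     print "clean"
            else if (repeated) print "rewritten"
            else               print "suspicious"
        }'
}

# Query one probe per TLD through resolver $1 and emit lines for classify.
# Only IPv4 lines are kept, so dig timeout messages are not counted as answers.
collect() {
    n=0
    for tld in com net org gov; do
        n=$((n + 1))
        name=$(probe_name "$tld" "$n")
        answers=$(dig +short +time=3 +tries=1 A "$name" "@$1" |
                  grep -E '^[0-9]+(\.[0-9]+){3}$' | sort | tr '\n' ' ')
        printf '%s\t%s\n' "$name" "$answers"
    done
}

# Runs only when a resolver address is given, e.g.: sh nxcheck.sh 64.6.64.6
if [ $# -gt 0 ]; then
    collect "$1" | classify
fi
```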