An odd pattern of DNS failures began appearing in the logs yesterday:

May 20 15:05:19 PDT named[345]: wrong ans. name (uzmores.com != ns5.uzmores.com)
May 20 15:05:19 PDT named[345]: wrong ans. name (uzmores.com != ns4.uzmores.com)
May 20 15:05:19 PDT named[345]: wrong ans. name (uzmores.com != ns3.uzmores.com)
May 20 15:05:19 PDT named[345]: wrong ans. name (uzmores.com != ns2.uzmores.com)
May 20 15:05:19 PDT named[345]: wrong ans. name (uzmores.com != ns13.uzmores.com)
...
May 20 11:10:00 PDT named[345]: wrong ans. name (loptran.com != ns8.loptran.com)
May 20 11:10:00 PDT named[345]: wrong ans. name (loptran.com != ns7.loptran.com)
May 20 11:10:00 PDT named[345]: wrong ans. name (loptran.com != ns6.loptran.com)
May 20 11:10:00 PDT named[345]: wrong ans. name (loptran.com != ns4.loptran.com)
May 20 11:10:00 PDT named[345]: wrong ans. name (loptran.com != ns2.loptran.com)
...
May 20 10:12:25 PDT named[345]: wrong ans. name (dsinlet.com != ns7.dsinlet.com)
May 20 10:12:25 PDT named[345]: wrong ans. name (dsinlet.com != ns5.dsinlet.com)
May 20 10:12:25 PDT named[345]: wrong ans. name (dsinlet.com != ns9.dsinlet.com)
May 20 10:12:25 PDT named[345]: wrong ans. name (dsinlet.com != ns12.dsinlet.com)
May 20 10:12:25 PDT named[345]: wrong ans. name (dsinlet.com != ns3.dsinlet.com)
...

(All multiplied by a factor of 10)

Very odd to see a dozen nameservers for several new and obscure domains. Does this look like a rat? The apparently misconfigured domains are served by a single registrar, estdomains.com (whois -h whois.estdomains.com ..., Registration Service Provided By: N/A, Contact: +876.784848888). Certainly smells like a rat. Most of the individual nameservers do not answer queries; the ones that do are open to recursion, and all are hosted in cable/DSL/dial-up address space with correspondingly RFC-illegal reverse zones. Running 'host -at ns' a few times shows that the list of nameservers is rotated every few seconds, and occasionally returns "server localhost".
Obviously a rat, but the pattern brings up a number of questions. Are these spoofed queries and replies? If not, have any root nameservers been hacked? Do the queries exploit known named vulnerabilities? What ICANN policy might address this? Finally, what, if anything, are DNS admins doing about it?

-- 
Roger Marquis
Roble Systems Consulting
http://www.roble.com/
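As an added example (not part of the message above, nor any tool of the poster's), here is a small Python script that pulls the "wrong ans. name" lines out of a syslog file, groups the rejected answer names by the name that was queried, and flags domains where the mismatched answers come from a large pool of hosts inside the same zone, the rotating nsN.<domain> pattern described above rather than a single stray NS record. The sample log embedded in the script is constructed from the lines quoted in the message plus two unrelated lines to show what the filter ignores; the threshold of four in-zone hosts is an assumption, not anything the message states.

```python
import re
import sys
from collections import defaultdict

# Constructed sample, modelled on the lines quoted in the message; the real log
# had roughly ten times as many per domain. One unrelated named message and one
# cross-zone mismatch are added to show what the filter ignores.
SAMPLE_LOG = """\
May 20 15:05:19 PDT named[345]: wrong ans. name (uzmores.com != ns5.uzmores.com)
May 20 15:05:19 PDT named[345]: wrong ans. name (uzmores.com != ns4.uzmores.com)
May 20 15:05:19 PDT named[345]: wrong ans. name (uzmores.com != ns3.uzmores.com)
May 20 15:05:19 PDT named[345]: wrong ans. name (uzmores.com != ns2.uzmores.com)
May 20 15:05:19 PDT named[345]: wrong ans. name (uzmores.com != ns13.uzmores.com)
May 20 11:10:00 PDT named[345]: wrong ans. name (loptran.com != ns8.loptran.com)
May 20 11:10:00 PDT named[345]: wrong ans. name (loptran.com != ns7.loptran.com)
May 20 11:10:00 PDT named[345]: wrong ans. name (loptran.com != ns6.loptran.com)
May 20 11:10:00 PDT named[345]: wrong ans. name (loptran.com != ns4.loptran.com)
May 20 11:10:00 PDT named[345]: wrong ans. name (loptran.com != ns2.loptran.com)
May 20 10:12:25 PDT named[345]: wrong ans. name (dsinlet.com != ns7.dsinlet.com)
May 20 10:30:00 PDT named[345]: lame server resolving 'www.example.org' (in 'example.org'?): 192.0.2.1
May 20 10:31:00 PDT named[345]: wrong ans. name (example.com != mail.example.org)
"""

# BIND logs this when the owner name of an answer RR does not match the queried name.
WRONG_ANS_RE = re.compile(
    r"named\[\d+\]: wrong ans\. name \(([^\s()]+) != ([^\s()]+)\)"
)


def parse_wrong_answers(text):
    """Map each queried name to the set of answer owner names BIND rejected for it."""
    seen = defaultdict(set)
    for line in text.splitlines():
        m = WRONG_ANS_RE.search(line)
        if m:
            qname = m.group(1).lower().rstrip(".")
            aname = m.group(2).lower().rstrip(".")
            seen[qname].add(aname)
    return dict(seen)


def _host_number(hostname):
    # Sort nsN.<domain> labels numerically (ns2 before ns13); labels without digits sort first.
    digits = re.sub(r"\D", "", hostname.split(".")[0])
    return int(digits) if digits else -1


def suspicious_domains(seen, min_servers=4):
    """Return {domain: [hosts]} for domains whose rejected answers came from at least
    min_servers distinct hosts inside that same domain. A single mis-typed NS record
    yields one or two mismatches; a large pool of nsN.<domain> names is the rotating
    nameserver pattern from the message. The threshold of 4 is an assumption."""
    flagged = {}
    for qname, answers in seen.items():
        in_zone = {a for a in answers if a.endswith("." + qname)}
        if len(in_zone) >= min_servers:
            flagged[qname] = sorted(in_zone, key=_host_number)
    return flagged


if __name__ == "__main__":
    # Usage: python wrong_ans.py [/var/log/messages]; with no argument the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for domain, hosts in suspicious_domains(parse_wrong_answers(text)).items():
        print(f"{domain}: {len(hosts)} in-zone nameservers: {', '.join(hosts)}")
```

Run against the sample, uzmores.com and loptran.com are flagged (five in-zone hosts each), dsinlet.com is not (only one line survives in the sample), and the example.com mismatch is ignored because its answer name sits in a different zone. On a real log the per-domain host count and the spread of timestamps are the two numbers worth watching; a legitimate misconfiguration stays at one or two hosts and does not change from hour to hour.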