Mailing List Archive: Charter DNS servers returning invalid IP addresses

Charter DNS servers returning invalid IP addresses

Oct 25, 2023, 10:50 AM

Post #1 of 12 (222 views)

I've been working for a week or so to solve a problem with DNS
resolution for Charter customers for our domain bonesinjars.com. I've
reached-out to Charter directly but since I'm not a customer I couldn't
get any help from them. I was directed by a friend to this list in
hopes that there may be able to reach a Charter/Spectrum engineer who
might be able to explain and/or resolve this one.

A dig against Google's DNS servers correctly returns 4 A records:

dig bonesinjars.com 8.8.8.8

; <<>> DiG 9.18.12-0ubuntu0.22.04.3-Ubuntu <<>> bonesinjars.com 8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31383
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;bonesinjars.com. IN A

;; ANSWER SECTION:
bonesinjars.com. 60 IN A 198.49.23.145
bonesinjars.com. 60 IN A 198.185.159.145
bonesinjars.com. 60 IN A 198.49.23.144
bonesinjars.com. 60 IN A 198.185.159.144

;; Query time: 1039 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Mon Oct 23 10:26:32 CDT 2023
;; MSG SIZE rcvd: 108

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26879
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;8.8.8.8. IN A

;; Query time: 35 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Mon Oct 23 10:26:32 CDT 2023
;; MSG SIZE rcvd: 36

Verizon, AT&T, Comcast and all other DNS servers we tested return the
same 4 A records. However the same dig against a Charter DNS
(24.196.64.53) returns only 127.0.0.54:

dig bonesinjars.com 24.196.64.53

; <<>> DiG 9.16.1-Ubuntu <<>> bonesinjars.com 24.196.64.53
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17691
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;bonesinjars.com. IN A

;; ANSWER SECTION:
bonesinjars.com. 60 IN A 127.0.0.54

;; Query time: 55 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Tue Oct 24 13:28:36 CDT 2023
;; MSG SIZE rcvd: 60

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4658
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;24.196.64.53. IN A

;; ANSWER SECTION:
24.196.64.53. 86400 IN A 24.196.64.53

;; Query time: 27 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Tue Oct 24 13:28:36 CDT 2023
;; MSG SIZE rcvd: 57

Any help understanding and addressing this is greatly appreciated!

Jason

Re: Charter DNS servers returning invalid IP addresses [ In reply to ]

marka at isc

Oct 25, 2023, 11:26 AM

Post #2 of 12 (222 views)

Permalink

It’s being filtered. Only Charter can tell you why.

--
Mark Andrews

> On 26 Oct 2023, at 05:07, Jason J. Gullickson via NANOG <nanog@nanog.org> wrote:
>
> ?
> I've been working for a week or so to solve a problem with DNS resolution for Charter customers for our domain bonesinjars.com. I've reached-out to Charter directly but since I'm not a customer I couldn't get any help from them. I was directed by a friend to this list in hopes that there may be able to reach a Charter/Spectrum engineer who might be able to explain and/or resolve this one.
>
> A dig against Google's DNS servers correctly returns 4 A records:
>
>
> dig bonesinjars.com 8.8.8.8
>
> ; <<>> DiG 9.18.12-0ubuntu0.22.04.3-Ubuntu <<>> bonesinjars.com 8.8.8.8
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31383
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 65494
> ;; QUESTION SECTION:
> ;bonesinjars.com. IN A
>
> ;; ANSWER SECTION:
> bonesinjars.com. 60 IN A 198.49.23.145
> bonesinjars.com. 60 IN A 198.185.159.145
> bonesinjars.com. 60 IN A 198.49.23.144
> bonesinjars.com. 60 IN A 198.185.159.144
>
> ;; Query time: 1039 msec
> ;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
> ;; WHEN: Mon Oct 23 10:26:32 CDT 2023
> ;; MSG SIZE rcvd: 108
>
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26879
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 65494
> ;; QUESTION SECTION:
> ;8.8.8.8. IN A
>
> ;; Query time: 35 msec
> ;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
> ;; WHEN: Mon Oct 23 10:26:32 CDT 2023
> ;; MSG SIZE rcvd: 36
>
>
>
> Verizon, AT&T, Comcast and all other DNS servers we tested return the same 4 A records. However the same dig against a Charter DNS (24.196.64.53) returns only 127.0.0.54:
>
>
>
> dig bonesinjars.com 24.196.64.53
>
> ; <<>> DiG 9.16.1-Ubuntu <<>> bonesinjars.com 24.196.64.53
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17691
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 65494
> ;; QUESTION SECTION:
> ;bonesinjars.com. IN A
>
> ;; ANSWER SECTION:
> bonesinjars.com. 60 IN A 127.0.0.54
>
> ;; Query time: 55 msec
> ;; SERVER: 127.0.0.53#53(127.0.0.53)
> ;; WHEN: Tue Oct 24 13:28:36 CDT 2023
> ;; MSG SIZE rcvd: 60
>
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4658
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 65494
> ;; QUESTION SECTION:
> ;24.196.64.53. IN A
>
> ;; ANSWER SECTION:
> 24.196.64.53. 86400 IN A 24.196.64.53
>
> ;; Query time: 27 msec
> ;; SERVER: 127.0.0.53#53(127.0.0.53)
> ;; WHEN: Tue Oct 24 13:28:36 CDT 2023
> ;; MSG SIZE rcvd: 57
>
>
>
> Any help understanding and addressing this is greatly appreciated!
>
>
>
> Jason

RE: Charter DNS servers returning invalid IP addresses [ In reply to ]

Greg.Dickinson at bryantbank

Oct 25, 2023, 11:41 AM

Post #3 of 12 (222 views)

Permalink

Re: Charter DNS servers returning invalid IP addresses [ In reply to ]

nanog at nanog

Oct 25, 2023, 12:16 PM

Post #4 of 12 (221 views)

Permalink

That does help Greg.

I've heard from a few other folks on the list that the domain is
considered suspicious by a few different providers like this. It's a
turnkey Squarespace gallery/ecommerce site so I'm not sure why it would
be classified as a threat, but perhaps a previous domain holder was
doing something that could have been and these reports are just
outdated?

- Jason

On 2023-10-25 1:41 pm, Greg Dickinson wrote:

> If it helps troubleshooting, when I click the domain in the email
> Mimecast tells me:
>
> "We checked the website you are trying to access for malicious and
> spear-phishing content and found it likely to be unsafe."
>
> Greg Dickinson, CCNA
>
> Network Engineer
>
> From: NANOG <nanog-bounces+greg.dickinson=bryantbank.com@nanog.org> On
> Behalf Of Mark Andrews
> Sent: Wednesday, October 25, 2023 1:27 PM
> To: Jason J. Gullickson <mr@jasongullickson.com>
> Cc: nanog@nanog.org
> Subject: Re: Charter DNS servers returning invalid IP addresses
>
> This Message originates from outside Bryant Bank. Please use caution
> when opening this correspondence, attachments or hyperlinks (URLs). If
> you have questions, please contact IT Support. Thank you.
>
> It's being filtered. Only Charter can tell you why.
>
> --
>
> Mark Andrews
>
>> On 26 Oct 2023, at 05:07, Jason J. Gullickson via NANOG
>> <nanog@nanog.org> wrote:
>
>> I've been working for a week or so to solve a problem with DNS
>> resolution for Charter customers for our domain bonesinjars.com [1].
>> I've reached-out to Charter directly but since I'm not a customer I
>> couldn't get any help from them. I was directed by a friend to this
>> list in hopes that there may be able to reach a Charter/Spectrum
>> engineer who might be able to explain and/or resolve this one.
>>
>> A dig against Google's DNS servers correctly returns 4 A records:
>>
>> dig bonesinjars.com [1] 8.8.8.8 [2]
>>
>> ; <<>> DiG 9.18.12-0ubuntu0.22.04.3-Ubuntu <<>> bonesinjars.com [1]
>> 8.8.8.8 [2]
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31383
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 65494
>> ;; QUESTION SECTION:
>> ;bonesinjars.com [1]. IN A
>>
>> ;; ANSWER SECTION:
>> bonesinjars.com [1]. 60 IN A 198.49.23.145 [3]
>> bonesinjars.com [1]. 60 IN A 198.185.159.145
>> [4]
>> bonesinjars.com [1]. 60 IN A 198.49.23.144 [5]
>> bonesinjars.com [1]. 60 IN A 198.185.159.144
>> [6]
>>
>> ;; Query time: 1039 msec
>> ;; SERVER: 127.0.0.53#53(127.0.0.53) [7] (UDP)
>> ;; WHEN: Mon Oct 23 10:26:32 CDT 2023
>> ;; MSG SIZE rcvd: 108
>>
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26879
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 65494
>> ;; QUESTION SECTION:
>> ;8.8.8.8 [2]. IN A
>>
>> ;; Query time: 35 msec
>> ;; SERVER: 127.0.0.53#53(127.0.0.53) [7] (UDP)
>> ;; WHEN: Mon Oct 23 10:26:32 CDT 2023
>> ;; MSG SIZE rcvd: 36
>>
>> Verizon, AT&T, Comcast and all other DNS servers we tested return the
>> same 4 A records. However the same dig against a Charter DNS
>> (24.196.64.53 [8]) returns only 127.0.0.54 [9]
>>
>> dig bonesinjars.com [1] 24.196.64.53 [8]
>>
>> ; <<>> DiG 9.16.1-Ubuntu <<>> bonesinjars.com [1] 24.196.64.53 [8]
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17691
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 65494
>> ;; QUESTION SECTION:
>> ;bonesinjars.com [1]. IN A
>>
>> ;; ANSWER SECTION:
>> bonesinjars.com [1]. 60 IN A 127.0.0.54 [9]
>>
>> ;; Query time: 55 msec
>> ;; SERVER: 127.0.0.53#53(127.0.0.53) [7]
>> ;; WHEN: Tue Oct 24 13:28:36 CDT 2023
>> ;; MSG SIZE rcvd: 60
>>
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4658
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 65494
>> ;; QUESTION SECTION:
>> ;24.196.64.53 [8]. IN A
>>
>> ;; ANSWER SECTION:
>> 24.196.64.53 [8]. 86400 IN A 24.196.64.53 [8]
>>
>> ;; Query time: 27 msec
>> ;; SERVER: 127.0.0.53#53(127.0.0.53) [7]
>> ;; WHEN: Tue Oct 24 13:28:36 CDT 2023
>> ;; MSG SIZE rcvd: 57
>>
>> Any help understanding and addressing this is greatly appreciated!
>>
>> Jason
>
> NOTICE: This electronic mail message and any files transmitted with it
> are intended exclusively for the individual or entity to which it is
> addressed. The message, together with any attachment, may contain
> confidential and/or privileged information. Any unauthorized review,
> use, print, save, copy, disclosure or distribution is strictly
> prohibited. If you have received this message in error, please
> immediately advise the sender by reply email and delete copies. Thank
> you.

Links:
------
[1]
https://secure-web.cisco.com/1QYzTVngb5oZ1KLAZyMPvb_h9plEnlxSg987WNlsBgaLug2z-wCDx1wrGIgQQEYsHUdgOcjhswf6mSTPbxkpx_PSBYcpJqL3ro-v_aACZlNSMkqb3exaatMssNXfmJgrveUz-UxuXL2M6AawZ3YEd2vM7Kn-1B-sSpAmZc-6V7EyX6S7ooOf7RD6nlw33qjyxRPUak-lV6-AnanVZZWHYe0Ijj2I8HL4AXQguBAmbNk0MbHeyA8Ga1AuXMgXyQit9G2GXOjM0MvxVStf6Mv8skAFEdXbUFd_oPIdEKAMTJTlEuw2TG-foZB4ZVBC4mckU/https%3A%2F%2Fprotect-usb.mimecast.com%2Fs%2FSJmKC8XrW7CjJ2MFn0cqx%3Fdomain%3Dbonesinjars.com
[2]
https://secure-web.cisco.com/1imxdVmCYKyqq5wulvqemEVFHic8KD5Xk1Q4EqDP-l4FLBVdWJDIOSKp41SSdsFISBJV1TPTQY179COdaURZsSkdbtkyBBd44NKV3A0JKV3nzk3_LnalsOhuow7MuiyMbecMAup_h6gGYQ4SOepC2sVtx0EZqiF9AQ5wSSa_LXF_9b5yF7LShmlxRpl1VJAFF3lgjvglh119EKQGIlesw0u9fm6-P0xxB3-KWORmNACLchQhN4VOX4fAZrs0JD8uwyA61yG4PnOfBkCXk_vhDRTDWMd0ImD5Yq0jq0PIfmYKq9xjitIMY22qJtE1rSgAr/https%3A%2F%2Fprotect-usb.mimecast.com%2Fs%2FBzURC93vG7smZlKfEbQ7C%3Fdomain%3D8.8.8.8
[3]
https://secure-web.cisco.com/1QeSRq_up-pqhHIDl6xF_GqRzLweZJXtuPVjonTJoPahw1QlkpOrVB8YIHlYjNNDOCI4OBkPM-SvRKLvMALQ5_dz44XUtxiLiofA9CXx6d1wodHFpc6AnxdaSeJOZx7mAb-_rkGKan8YM2P0y7k_U4Mz5qf9CKuXi_PaAWlKcoVvds50HiNKqYDV_FB418o77CzHZuKAuNvs8Mmxs8WDai5fC-gwdeBDcLD0SL86Br932u8IJRH-841O2eUDO470EfM-0dsPH1MWiQ0KJW5yMhgW3P34mf1eAvh-2cgaDQTzZA74Lkm-6Tzc8oZtY5p2M/https%3A%2F%2Fprotect-usb.mimecast.com%2Fs%2Fx_RWC0AjEyt2E7Wf2GpkC%3Fdomain%3D198.49.23.145
[4]
https://secure-web.cisco.com/1O5fWfiQWb4UoojSFAKsG6sZg-r7ZoEBLPCb-nUjBFPD_pxRVOi8oMmCRW-Mfcz9eSl76mY5nxexbCbHEJxOZvBJdlGhyxITjNRyVwiUsKZmfQKmrj4_HVkftE8bLQ5-XGKIAAIQ-wZsERIw0xspD1uLkvZFTA0NyDUlJSn1MBUs4VQFz0ukRM6IMkmAyYPjKXSa2gGSZLQzI524esQl_DlmJqxzpdC9ZYxHCjdeM50AFZqw7DBzzkeP_pLYbfhHRbuOWZZdxBP8F2ODIOCZznN3fV3F6pY9kc8I-LWi4BBv-_wiRqTAlvOADiCI5wJ7B/https%3A%2F%2Fprotect-usb.mimecast.com%2Fs%2F8h5WCg7W8VUlgoWt3OlY4%3Fdomain%3D198.185.159.145
[5]
https://secure-web.cisco.com/1Gksy1SWwjLAq6x2FUfJ0MAAMBhgV-1-7Zc08k_Cg-Z8MCVm7dbTMrlPLD-TQlaWePQOE7GbeTaTraAeiJCc0d4iu33sZj9mL84SiBCIe8q2me5c3yyVFo7yPWu-dLXsPQHD4OgVp7ng69L5TVvKkDhbD6wqk7kHAPv5qlkXEUptlKY0v1HShhevQ7lKgaPCj2rWW4Q-7Qqg8UM0lK9kWT-YWh98oCXOXBiTDHcqisVo9PMIqBFWgt4bCM8NgzzlhU9OiGZ8AXEYmhGO1y8VT_xjBGkoB7UffPWRP2LLewWwJWp7ThPNOC3r9Frl2aeDG/https%3A%2F%2Fprotect-usb.mimecast.com%2Fs%2F9hSMCjAW5Vtj6BJF1fcXc%3Fdomain%3D198.49.23.144
[6]
https://secure-web.cisco.com/1Vr7XwiMhFeLf9cMeTNX15HD8WHYJL270KD2MioSlgRG1OZOTdHztceZS105N0_tgssZ8_mT0KbAZmCjzFztSvClt49arHyaj_dR_uRaCDMbO2_JFF9kUU38SacbWlgJCOGv0A6XZv5WFrKwXAJOfyBbPAwuaSqPxJ_zi3bGpeXbNN5C67tArrBmUxBPI-M5igsmueF5dScQYJnPi906IXIKD-wPHhlDvp4ig06GAosRHtSBm_vA4nb_Wy4dzih_hcQQrhSCAOI37Kmf5ybVjmVOBjMIPEZRukzd06KsDopfCBQ0JOY7N56dWc5ChjRlX/https%3A%2F%2Fprotect-usb.mimecast.com%2Fs%2FXcRmCk6WBVinLK0s8VH6O%3Fdomain%3D198.185.159.144
[7]
https://secure-web.cisco.com/1oHf3Mm9qxwW_PH8S4pY1BmQR998AjECHdJ2k33Ke6Rw8OcQ1cnLtUG3Rh7_IZGrOStkwz_f9VeOOtZRLD81WxqmbutZu-3YfjCyvlSfRZ9t8K9yKoMSBY4teD1ch1oyg4pRf9NCTVGeUaXblF7EnqpSi2eDXbJwpDEy6diF1quyWUiAbBd8fsIK5uQpWvA7lcoHrgaE0osMAvqfUHwWF-ZkT8h0xgFNhXkAOWtIAo7n8D1YfkE4I_mSpZIspC4oiijILP15PzjChrZkfJhLwEMgj8swiPbxexelmdJ_9aAx3XVU-659YjPXKGSQfTfMj/https%3A%2F%2Fprotect-usb.mimecast.com%2Fs%2FPCwtCl8WXVfo9VKSV4pXj%3Fdomain%3D127.0.0.53
[8]
https://secure-web.cisco.com/1MWCKSLA6JNuYXb1c5Hf_dGEOanOe-z4Ba3wu58c8y7ovolaWkmwgvw1y9VINW7E-iYrioRIunmH6rcdi1nR4jAaJxKhhVY3K2-iJohl16QTQxP6-bQZ9gUaKK1BKqhHU3xa7PuPKH9fV1_-Xt0utZMnJBId5JNn41g-ReHQbQoUubYws92XudwEvClcRLPPrTu3n45B9PktjiHUzSV4vUo0B3SDfIY2PhXbxESWX9a4b7pLE9UNg3I6ioAMjtRhEJCLo3Qb50WzzWx8rZrb3g0z3a6pbD6bFPGsHj1tMsqL8zX4GMjDVpsCTvuHt3Wgd/https%3A%2F%2Fprotect-usb.mimecast.com%2Fs%2FCTLTCm7W8VU50gYi3olZq%3Fdomain%3D24.196.64.53
[9]
https://secure-web.cisco.com/1fh0FafrN8nhI9wEWZaByw3sg2sf9Kz5Vk5p1BkCmxRU0aH9nIP51uLT6nXBLl1eyTKVKJ0ChA32iQrcFPxySd9YaQhCef4LLlwHJNmnpEBLJmcdirIsMRcrjRpvdz4Ow0CWpwXX-IS_k0xC3NYU7wqVTCpd6x7xOUh3VLNqSRLsLh3KtenzYnclWWghbPuv4LdXQrw4TWQYywXzorXtnydTAvmJilo-OkuCFD7Vdu-j19hEcGFviQpjNUIoHSkeCzEWNjg_cAD_UtmfpzigPZNpNdiegWHssQkSoSkFIOnMHrqiQAQRyz54FBSTKWcCv/https%3A%2F%2Fprotect-usb.mimecast.com%2Fs%2F7qHPCnGW7VTGyPLCvdGr6%3Fdomain%3D127.0.0.54

Re: Charter DNS servers returning invalid IP addresses [ In reply to ]

Bryan at bryanfields

Oct 25, 2023, 12:51 PM

Post #5 of 12 (221 views)

Permalink

On 10/25/23 2:41 PM, Greg Dickinson wrote:
> If it helps troubleshooting, when I click the domain in the email Mimecast
> tells me:
>
> “We checked the website you are trying to access for malicious and
> spear-phishing content and found it likely to be unsafe.”

I saw nothing referencing Mimecast in the original email. Where did you see this?

bonesinjars.com is not signed with DNSSEC. This is trivial to setup and might
prevent some of this.

Probably not a good idea for your customers to rely on $BIGCABLE DNS servers.
--
Bryan Fields

727-409-1194 - Voice
http://bryanfields.net

Charter DNS servers returning invalid IP addresses [ In reply to ]

abscoco at gmail

Oct 25, 2023, 4:37 PM

Post #6 of 12 (220 views)

Permalink

Dear NANOG-er,

Hope this email finds you in good health!

Please see my comments below, inline...

Thanks,

Le 25/10/2023 à 18:50, Jason J. Gullickson via NANOG a écrit :
>
> I've been working for a week or so to solve a problem with DNS
> resolution for Charter customers for our domain bonesinjars.com. I've
> reached-out to Charter directly but since I'm not a customer I
> couldn't get any help from them. I was directed by a friend to this
> list in hopes that there may be able to reach a Charter/Spectrum
> engineer who might be able to explain and/or resolve this one.
>
> A dig against Google's DNS servers correctly returns 4 A records:
>
>
> dig bonesinjars.com 8.8.8.8
>

...instead of the above, you could try the following command:

`dig bonesinjars.com. @9.9.9.9 +nsid +edns=0 +all +short`

Please, do note the sign `@` and the trailing dot `.`

>
> [...]
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26879
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 65494
> ;; QUESTION SECTION:
> ;8.8.8.8. IN A
>

...this is unexpected! given what you said.

>
> ;; Query time: 35 msec
> ;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
> ;; WHEN: Mon Oct 23 10:26:32 CDT 2023
> ;; MSG SIZE rcvd: 36
>
>
> Verizon, AT&T, Comcast and all other DNS servers we tested return the
> same 4 A records. However the same dig against a Charter DNS
> (24.196.64.53) returns only 127.0.0.54:
>
>
> dig bonesinjars.com 24.196.64.53
>
>

`dig cmnog.cm. @24.196.64.53 +nsid +edns=0 +all`

or

dig cmnog.cm. @`dig -x 24.196.64.53 +short` +nsid +edns=0 +all

> ; <<>> DiG 9.16.1-Ubuntu <<>> bonesinjars.com 24.196.64.53
> [...]
> ;; QUESTION SECTION:
> ;bonesinjars.com. IN A
>
> ;; ANSWER SECTION:
> bonesinjars.com. 60 IN A 127.0.0.54
>
> [...]
>
> ;; QUESTION SECTION:
> ;24.196.64.53. IN A
>
>

...it's not what you wanted to test!
`dig` understood it otherwise.

...associating the @ sign with the above IPv4 address
would have corrected the behavior of `dig`:
*@24.196.64.53*

>
> ;; ANSWER SECTION:
> 24.196.64.53. 86400 IN A 24.196.64.53
>
> ;; Query time: 27 msec
> ;; SERVER: 127.0.0.53#53(127.0.0.53)
> [...]
>
>
> Any help understanding and addressing this is greatly appreciated!
>
>
>

Hi Jason,

Thanks for your email, brother.

...you should note that:

n#1. each of the command you shared above is not
producing the expected behavior. Please replace
it by the one i suggested, and observe the diff.

n#2. the DNS resolver you try to use appears to not
being, actually, available for any request.
Just try: `dig @24.196.64.53 cm.` or even:
`dig @24.196.64.53 ns1.charter.com.`

Maybe you should, first clarify what you needed to
achieve.

That said! maybe it's a simple matter of changing
a DNS resolver? have you ask to someone within
Charter's network to try with quad9, for example?
...or any other public DNS resolver, to be fair.

Hope this helps!

Shalom,
--sb.

>
> Jason
>

--
Best Regards !

baya.sylvain [AT cmNOG DOT cm]
|cmNOG's Structure <https://www.cmnog.cm/dokuwiki/Structure>|cmNOG's
Surveys <https://survey2.cmnog.cm/>|Subscribe to cmNOG's Mailing List
<https://lists.cmnog.cm/mailman/listinfo/cmnog>|
__
#?LASAINTEBIBLE?|?#?Romains15?:33«*Que LE ?#?DIEU? de ?#?Paix? soit avec
vous tous! ?#?Amen?!*» #?MaPrière? est que tu naisses de
nouveau.#Chrétiennement?
«*Comme une biche soupire après des courants d’eau, ainsi mon âme
soupire après TOI, ô DIEU!*» (#Psaumes42:2)

RE: Charter DNS servers returning invalid IP addresses [ In reply to ]

Greg.Dickinson at bryantbank

Oct 25, 2023, 5:24 PM

Post #7 of 12 (220 views)

Permalink

He didn’t, I was just referencing Mimecast to indicate it was probably larger than Charter’s DNS. Given the reports that someone else gave from Virustotal, it seems it’s more widespread than first reported.

Greg Dickinson, CCNA
Network Engineer

[mid:ac0798f5d04aec2c4c40f9c44056646c8ba72bfb332f7f64d451d99665886e29@getboxer.com/image001.png@01D2DDE3.06E76B70]

From: NANOG <nanog-bounces+greg.dickinson=bryantbank.com@nanog.org> On Behalf Of Bryan Fields
Sent: Wednesday, October 25, 2023 2:51 PM
To: nanog@nanog.org
Subject: Re: Charter DNS servers returning invalid IP addresses

This Message originates from outside Bryant Bank. Please use caution when opening this correspondence, attachments or hyperlinks (URLs). If you have questions, please contact IT Support. Thank you.

On 10/25/23 2:41 PM, Greg Dickinson wrote:
> If it helps troubleshooting, when I click the domain in the email Mimecast
> tells me:
>
> “We checked the website you are trying to access for malicious and
> spear-phishing content and found it likely to be unsafe.”

I saw nothing referencing Mimecast in the original email. Where did you see this?

bonesinjars.com<https://secure-web.cisco.com/1QQZVslnfiRjBtYsKz_oXFZ_6WtTz9sVZ_f0uvfIVeQ2J1pIidIRXn6_jdq-yZOHUogW_K6VK7D0Z1XlMCU582_TcZAVhTdpiq9JxixxYbkJfGT49HwTOslxUlMJyF7N2kN6HGX2LhEGO9n3mr5OwxMrdseSfDjdEqt8CduYaiS4G2LDlbe8Dg2l0amB-7s_zlqczuasnjL0pQdK7KvyQKqUHW_aEjlr6tbm-Ot4IBuFYyVgFvyCt4ELqnUS74BeHrFwprUthd9Gs2KHJTNoJubcCC3u5rmijvsEmteQDOe-1FIdONODBxWbubyjpRccL/https%3A%2F%2Fprotect-usb.mimecast.com%2Fs%2FFF75CB1GO7fVEN2TNemvK%3Fdomain%3Dbonesinjars.com> is not signed with DNSSEC. This is trivial to setup and might
prevent some of this.

Probably not a good idea for your customers to rely on $BIGCABLE DNS servers.
--
Bryan Fields

727-409-1194 - Voice
http://bryanfields.net<https://secure-web.cisco.com/1IMgbVJ8gycWN6tw-46nbbWjKIELzO75mx5XvOPS1W9lFcp-t5iPb6Z6pom_P03J9roVyNep9lT5w4tQ38iAYBobJI4sey3-XZisw2KcRArZXNJsOQZ0GEd0TR2wOdJLQqdU170lylzPwbJ6UWgjTvMlPaCE_u7WdxOX9gCG7M20OzhYTA0TRtif-nRWHyCQKT7sBiFlPcItRDX_CLbnsg4NIjnn-NlUpGkbnCUe2x_MG5y8ed6IODpcaiWvjb4-1NPVharBH-SfJW3KRxmxaOtf-uxLSK2fZH91teBZ6v6HkeoLdoyWaprqZAWMuY_dd/https%3A%2F%2Fprotect-usb.mimecast.com%2Fs%2F76FZCDwK67fBgZGHZQHy_%3Fdomain%3Dbryanfields.net>

NOTICE: This electronic mail message and any files transmitted with it are intended exclusively for the individual or entity to which it is addressed. The message, together with any attachment, may contain confidential and/or privileged information. Any unauthorized review, use, print, save, copy, disclosure or distribution is strictly prohibited. If you have received this message in error, please immediately advise the sender by reply email and delete copies. Thank you.

Re: Charter DNS servers returning invalid IP addresses [ In reply to ]

Bryan at bryanfields

Oct 25, 2023, 5:46 PM

Post #8 of 12 (220 views)

Permalink

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 10/25/23 8:24 PM, Greg Dickinson wrote:
> He didn’t, I was just referencing Mimecast to indicate it was probably
> larger than Charter’s DNS. Given the reports that someone else gave from
> Virustotal, it seems it’s more widespread than first reported.

Is there a link where this can be looked up? I've not seen anything on
their website <https://www.mimecast.com>.

If you're going to quote me, please don't alter what I wrote, and please
trim the relevant parts of it.

Thanks,
- --
Bryan Fields

727-409-1194 - Voice
http://bryanfields.net
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEaESdNosUjpjcN/JhYTmgYVLGkUAFAmU5twEACgkQYTmgYVLG
kUDrcA/+MxVAPG4lHhbcsRkKBHKelmnZmM3hmBaLtenn6wOmFJ1TrehBTVBi3+qy
5tREfH8HQ5E/V5iZe/yAkVWETjptYjbpnDS73D6XPTlZzzEs5Py6uv1TMdgGzZf5
twV00M4kfYmzwffKs0hAXuQ8VkKo9x3S9c3jE6MJhqlxtWFMKEVdJX5xlUid0HqQ
wt9KZxO4WVLdRKTfL9XWBh92Mccdo4rcwVFk4jvQDEnJvUg55TMhXNfQL/3a3PSG
Pc/fGgnS+qEM9XxkMHBpilPHb0CB4YRJ7aldSkOZgL/7LVmQ0JyTd+clDSVCKeck
FjHsWf/PRuBRMJHb3fT8mFDEQUltlTIfJr8gbOrV/GkFd0o9gmTYWLkvnUh70uhj
S8ZXlzZoEue1OW5L4KkiFKP1i878aYhyn+OWbl8iW0P3WxmpNP9ZHOEMzAOLajIE
WMK6DJpKBKl8DEsh4diSOPODySC4+mWnle1ZskGsPjTrLCAY+ukzI0k0idZRrFdV
ywaK6nFKGvXkLMJM00s7ibLwAtnn30epGoWHHErKOBFfaZ12oPERoCaFArdNbLZi
dxITHkYFaF70M+Jav/Jh4bf2baHwU/zTNdmDvgp8CjLgVF19439wgj8IeXrvqFQ+
VWLhlCj5D1GvblWi+GejK2dYLSfIWtIWL2CRCuGhHA1CpCdZvtI=
=Esxb
-----END PGP SIGNATURE-----

Re: Charter DNS servers returning invalid IP addresses [ In reply to ]

bjorn at mork

Oct 26, 2023, 12:10 AM

Post #9 of 12 (220 views)

Permalink

"Jason J. Gullickson via NANOG" <nanog@nanog.org> writes:

> I've been working for a week or so to solve a problem with DNS
> resolution for Charter customers for our domain bonesinjars.com. I've
> reached-out to Charter directly but since I'm not a customer I
> couldn't get any help from them. I was directed by a friend to this
> list in hopes that there may be able to reach a Charter/Spectrum
> engineer who might be able to explain and/or resolve this one.
>
> A dig against Google's DNS servers correctly returns 4 A records:
>
> dig bonesinjars.com 8.8.8.8

Guess you wanted

dig bonesinjars.com @8.8.8.8

?

> ;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)

This is not 8.8.8.8

> dig bonesinjars.com 24.196.64.53

still missing @

> ;; SERVER: 127.0.0.53#53(127.0.0.53)

This is not 24.196.64.53

Bjørn

Re: Charter DNS servers returning invalid IP addresses [ In reply to ]

nanog at nanog

Oct 26, 2023, 7:01 AM

Post #10 of 12 (220 views)

Permalink

Maybe the site "has/had" a shopping cart infection at one point that has been found and eradicated at one point ?

> On Oct 26, 2023, at 02:10, Bjørn Mork <bjorn@mork.no> wrote:
>
> "Jason J. Gullickson via NANOG" <nanog@nanog.org> writes:
>
>> I've been working for a week or so to solve a problem with DNS
>> resolution for Charter customers for our domain bonesinjars.com. I've
>> reached-out to Charter directly but since I'm not a customer I
>> couldn't get any help from them. I was directed by a friend to this
>> list in hopes that there may be able to reach a Charter/Spectrum
>> engineer who might be able to explain and/or resolve this one.
>>
>> A dig against Google's DNS servers correctly returns 4 A records:
>>
>> dig bonesinjars.com 8.8.8.8
>
> Guess you wanted
>
> dig bonesinjars.com @8.8.8.8
>
> ?
>
>> ;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
>
> This is not 8.8.8.8
>
>> dig bonesinjars.com 24.196.64.53
>
> still missing @
>
>> ;; SERVER: 127.0.0.53#53(127.0.0.53)
>
> This is not 24.196.64.53
>
>
> Bjørn

--

J. Hellenthal

"You think it's the living who will have ultimate judgement over you because the dead will have no claim over your soul. But you may be mistaken.*"

Re: Charter DNS servers returning invalid IP addresses [ In reply to ]

johnl at iecc

Oct 27, 2023, 4:44 AM

Post #11 of 12 (220 views)

Permalink

It appears that J. Hellenthal via NANOG <jhellenthal@dataix.net> said:
>-=-=-=-=-=-
>
>Maybe the site "has/had" a shopping cart infection at one point that has been found and eradicated at one point ?

Virustotal reported it four days ago, which suggests that whatever was
wrong with it is still wrong with it,

The usual (correct) response to "whitelist us because your malware
report is wrong" is "no, because it's not."

R's,
John

Re: Charter DNS servers returning invalid IP addresses [ In reply to ]

nanog at nanog

Nov 1, 2023, 12:44 PM

Post #12 of 12 (195 views)

Permalink

This is very interesting.

I did some poking-around and found other Squarespace customers with
similar issues (in their case it was Google complaining that their sites
were suspicious and therefore couldn't serve Google ads). The leading
theory is that the "canned" Squarespace sites are using an old version
of some library or other piece of code that some software identifies as
malware or otherwise dubious.

If I can figure out exactly what these services are upset about maybe I
can take that to Squarespace and get them to fix it, but I'm not sure
how far I'll get with what I know so far.

- Jason

On 2023-10-27 6:44 am, John Levine wrote:
> It appears that J. Hellenthal via NANOG <jhellenthal@dataix.net> said:
>> -=-=-=-=-=-
>>
>> Maybe the site "has/had" a shopping cart infection at one point that
>> has been found and eradicated at one point ?
>
> Virustotal reported it four days ago, which suggests that whatever was
> wrong with it is still wrong with it,
>
> The usual (correct) response to "whitelist us because your malware
> report is wrong" is "no, because it's not."
>
> R's,
> John

Mailing List Archive

Mailing List Archive

Attached Files: