Friday 8 April 2011

Reverse DNS lookup using nslookup

It's easy to get the IP address for a domain name: just ping it.

C:\Users\Administrator>ping s15243155.onlinehome-server.info

Pinging s15243155.onlinehome-server.info [212.227.102.68] with 32 bytes of data

Or use nslookup to query the A record, which gives the same answer:

C:\Users\Administrator>nslookup -q=a s15243155.onlinehome-server.info
Server: my.router
Address: 192.168.1.1

Non-authoritative answer:
Name: s15243155.onlinehome-server.info
Address: 212.227.102.68

To reverse the lookup, you query the special "in-addr.arpa" domain for a PTR record, with the octets of the IP address in reverse order, like this:

C:\Users\Administrator>nslookup -q=ptr 68.102.227.212.in-addr.arpa
Server: my.router
Address: 192.168.1.1

Non-authoritative answer:
68.102.227.212.in-addr.arpa name = s15243155.onlinehome-server.info

102.227.212.in-addr.arpa nameserver = nsa2.schlund.de
102.227.212.in-addr.arpa nameserver = nsa.schlund.de
nsa.schlund.de internet address = 195.20.224.98
nsa2.schlund.de internet address = 195.20.244.5

This really comes into play when fixing this error in ZoneCheck:

w: Reverse for the nameserver IP address doesn't match
  • ns1.xyz.net/86.xx.xx.194
To fix this, click Start > Run and open dnsmgmt.msc.

Expand Reverse Lookup Zones and select the relevant .in-addr.arpa zone.

Right-click, select "New Pointer (PTR)", enter the host portion of the IP address (the final octet, 194 in the example above) into "Host IP Address", enter the nameserver's domain name into "Host name", then press OK.
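
As an added example, not code from the post: the helper below builds the in-addr.arpa name the nslookup command above uses (and, going beyond the post, the ip6.arpa name for IPv6), and then performs the forward/reverse consistency check that ZoneCheck is complaining about. Real DNS is replaced by a constructed answer table so it runs offline; the two onlinehome-server.info records come from the nslookup output above, while ns1.example.net, mx.example.net and the 192.0.2.x addresses are made up to show the mismatch and missing-PTR cases.

```python
"""Reverse-DNS helpers: build the in-addr.arpa / ip6.arpa owner name and check PTR consistency."""
import ipaddress


def reverse_pointer_name(ip):
    """Return the PTR owner name for an IPv4 or IPv6 address.

    IPv4: octets reversed under in-addr.arpa (212.227.102.68 -> 68.102.227.212.in-addr.arpa).
    IPv6: hex nibbles reversed under ip6.arpa (a generalisation; the post only shows IPv4).
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa"
    nibbles = addr.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


# Constructed stand-in for real DNS answers so the check runs offline.  The first two
# entries are the records shown by nslookup above; the rest are made up: a nameserver whose
# PTR names a different host (the ZoneCheck warning case) and a host with no PTR at all.
FAKE_DNS = {
    ("s15243155.onlinehome-server.info", "A"): ["212.227.102.68"],
    ("68.102.227.212.in-addr.arpa", "PTR"): ["s15243155.onlinehome-server.info"],
    ("ns1.example.net", "A"): ["192.0.2.10"],
    ("194.0.0.86.in-addr.arpa", "PTR"): [],
    ("10.2.0.192.in-addr.arpa", "PTR"): ["mail.example.net"],   # constructed mismatch
    ("mx.example.net", "A"): ["192.0.2.20"],                    # no PTR record at all
}


def lookup(name, rtype, resolver=FAKE_DNS):
    """Minimal resolver shim: returns a list of answer strings (empty if no record)."""
    return resolver.get((name.lower().rstrip("."), rtype), [])


def check_forward_reverse(hostname, resolver=FAKE_DNS):
    """Return one (ip, status, ptr) tuple per address of hostname.

    A nameserver passes when the PTR of each of its addresses names the host itself,
    which is exactly what ZoneCheck's "Reverse for the nameserver IP address doesn't
    match" warning is checking.
    """
    findings = []
    for ip in lookup(hostname, "A", resolver):
        ptrs = [p.lower().rstrip(".") for p in lookup(reverse_pointer_name(ip), "PTR", resolver)]
        if not ptrs:
            findings.append((ip, "missing", None))
        elif hostname.lower().rstrip(".") in ptrs:
            findings.append((ip, "ok", ptrs[0]))
        else:
            findings.append((ip, "mismatch", ptrs[0]))
    return findings


if __name__ == "__main__":
    for host in ("s15243155.onlinehome-server.info", "ns1.example.net", "mx.example.net"):
        print(host, check_forward_reverse(host))
```

To run it against live DNS, replace `lookup` with a function that issues the A and PTR queries (for example through a resolver library) and keep `check_forward_reverse` as it is; the status values map directly onto "fixed", "needs a PTR added" and "PTR points at the wrong name".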

Thursday 24 February 2011

xn--j6w193g The new Hong Kong IDN (香港)

The HKDNR is releasing the new Chinese IDN top-level domain for Hong Kong (香港) on 10 March 2011.

The punycode version of this domain is xn--j6w193g with the following DNS infrastructure:

xn--j6w193g nameserver = NS2.CUHK.EDU.HK
xn--j6w193g nameserver = NS1.HKIRC.NET.HK
xn--j6w193g nameserver = ADNS1.BERKELEY.EDU
xn--j6w193g nameserver = HK-NS.PCH.NET
xn--j6w193g nameserver = SEC3.APNIC.NET
xn--j6w193g nameserver = NS3.CUHK.EDU.HK
xn--j6w193g nameserver = ADNS2.BERKELEY.EDU
xn--j6w193g nameserver = NS2.HKIRC.NET.HK
xn--j6w193g nameserver = B.DNS.TW

B.DNS.TW internet address = 210.201.138.58
B.DNS.TW AAAA IPv6 address = 2404:0:10a0::58
NS2.CUHK.EDU.HK internet address = 137.189.6.21
NS2.CUHK.EDU.HK AAAA IPv6 address = 2405:3000:3:60::21
NS3.CUHK.EDU.HK internet address = 202.45.188.39
SEC3.APNIC.NET internet address = 202.12.28.140
SEC3.APNIC.NET AAAA IPv6 address = 2001:dc0:1:0:4777::140
ADNS1.BERKELEY.EDU internet address = 128.32.136.3
ADNS2.BERKELEY.EDU internet address = 128.32.136.14
ADNS2.BERKELEY.EDU AAAA IPv6 address = 2607:f140:ffff:fffe::e
HK-NS.PCH.NET internet address = 204.61.216.46
HK-NS.PCH.NET AAAA IPv6 address = 2001:500:14:6046:ad::1
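
As an added example, not from the post: Python's built-in idna codec converts between the Unicode form (香港) and the punycode "A-label" form (xn--j6w193g) of a name in both directions, and its decoder refuses an xn-- label that does not round-trip. The functions below are mine; the name 香港 / xn--j6w193g is from the post and the second-level label "example" is a constructed addition.

```python
"""Convert an IDN between its Unicode (U-label) and punycode (A-label) forms."""


def to_alabels(domain):
    """Unicode domain -> ASCII form, each non-ASCII label punycoded with the xn-- prefix.

    Labels that are already ASCII (including existing xn-- labels) pass through unchanged.
    """
    return domain.encode("idna").decode("ascii")


def to_ulabels(domain):
    """ASCII domain -> Unicode form; an xn-- label that does not decode cleanly raises UnicodeError."""
    return domain.encode("ascii").decode("idna")


def is_valid_alabel(label):
    """True if a single label is either plain ASCII or an xn-- label that round-trips.

    The idna codec already re-encodes the decoded label and compares it with the input,
    so a forged or truncated xn-- string surfaces here as False rather than as garbage.
    """
    try:
        return to_alabels(to_ulabels(label)).lower() == label.lower()
    except UnicodeError:
        return False


if __name__ == "__main__":
    print(to_alabels("香港"))                 # xn--j6w193g
    print(to_ulabels("example.xn--j6w193g"))  # example.香港 (constructed second-level label)
    print(is_valid_alabel("xn--"))            # False: empty punycode payload
```

The round-trip check is the useful part for a defender: when a name that claims to be an IDN turns up in a log or certificate, run it through `is_valid_alabel` before displaying its Unicode form, and treat anything that fails as the raw xn-- string.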

Friday 18 February 2011

DNS EventID 5502

Ever seen EventID 5502 in the Windows DNS event log? Here is some investigation into it:

The DNS server received a bad TCP-based DNS message from 78.251.84.232. The packet was rejected or ignored. The event data contains the DNS packet.

0000: 49 54 4f 4e 20 53 69 73 ITON Sis
0008: 3a 70 6d 6e 20 53 49 50 :pmn SIP
0010: 2f 32 2e 30 0d 0a 56 69 /2.0..Vi
0018: 61 3a 20 53 49 50 2f 32 a: SIP/2
0020: 2e 30 2f 54 43 50 20 6e .0/TCP n
0028: 6d 3b 62 72 61 6e 63 68 m;branch
0030: 3d 66 6f 6f 0d 0a 46 72 =foo..Fr
0038: 6f 6d 3a 20 3c 73 69 70 om:
0048: 74 61 67 3d 72 6f 6f 74 tag=root
0050: 0d 0a 54 6f 3a 20 3c 73 ..To: ..C
0068: 6c 2d 49 44 3a 20 35 30 l-ID: 50
0070: 30 30 30 0d 0a 43 53 65 000..CSe
0078: 71 3a 20 34 32 20 4f 50 q: 42 OP

Which, read as a block, is:
ITON Sis:pmn SIP/2.0..Via: SIP/2.0/TCP n m;branch=foo..From: ;tag=root..To: ..Call-ID: 50000..CSeq: 42 OP

As far as I can make out, SIP is a VoIP (Voice over IP) signalling protocol, so someone has attempted a VoIP connection to the DNS port of the nameserver.

Another request was:

0000: 20 54 2f 6e 63 69 25 65 T/nci%e
0008: 30 32 6f 70 72 74 73 25 02oprts%
0010: 32 43 2f 54 72 69 25 36 2C/Tri%6
0018: 45 69 74 79 2e 74 78 74 Eity.txt
0020: 25 32 65 62 61 6b 20 48 %2ebak H
0028: 54 54 50 2f 31 2e 30 0d TTP/1.0.
0030: 0a 0d 0a 00 00 00 00 00 ........

Which reads as ...rts%2C/Tri%6Eity.txt%2ebak, i.e. ...rts,/Trinity.txt.bak

Quoting from http://www.uusikaupunki.fi/~bgt/blog/bgt_mindscape_0805.php:

GET /nice%20ports%2C/Tri%6Eity.txt%2ebak HTTP/1.0

[...] Trinity.txt.bak, which is a file name chosen as one that the software developers are sure enough can't be found on the server and so provides a 404 error message. Apparently this string in the logs suggests a probe by a piece of software called Nmap ...

Ironically enough, the character "Trinity" from The Matrix uses Nmap to hack into a power station (http://www.youtube.com/watch?v=0TJuipCrjZQ), and possibly my DNS server too! :)