Thursday 24 February 2011

xn--j6w193g The new Hong Kong IDN (香港)

The HKDNR is releasing the new Chinese IDN top level domain for Hong Kong (香港) on the 10 March, 2011.

The punycode version of this domain is xn--j6w193g with the following DNS infrastructure:

xn--j6w193g nameserver = NS2.CUHK.EDU.HK
xn--j6w193g nameserver = NS1.HKIRC.NET.HK
xn--j6w193g nameserver = ADNS1.BERKELEY.EDU
xn--j6w193g nameserver = HK-NS.PCH.NET
xn--j6w193g nameserver = SEC3.APNIC.NET
xn--j6w193g nameserver = NS3.CUHK.EDU.HK
xn--j6w193g nameserver = ADNS2.BERKELEY.EDU
xn--j6w193g nameserver = NS2.HKIRC.NET.HK
xn--j6w193g nameserver = B.DNS.TW

B.DNS.TW internet address = 210.201.138.58
B.DNS.TW AAAA IPv6 address = 2404:0:10a0::58
NS2.CUHK.EDU.HK internet address = 137.189.6.21
NS2.CUHK.EDU.HK AAAA IPv6 address = 2405:3000:3:60::21
NS3.CUHK.EDU.HK internet address = 202.45.188.39
SEC3.APNIC.NET internet address = 202.12.28.140
SEC3.APNIC.NET AAAA IPv6 address = 2001:dc0:1:0:4777::140
ADNS1.BERKELEY.EDU internet address = 128.32.136.3
ADNS2.BERKELEY.EDU internet address = 128.32.136.14
ADNS2.BERKELEY.EDU AAAA IPv6 address = 2607:f140:ffff:fffe::e
HK-NS.PCH.NET internet address = 204.61.216.46
HK-NS.PCH.NET AAAA IPv6 address = 2001:500:14:6046:ad::1

Friday 18 February 2011

DNS EventID 5502

Ever seen EventID 5502 in the windows DNS event log, here is some investigation into them:

The DNS server received a bad TCP-based DNS message from 78.251.84.232. The packet was rejected or ignored. The event data contains the DNS packet.

0000: 49 54 4f 4e 20 53 69 73 ITON Sis
0008: 3a 70 6d 6e 20 53 49 50 :pmn SIP
0010: 2f 32 2e 30 0d 0a 56 69 /2.0..Vi
0018: 61 3a 20 53 49 50 2f 32 a: SIP/2
0020: 2e 30 2f 54 43 50 20 6e .0/TCP n
0028: 6d 3b 62 72 61 6e 63 68 m;branch
0030: 3d 66 6f 6f 0d 0a 46 72 =foo..Fr
0038: 6f 6d 3a 20 3c 73 69 70 om:
0048: 74 61 67 3d 72 6f 6f 74 tag=root
0050: 0d 0a 54 6f 3a 20 3c 73 ..To: ..C
0068: 6c 2d 49 44 3a 20 35 30 l-ID: 50
0070: 30 30 30 0d 0a 43 53 65 000..CSe
0078: 71 3a 20 34 32 20 4f 50 q: 42 OP

Which, read as a block is:
ITON Sis:pmn SIP/2.0..Via: SIP/2.0/TCP n m;branch=foo..From: ;tag=root..To: ..Call-ID: 50000..CSeq: 42 OP

As far as I can make out that SIP is a VOIP system (Voice over IP), where someone has attempted to connect via VOIP to the DNS port of the nameserver.

Another request was;

0000: 20 54 2f 6e 63 69 25 65 T/nci%e
0008: 30 32 6f 70 72 74 73 25 02oprts%
0010: 32 43 2f 54 72 69 25 36 2C/Tri%6
0018: 45 69 74 79 2e 74 78 74 Eity.txt
0020: 25 32 65 62 61 6b 20 48 %2ebak H
0028: 54 54 50 2f 31 2e 30 0d TTP/1.0.
0030: 0a 0d 0a 00 00 00 00 00 ........

Which reads as €rts%2C/Tri%6Eity.txt%2ebak - €rts,/Trinity.txt.bak

As a quote from "http://www.uusikaupunki.fi/~bgt/blog/bgt_mindscape_0805.php"

GET /nice%20ports%2C/Tri%6Eity.txt%2ebak HTTP/1.0

[...] Trinity.txt.bak, which is a file name chosen as one that the software developers are sure enough that can't be found on server and does provide with a 404 error message. Apparently this string in the logs suggests a probe by a piece of software calles Nmap ...

Ironically enough, the character "Trinity" from the Matrix uses NMap to hack into
a powerstation "http://www.youtube.com/watch?v=0TJuipCrjZQ", and possibly my DNS server also! :)