The HKDNR is releasing the new Chinese IDN top-level domain for Hong Kong (香港) on 10 March 2011.
The punycode form of this domain is xn--j6w193g, with the following DNS infrastructure:
xn--j6w193g nameserver = NS2.CUHK.EDU.HK
xn--j6w193g nameserver = NS1.HKIRC.NET.HK
xn--j6w193g nameserver = ADNS1.BERKELEY.EDU
xn--j6w193g nameserver = HK-NS.PCH.NET
xn--j6w193g nameserver = SEC3.APNIC.NET
xn--j6w193g nameserver = NS3.CUHK.EDU.HK
xn--j6w193g nameserver = ADNS2.BERKELEY.EDU
xn--j6w193g nameserver = NS2.HKIRC.NET.HK
xn--j6w193g nameserver = B.DNS.TW
B.DNS.TW internet address = 210.201.138.58
B.DNS.TW AAAA IPv6 address = 2404:0:10a0::58
NS2.CUHK.EDU.HK internet address = 137.189.6.21
NS2.CUHK.EDU.HK AAAA IPv6 address = 2405:3000:3:60::21
NS3.CUHK.EDU.HK internet address = 202.45.188.39
SEC3.APNIC.NET internet address = 202.12.28.140
SEC3.APNIC.NET AAAA IPv6 address = 2001:dc0:1:0:4777::140
ADNS1.BERKELEY.EDU internet address = 128.32.136.3
ADNS2.BERKELEY.EDU internet address = 128.32.136.14
ADNS2.BERKELEY.EDU AAAA IPv6 address = 2607:f140:ffff:fffe::e
HK-NS.PCH.NET internet address = 204.61.216.46
HK-NS.PCH.NET AAAA IPv6 address = 2001:500:14:6046:ad::1
Thursday, 24 February 2011
Friday, 18 February 2011
DNS EventID 5502
Ever seen EventID 5502 in the Windows DNS event log? Here is some investigation into them:
The DNS server received a bad TCP-based DNS message from 78.251.84.232. The packet was rejected or ignored. The event data contains the DNS packet.
0000: 49 54 4f 4e 20 53 69 73 ITON Sis
0008: 3a 70 6d 6e 20 53 49 50 :pmn SIP
0010: 2f 32 2e 30 0d 0a 56 69 /2.0..Vi
0018: 61 3a 20 53 49 50 2f 32 a: SIP/2
0020: 2e 30 2f 54 43 50 20 6e .0/TCP n
0028: 6d 3b 62 72 61 6e 63 68 m;branch
0030: 3d 66 6f 6f 0d 0a 46 72 =foo..Fr
0038: 6f 6d 3a 20 3c 73 69 70 om:
0048: 74 61 67 3d 72 6f 6f 74 tag=root
0050: 0d 0a 54 6f 3a 20 3c 73 ..To: ..C
0068: 6c 2d 49 44 3a 20 35 30 l-ID: 50
0070: 30 30 30 0d 0a 43 53 65 000..CSe
0078: 71 3a 20 34 32 20 4f 50 q: 42 OP
Which, read as a block, is:
ITON Sis:pmn SIP/2.0..Via: SIP/2.0/TCP n m;branch=foo..From:;tag=root..To: ..Call-ID: 50000..CSeq: 42 OP
As far as I can make out, SIP is a VOIP system (Voice over IP), where someone has attempted to connect via VOIP to the DNS port of the nameserver.
Another request was:
0000: 20 54 2f 6e 63 69 25 65 T/nci%e
0008: 30 32 6f 70 72 74 73 25 02oprts%
0010: 32 43 2f 54 72 69 25 36 2C/Tri%6
0018: 45 69 74 79 2e 74 78 74 Eity.txt
0020: 25 32 65 62 61 6b 20 48 %2ebak H
0028: 54 54 50 2f 31 2e 30 0d TTP/1.0.
0030: 0a 0d 0a 00 00 00 00 00 ........
Which reads as ...rts%2C/Tri%6Eity.txt%2ebak, i.e. ...rts,/Trinity.txt.bak
Quoting from http://www.uusikaupunki.fi/~bgt/blog/bgt_mindscape_0805.php:
GET /nice%20ports%2C/Tri%6Eity.txt%2ebak HTTP/1.0
[...] Trinity.txt.bak, which is a file name chosen as one that the software developers are sure enough can't be found on the server and does provide a 404 error message. Apparently this string in the logs suggests a probe by a piece of software called Nmap ...
Ironically enough, the character "Trinity" from The Matrix uses Nmap to hack into a power station (http://www.youtube.com/watch?v=0TJuipCrjZQ), and possibly my DNS server also! :)