Unqualified Host is Resolving Publicly
I'm not sure what else to say other than I'm pretty sure this shouldn't happen. Looking at other providers this simple unqualified host name is not receiving a return record. Upon checking some secondary Profiles I've created, these DNS servers also do NOT return this record. For my one primary however, it looks as though this is returning some random EC2 host on AWS.
NextDNS Primary Profile
└─(21:56:51 on main ✭)──> dig @45.90.28.174 atlantis
; <<>> DiG 9.10.6 <<>> @45.90.28.174 atlantis
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18971
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;atlantis. IN A
;; ANSWER SECTION:
atlantis. 60 IN A 3.141.96.53
atlantis. 60 IN A 3.20.137.44
;; Query time: 53 msec
;; SERVER: 45.90.28.174#53(45.90.28.174)
;; WHEN: Sun Aug 27 21:57:01 EDT 2023
;; MSG SIZE rcvd: 69
└─(21:57:01 on main ✭)──> nslookup 3.141.96.53
Server: ******myInternalRouterIpRedacted******
Address: ******myInternalRouterIpRedacted******#53
Non-authoritative answer:
53.96.141.3.in-addr.arpa name = ec2-3-141-96-53.us-east-2.compute.amazonaws.com.
Authoritative answers can be found from:
Secondary NextDNS Profiles
└─(22:09:17 on main ✭)──> dig @45.90.28.161 atlantis
; <<>> DiG 9.10.6 <<>> @45.90.28.161 atlantis
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 7633
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;atlantis. IN A
;; AUTHORITY SECTION:
. 2993 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2023082701 1800 900 604800 86400
;; Query time: 56 msec
;; SERVER: 45.90.28.161#53(45.90.28.161)
;; WHEN: Sun Aug 27 22:09:33 EDT 2023
;; MSG SIZE rcvd: 112
└─(21:57:23 on main ✭)──> dig @45.90.28.239 atlantis
; <<>> DiG 9.10.6 <<>> @45.90.28.239 atlantis
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2324
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;atlantis. IN A
;; AUTHORITY SECTION:
. 3029 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2023082701 1800 900 604800 86400
;; Query time: 54 msec
;; SERVER: 45.90.28.239#53(45.90.28.239)
;; WHEN: Sun Aug 27 22:08:57 EDT 2023
;; MSG SIZE rcvd: 112
Other Public Providers
└─(21:56:18 on main ✭)──> dig @1.1.1.1 atlantis
; <<>> DiG 9.10.6 <<>> @1.1.1.1 atlantis
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 49468
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;atlantis. IN A
;; AUTHORITY SECTION:
. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2023082701 1800 900 604800 86400
;; Query time: 65 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Sun Aug 27 21:56:39 EDT 2023
;; MSG SIZE rcvd: 112
└─(21:56:39 on main ✭)──> dig @8.8.8.8 atlantis
; <<>> DiG 9.10.6 <<>> @8.8.8.8 atlantis
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 20265
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;atlantis. IN A
;; AUTHORITY SECTION:
. 86306 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2023082701 1800 900 604800 86400
;; Query time: 14 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Aug 27 21:56:51 EDT 2023
;; MSG SIZE rcvd: 112
5 replies
-
You probably have the web3 feature enabled.
-
I also see this as well but with `kubernetes.default` responding with this same IP address. It sounds like some form of Web3 DNS Hijacking.
Out of curiosity, what providers does NextDNS resolve to? Looking at like eth.dns or "unstoppable domains" none of these provide `.default` "tlds", or in OPs case `atlantis`.
So I guess, where NextDNS gets their root of trust for Web3 domains? I ended up needing to disable the feature because it looks like I was leaking traffic from my LAN to that domain (and others) all to the same AWS addresses:
- 3.20.137.44
- 3.141.96.53
Content aside
- 1 yr agoLast active
- 5Replies
- 115Views
-
4
Following