Unqualified Host is Resolving Publicly

Shawn_Mix
8 mths ago
5replies

I'm not sure what else to say other than I'm pretty sure this shouldn't happen. Looking at other providers this simple unqualified host name is not receiving a return record. Upon checking some secondary Profiles I've created, these DNS servers also do NOT return this record. For my one primary however, it looks as though this is returning some random EC2 host on AWS.

NextDNS Primary Profile

└─(21:56:51 on main ✭)──> dig @45.90.28.174 atlantis

; <<>> DiG 9.10.6 <<>> @45.90.28.174 atlantis
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18971
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;atlantis. IN A

;; ANSWER SECTION:
atlantis. 60 IN A 3.141.96.53
atlantis. 60 IN A 3.20.137.44

;; Query time: 53 msec
;; SERVER: 45.90.28.174#53(45.90.28.174)
;; WHEN: Sun Aug 27 21:57:01 EDT 2023
;; MSG SIZE rcvd: 69

└─(21:57:01 on main ✭)──> nslookup 3.141.96.53
Server: ******myInternalRouterIpRedacted******
Address: ******myInternalRouterIpRedacted******#53

Non-authoritative answer:
53.96.141.3.in-addr.arpa name = ec2-3-141-96-53.us-east-2.compute.amazonaws.com.

Authoritative answers can be found from:

Secondary NextDNS Profiles

└─(22:09:17 on main ✭)──> dig @45.90.28.161 atlantis

; <<>> DiG 9.10.6 <<>> @45.90.28.161 atlantis
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 7633
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;atlantis. IN A

;; AUTHORITY SECTION:
. 2993 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2023082701 1800 900 604800 86400

;; Query time: 56 msec
;; SERVER: 45.90.28.161#53(45.90.28.161)
;; WHEN: Sun Aug 27 22:09:33 EDT 2023
;; MSG SIZE rcvd: 112

└─(21:57:23 on main ✭)──> dig @45.90.28.239 atlantis

; <<>> DiG 9.10.6 <<>> @45.90.28.239 atlantis
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2324
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;atlantis. IN A

;; AUTHORITY SECTION:
. 3029 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2023082701 1800 900 604800 86400

;; Query time: 54 msec
;; SERVER: 45.90.28.239#53(45.90.28.239)
;; WHEN: Sun Aug 27 22:08:57 EDT 2023
;; MSG SIZE rcvd: 112

Other Public Providers

└─(21:56:18 on main ✭)──> dig @1.1.1.1 atlantis

; <<>> DiG 9.10.6 <<>> @1.1.1.1 atlantis
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 49468
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;atlantis. IN A

;; AUTHORITY SECTION:
. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2023082701 1800 900 604800 86400

;; Query time: 65 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Sun Aug 27 21:56:39 EDT 2023
;; MSG SIZE rcvd: 112

└─(21:56:39 on main ✭)──> dig @8.8.8.8 atlantis

; <<>> DiG 9.10.6 <<>> @8.8.8.8 atlantis
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 20265
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;atlantis. IN A

;; AUTHORITY SECTION:
. 86306 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2023082701 1800 900 604800 86400

;; Query time: 14 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Aug 27 21:56:51 EDT 2023
;; MSG SIZE rcvd: 112

- NextDNs
- 8 mths ago
- Reported - view
You probably have the web3 feature enabled.
- Shawn_Mix
  
  8 mths ago
  
  Reported - view
  Thank you! I do see that is enabled on at least one of my profiles. I'm not 100% in the know about everything web3 related, but I thought they still adhere to a basic premise of qualified domain name still requiring a format similar to `prefix.suffix` - this seems to be simply prefix(dot) only. While I'm not extensively doing anything in this realm, I hope this doesn't indicate I'll have issues once I do. Will also look at my router settings to restrict passing local hosts to upstream DNS for now as a solution.
- Peter.7
- 7 mths ago
- Reported - view
I also see this as well but with `kubernetes.default` responding with this same IP address. It sounds like some form of Web3 DNS Hijacking.

Out of curiosity, what providers does NextDNS resolve to? Looking at like eth.dns or "unstoppable domains" none of these provide `.default` "tlds", or in OPs case `atlantis`.

So I guess, where NextDNS gets their root of trust for Web3 domains? I ended up needing to disable the feature because it looks like I was leaking traffic from my LAN to that domain (and others) all to the same AWS addresses:

- 3.20.137.44

- 3.141.96.53
- Martheen
  
  7 mths ago
  
  Reported - view
  Peter Querying the NS records with NextDNS web3 enabled tells me atlantis, default, and random non-existent TLD are resolved by Namecheap NS. Namecheap is selling Handshake domain, and also promote NextDNS as one of the way to access Handshake, I'm guessing there's a deal there between NextDNS and Namecheap that non-ICANN domains that aren't claimed by other root are then forwarded to Namecheap which then resolve any TLD.
- Peter.7
  
  7 mths ago
  
  Reported - view
  I see, thank you! (I should have thought to do an NS lookup :P). It's interesting `atlantis` and `default` are root TLDs. It doesn't look like Namecheap outright sells / brokers TLDs but rather domains. It doesn't even seem like `default` is a valid TLD.

Content aside

7 mths agoLast active
5Replies
98Views
4 Following

Unqualified Host is Resolving Publicly

5 replies

Content aside

Home

Tags