plazmatron Posted July 25, 2012

So I was tinkering around with domain name lookups and such in preparation for an exam, and happened to do a whois on google.com. In the search results, I get things like this:

Server Name: GOOGLE.COM.ZZZZZZZZZZZZZZZZZZZZZZZZZZZ.LOVE.AND.TOLERANCE.THE-WONDERBOLTS.COM
IP Address: 50.62.130.9
Registrar: GODADDY.COM, LLC
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com

Server Name: GOOGLE.COM.ZZZZZZZZZZZZZZZZZZZZZZZZZZ.HAVENDATA.COM
IP Address: 50.23.75.44
Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Whois Server: whois.PublicDomainRegistry.com
Referral URL: http://www.PublicDomainRegistry.com

Server Name: GOOGLE.COM.ZZZZZZZZZZZZZ.GET.ONE.MILLION.DOLLARS.AT.WWW.UNIMUNDI.COM
IP Address: 209.126.190.70
Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Whois Server: whois.PublicDomainRegistry.com
Referral URL: http://www.PublicDomainRegistry.com

Server Name: GOOGLE.COM.ZZZZZ.GET.LAID.AT.WWW.SWINGINGCOMMUNITY.COM
IP Address: 69.41.185.195
Registrar: TUCOWS.COM CO.
Whois Server: whois.tucows.com
Referral URL: http://domainhelp.opensrs.net

Server Name: GOOGLE.COM.ZOMBIED.AND.HACKED.BY.WWW.WEB-HACK.COM
IP Address: 217.107.217.167
Registrar: DOMAINCONTEXT, INC.
Whois Server: whois.domaincontext.com
Referral URL: http://www.domaincontext.com

Server Name: GOOGLE.COM.PEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEENIS.COM
IP Address: 8.8.8.8
Registrar: DOMAIN.COM, LLC
Whois Server: whois.domain.com
Referral URL: http://www.domain.com

Server Name: GOOGLE.COM.PE
Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Whois Server: whois.PublicDomainRegistry.com
Referral URL: http://www.PublicDomainRegistry.com

Server Name: GOOGLE.COM.PAVLINOFF-55-11-44.COM
IP Address: 64.29.154.69
Registrar: HOSTOPIA.COM INC. D/B/A APLUS.NET
Whois Server: whois.names4ever.com
Referral URL: http://www.aplus.net

Server Name: GOOGLE.COM.MY
Registrar: WILD WEST DOMAINS, LLC
Whois Server: whois.wildwestdomains.com
Referral URL: http://www.wildwestdomains.com

Server Name: GOOGLE.COM.MX
Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Whois Server: whois.PublicDomainRegistry.com
Referral URL: http://www.PublicDomainRegistry.com

Server Name: GOOGLE.COM.LASERPIPE.COM
IP Address: 209.85.227.106
Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Whois Server: whois.PublicDomainRegistry.com
Referral URL: http://www.PublicDomainRegistry.com

Server Name: GOOGLE.COM.IS.NOT.HOSTED.BY.ACTIVEDOMAINDNS.NET
IP Address: 217.148.161.5
Registrar: ENOM, INC.
Whois Server: whois.enom.com
Referral URL: http://www.enom.com

Who is screwing with the whois records, and how is it done??
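The reply quoted above is easier to read once each record is labelled by how its name relates to the domain that was actually queried: every "Server Name:" entry is spelt GOOGLE.COM followed by further labels, so each one is a different fully qualified hostname, not google.com itself. The Python below is an added example (not code from the post) that parses whois output in that layout and applies exactly that check. The embedded sample text copies two records from the post and adds a constructed "Domain Name" record with a placeholder registrar so the parser has a domain record to recognise.

```python
"""Sort the records in a whois reply by how their names relate to the queried domain.

Added example (not from the original post). It parses whois output shaped like
the text quoted in the thread and reports, for each "Server Name:" entry,
whether it is the queried domain itself or a longer hostname that merely
begins with it.
"""
import re

# Constructed excerpt in the layout of the whois output quoted in the post.
# The first two records copy entries from the post; the "Domain Name" record
# at the end is a placeholder so the parser has a domain record to recognise.
SAMPLE_WHOIS = """\
   Server Name: GOOGLE.COM.ZZZZZZZZZZZZZZZZZZZZZZZZZZZ.LOVE.AND.TOLERANCE.THE-WONDERBOLTS.COM
   IP Address: 50.62.130.9
   Registrar: GODADDY.COM, LLC
   Whois Server: whois.godaddy.com
   Referral URL: http://registrar.godaddy.com

   Server Name: GOOGLE.COM.PE
   Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
   Whois Server: whois.PublicDomainRegistry.com
   Referral URL: http://www.PublicDomainRegistry.com

   Domain Name: GOOGLE.COM
   Registrar: EXAMPLE-REGISTRAR (placeholder)
   Whois Server: whois.example-registrar.invalid
"""

RECORD_START = ("Server Name", "Domain Name")
# "Key: value" lines; the key is letters/spaces only, so the ':' in a URL
# value is never mistaken for the key separator.
FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")


def parse_whois(text):
    """Return a list of dicts, one per record. A record begins at each
    'Server Name:' or 'Domain Name:' line; other fields attach to it."""
    records, current = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key in RECORD_START:
            current = {"kind": key, "name": value.upper()}
            records.append(current)
        elif current is not None:
            current[key] = value
    return records


def classify(records, queried):
    """Return (name, verdict, ip) per record, judged against the queried domain."""
    q = queried.strip(".").upper()
    out = []
    for rec in records:
        name = rec["name"]
        if rec["kind"] == "Domain Name":
            verdict = "domain record" if name == q else "other domain"
        elif name == q:
            verdict = "host record for the queried name itself"
        elif name.startswith(q + "."):
            # Same leading labels, but more labels follow: a different FQDN
            # whose name merely begins with the queried domain.
            verdict = "host record: different FQDN sharing the prefix"
        else:
            verdict = "host record: unrelated name"
        out.append((name, verdict, rec.get("IP Address")))
    return out


if __name__ == "__main__":
    for name, verdict, ip in classify(parse_whois(SAMPLE_WHOIS), "google.com"):
        print(f"{verdict:48} {name} {ip or ''}")
```

Run against a saved whois reply (`python3 classify_whois.py < reply.txt` after swapping `SAMPLE_WHOIS` for `sys.stdin.read()`), the script separates the single domain record for the name you asked about from host records that only share its leading labels.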
digip Posted July 25, 2012

Guess it depends on 1, what DNS servers your ISP uses and if you did the lookups locally, or 2, the remote site that does the lookups had its DNS cache poisoned, which, sadly to say, is still possible with nearly any site today.

http://whois.domaint....com/google.com shows the real deal, but at one time even they had shown messed-with data. It's a matter of how DNS works in general, and just about any site can fall victim to it. I believe DNSSEC is supposed to help prevent some of this from manipulating the IP addresses being pointed to rogue domains or IPs, but not sure how that affects actual WhoIS lookups.

The internet in general is full of holes. DNS is just one of them, where it's not a flaw so much as its default behavior and a feature; just like ARP poisoning and MITM attacks, the protocols work as designed, even if designed to allow attacks. To fix it would mean reinventing all of it from the ground up, so "fixes" or simple workarounds that don't break the current systems in place are set up, like DNSSEC for example. If it's a computer and wired to anything, it's more than likely vulnerable to something. That just goes with the territory.

Another thing you can do is nslookups from your local machine: see what the name resolves to for IP info, then do an nslookup on the IP, and make sure they match relatively to the same systems. In doing so, your system should also tell you the DNS servers you are using. I personally use OpenDNS, just because they tend to be a little bit more accurate and can also safeguard against some of these kinds of attacks, but it won't prevent your local system from being tampered with as to what DNS servers it's told to use.

Edited July 25, 2012 by digip
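The check digip describes, resolve the name, resolve each returned address back to a name, and see whether they agree, can be scripted rather than typed into nslookup by hand. The Python below is an added example, not digip's code: it performs forward-confirmed reverse DNS (a PTR name counts as confirmed only if it forward-resolves back to the same address) through injectable resolver functions, so it runs here against a constructed table of RFC 5737 documentation addresses, and it parses the `nameserver` lines out of resolv.conf-style text to show which resolvers a Unix-like host is configured to use. The path /etc/resolv.conf and the sample zone data are assumptions of this example.

```python
"""Forward/reverse DNS consistency check: resolve a name to its addresses,
look up each address's PTR name, and confirm the PTR name resolves back to
that same address (forward-confirmed reverse DNS).

Added example, not from the original post. The resolver functions are
injectable so the check can run against a constructed table offline; the
defaults use the standard socket module and whatever resolver the host uses.
"""
import socket


def resolve_a(name):
    """Default forward lookup: all IPv4 addresses for name (raises gaierror if none)."""
    infos = socket.getaddrinfo(name, None, socket.AF_INET)
    return sorted({info[4][0] for info in infos})


def resolve_ptr(ip):
    """Default reverse lookup: PTR names for ip (empty list if none)."""
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
    except socket.herror:
        return []
    return [host] + list(aliases)


def check_forward_reverse(name, forward=resolve_a, reverse=resolve_ptr):
    """For each address of name, report its PTR names and whether at least
    one PTR name forward-resolves back to that same address."""
    report = {}
    for ip in forward(name):
        ptrs = reverse(ip)
        confirmed = False
        for ptr in ptrs:
            try:
                back = forward(ptr)
            except socket.gaierror:  # PTR name that does not resolve at all
                back = []
            if ip in back:
                confirmed = True
                break
        report[ip] = {"ptr": ptrs, "confirmed": confirmed}
    return report


def parse_resolv_conf(text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


# Constructed sample zone data (RFC 5737 documentation addresses) standing in
# for live DNS so the example runs offline. 192.0.2.20 has a PTR record that
# does not point back to www.example.net, which is the case the check flags.
SAMPLE_A = {
    "www.example.net": ["192.0.2.10", "192.0.2.20"],
    "host1.example.net": ["192.0.2.10"],
    "mail.other.example": ["198.51.100.5"],
}
SAMPLE_PTR = {
    "192.0.2.10": ["host1.example.net"],
    "192.0.2.20": ["mail.other.example"],
}

if __name__ == "__main__":
    result = check_forward_reverse(
        "www.example.net",
        forward=lambda n: SAMPLE_A.get(n, []),
        reverse=lambda ip: SAMPLE_PTR.get(ip, []),
    )
    for ip, info in result.items():
        status = "ok" if info["confirmed"] else "MISMATCH"
        print(f"{ip:15} PTR={info['ptr']} {status}")
    # Show which resolvers this host is using (path assumed; skipped if absent).
    try:
        with open("/etc/resolv.conf") as fh:
            print("resolvers:", parse_resolv_conf(fh.read()))
    except OSError:
        pass
```

Calling `check_forward_reverse("some.host.example")` with the default resolvers runs the same check live through the resolver your system is configured with, which is the point of digip's suggestion: a mismatch between the forward and reverse views is a prompt to look at which DNS servers answered, not proof of tampering on its own.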
plazmatron Posted July 26, 2012

Thanks for that! I use Google's own DNS servers for name resolution, since my service provider started hijacking DNS and failing to resolve sites like hak5! I will check out OpenDNS, and probably query that in future..... :-D