
I've recently experienced an XML-RPC attack vs WordPress from a pair of machines for which dig -x returns a very very odd looking result:

;; ANSWER SECTION:
54.249.96.191.in-addr.arpa. 60  IN  PTR DEDICATED.SERVER.

I've never seen a TLD named DEDICATED before. I get the same result from my home machine and within amazon...

Gus

2 Answers


There is no actual requirement that PTR records return valid host names.

Unfortunately.


The typical approach to find the owner or ISP that manages an IP-address (range) is a WHOIS lookup.

In this case the 191.96.249/24 range is managed by a company called Dmzhost Limited with abuse AT DMZHOST.CO as their email contact.

HBruijn
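As an added illustration of the point above (example code written for this page, not from the thread or from either author): a script that parses the `dig -x` answer line quoted in the question, recovers the IP from the in-addr.arpa owner name, and checks whether the PTR target forward-resolves back to that IP (forward-confirmed reverse DNS), which is the test to apply before trusting a PTR name in logs or allow lists. The `forward_lookup` hook and the hostnames used in the offline demo are assumptions.

```python
"""Parse a `dig -x` PTR answer line and run a forward-confirmed reverse DNS check.
Added example; the PTR target (DEDICATED.SERVER.) is the one quoted in the question."""
import ipaddress
import socket
from typing import Callable, Iterable, Tuple

# Constructed sample: the ANSWER SECTION line from the question.
SAMPLE_ANSWER = "54.249.96.191.in-addr.arpa. 60  IN  PTR DEDICATED.SERVER."


def parse_ptr_answer(line: str) -> Tuple[str, str]:
    """Return (ip, ptr_target) from one 'owner TTL IN PTR target' dig answer line."""
    fields = line.split()
    if len(fields) != 5 or fields[2] != "IN" or fields[3] != "PTR":
        raise ValueError(f"not a PTR answer line: {line!r}")
    owner, target = fields[0].rstrip("."), fields[4].rstrip(".")
    suffix = ".in-addr.arpa"
    if not owner.endswith(suffix):
        raise ValueError("only IPv4 in-addr.arpa owner names are handled here")
    octets = owner[: -len(suffix)].split(".")
    if len(octets) != 4:
        raise ValueError("malformed in-addr.arpa owner name")
    # in-addr.arpa lists the octets in reverse order; undo that and validate.
    ip = ipaddress.ip_address(".".join(reversed(octets)))
    return str(ip), target


def default_forward_lookup(name: str) -> Iterable[str]:
    """Resolve a hostname to its A records; empty list if it does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:  # gaierror/herror: NXDOMAIN, bogus TLD, no resolver, ...
        return []


def fcrdns_verdict(ip: str, ptr_target: str,
                   forward_lookup: Callable[[str], Iterable[str]] = default_forward_lookup) -> str:
    """'confirmed' if the PTR target resolves back to ip, 'mismatch' if it resolves
    only to other addresses, 'unresolvable' if it has no A record at all."""
    addrs = list(forward_lookup(ptr_target))
    if not addrs:
        return "unresolvable"
    return "confirmed" if ip in addrs else "mismatch"


if __name__ == "__main__":
    ip, target = parse_ptr_answer(SAMPLE_ANSWER)
    print(ip, target, fcrdns_verdict(ip, target))
```

Anything other than "confirmed" means the PTR name is unverified and should be treated as untrusted text supplied by whoever controls the reverse zone.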

The guy who runs those servers (chris@dmzhost.co) is as dodgy as they come, and he allows his servers to be used for DDoS:

https://medium.com/@alek.boyd/plunging-into-a-ddos-hole-a-how-to-guide-b7565f814513#.s97ens0gl

    I realise your username is a fairly big clue, but you might want to make the fact you are the author of that post clearer (see e.g. https://serverfault.com/help/promotion) - and extend your answer a little to reflect the contents of both your medium post, and the post you made on your own blog. – iwaseatenbyagrue Mar 19 '17 at 10:01