It's Monday, 2005-03-07, and time to confront another DNS root server abuser.
The 64.124.43.0 subnet is #1 in the client subnet list for F-root's PAO1 instance. About half of its queries are classified as root-server.net queries, and the other half as "Other."
tcpdump:
21:50:46.381462 64.124.43.174.60201 > 192.5.5.241.53: 32381 A6? M.ROOT-SERVERS.NET. (36) (DF)
21:50:46.381738 64.124.43.174.60201 > 192.5.5.241.53: 8689 AAAA? M.ROOT-SERVERS.NET. (36) (DF)
21:50:46.382003 64.124.43.174.60201 > 192.5.5.241.53: 57393 A? M.ROOT-SERVERS.NET. (36) (DF)
21:50:46.382212 64.124.43.174.60201 > 192.5.5.241.53: 7454 A6? L.ROOT-SERVERS.NET. (36) (DF)
21:50:46.382462 64.124.43.174.60201 > 192.5.5.241.53: 50649 AAAA? L.ROOT-SERVERS.NET. (36) (DF)
21:50:46.382836 64.124.43.174.60201 > 192.5.5.241.53: 22887 A? L.ROOT-SERVERS.NET. (36) (DF)
21:50:46.383086 64.124.43.174.60201 > 192.5.5.241.53: 51870 A6? K.ROOT-SERVERS.NET. (36) (DF)
21:50:46.383336 64.124.43.174.60201 > 192.5.5.241.53: 20171 AAAA? K.ROOT-SERVERS.NET. (36) (DF)
21:50:46.383586 64.124.43.174.60201 > 192.5.5.241.53: 56246 A? K.ROOT-SERVERS.NET. (36) (DF)
21:50:46.383873 64.124.43.174.60201 > 192.5.5.241.53: 16339 A6? J.ROOT-SERVERS.NET. (36) (DF)
21:50:46.384101 64.124.43.174.60201 > 192.5.5.241.53: 29009 AAAA? J.ROOT-SERVERS.NET. (36) (DF)
21:50:46.384371 64.124.43.174.60201 > 192.5.5.241.53: 22179 A? J.ROOT-SERVERS.NET. (36) (DF)
21:50:46.384717 64.124.43.174.60201 > 192.5.5.241.53: 47357 A6? I.ROOT-SERVERS.NET. (36) (DF)
21:50:46.384960 64.124.43.174.60201 > 192.5.5.241.53: 35724 AAAA? I.ROOT-SERVERS.NET. (36) (DF)
21:50:46.385233 64.124.43.174.60201 > 192.5.5.241.53: 49742 A? I.ROOT-SERVERS.NET. (36) (DF)
21:50:46.385479 64.124.43.174.60201 > 192.5.5.241.53: 51389 A6? H.ROOT-SERVERS.NET. (36) (DF)
21:50:46.385719 64.124.43.174.60201 > 192.5.5.241.53: 31041 AAAA? H.ROOT-SERVERS.NET. (36) (DF)
21:50:46.386001 64.124.43.174.60201 > 192.5.5.241.53: 28242 A? H.ROOT-SERVERS.NET. (36) (DF)
21:50:46.386231 64.124.43.174.60201 > 192.5.5.241.53: 55560 A6? G.ROOT-SERVERS.NET. (36) (DF)
21:50:46.386586 64.124.43.174.60201 > 192.5.5.241.53: 48631 AAAA? G.ROOT-SERVERS.NET. (36) (DF)
21:50:46.386856 64.124.43.174.60201 > 192.5.5.241.53: 15939 A? G.ROOT-SERVERS.NET. (36) (DF)
21:50:46.387085 64.124.43.174.60201 > 192.5.5.241.53: 59251 A6? F.ROOT-SERVERS.NET. (36) (DF)
21:50:46.387336 64.124.43.174.60201 > 192.5.5.241.53: 30365 AAAA? F.ROOT-SERVERS.NET. (36) (DF)
21:50:46.387584 64.124.43.174.60201 > 192.5.5.241.53: 49837 A? F.ROOT-SERVERS.NET. (36) (DF)
21:50:46.387874 64.124.43.174.60201 > 192.5.5.241.53: 23024 A6? E.ROOT-SERVERS.NET. (36) (DF)
21:50:46.388212 64.124.43.174.60201 > 192.5.5.241.53: 42568 AAAA? E.ROOT-SERVERS.NET. (36) (DF)
21:50:46.388371 64.124.43.174.60201 > 192.5.5.241.53: 28350 A? E.ROOT-SERVERS.NET. (36) (DF)
21:50:46.388717 64.124.43.174.60201 > 192.5.5.241.53: 19371 A6? D.ROOT-SERVERS.NET. (36) (DF)
...
21:53:40.024650 64.124.43.173.35658 > 192.5.5.241.53: 31887 [1au] A6? pdns4.register.com. (47) (DF)
21:53:40.024841 64.124.43.173.35658 > 192.5.5.241.53: 23426 [1au] AAAA? pdns4.register.com. (47) (DF)
21:53:40.024880 64.124.43.173.35658 > 192.5.5.241.53: 50072 [1au] A? pdns4.register.com. (47) (DF)
21:53:40.024941 64.124.43.173.35658 > 192.5.5.241.53: 50777 [1au] A6? pdns3.register.com. (47) (DF)
21:53:40.025003 64.124.43.173.35658 > 192.5.5.241.53: 3691 [1au] AAAA? pdns3.register.com. (47) (DF)
21:53:40.025090 64.124.43.173.35658 > 192.5.5.241.53: 61737 [1au] A? pdns3.register.com. (47) (DF)
21:53:40.380565 64.124.43.174.60201 > 192.5.5.241.53: 29921 [1au] A6? pdns4.register.com. (47) (DF)
21:53:40.380776 64.124.43.174.60201 > 192.5.5.241.53: 47764 [1au] AAAA? pdns4.register.com. (47) (DF)
21:53:40.381006 64.124.43.174.60201 > 192.5.5.241.53: 31898 [1au] A? pdns4.register.com. (47) (DF)
21:53:40.381256 64.124.43.174.60201 > 192.5.5.241.53: 45035 [1au] A6? pdns3.register.com. (47) (DF)
21:53:40.381466 64.124.43.174.60201 > 192.5.5.241.53: 47048 [1au] AAAA? pdns3.register.com. (47) (DF)
21:53:40.381630 64.124.43.174.60201 > 192.5.5.241.53: 43905 [1au] A? pdns3.register.com. (47) (DF)
21:53:41.373299 64.124.43.174.60201 > 192.5.5.241.53: 59808 [1au] A6? pdns2.register.com. (47) (DF)
21:53:41.373549 64.124.43.174.60201 > 192.5.5.241.53: 5630 [1au] AAAA? pdns2.register.com. (47) (DF)
21:53:41.373799 64.124.43.174.60201 > 192.5.5.241.53: 40685 [1au] A? pdns2.register.com. (47) (DF)
21:53:41.374070 64.124.43.174.60201 > 192.5.5.241.53: 43936 [1au] A6? pdns1.register.com. (47) (DF)
21:53:41.374299 64.124.43.174.60201 > 192.5.5.241.53: 20212 [1au] AAAA? pdns1.register.com. (47) (DF)
21:53:41.374424 64.124.43.174.60201 > 192.5.5.241.53: 59230 [1au] A? pdns1.register.com. (47) (DF)
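The ranking and the root-server.net / "Other" split described above can be reproduced from a capture like this one. The following script is an added example written for this page, not the post's own tooling or F-root's. It parses the tcpdump query line format shown in the capture, ranks client /24 subnets by query count, splits one subnet's queries into the two buckets, and lists (source, qtype, qname) triples that repeat, which is the "same queries over and over" pattern the post asks register.com about. The sample lines are copied from the capture above, except two that are marked as constructed; the /24 grouping and the repeat threshold are assumptions.

```python
"""Rank DNS query sources in tcpdump output and flag repeated questions.

Added example for this page; assumes the 2005-era tcpdump DNS line format
seen in the capture ("src.port > dst.port: id [1au] TYPE? name. (len) (DF)").
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# One tcpdump DNS query line, e.g.
# 21:50:46.381462 64.124.43.174.60201 > 192.5.5.241.53: 32381 A6? M.ROOT-SERVERS.NET. (36) (DF)
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"(?P<qid>\d+)\s+(?:\[1au\]\s+)?(?P<qtype>[A-Z0-9]+)\?\s+(?P<qname>\S+)"
)

# Sample input: lines copied from the capture above, plus two constructed
# lines (marked) so that the ranking and the repeat detection have something
# to show. Lines that do not match LINE_RE (such as the comments) are skipped.
SAMPLE = """\
21:50:46.381462 64.124.43.174.60201 > 192.5.5.241.53: 32381 A6? M.ROOT-SERVERS.NET. (36) (DF)
21:50:46.381738 64.124.43.174.60201 > 192.5.5.241.53: 8689 AAAA? M.ROOT-SERVERS.NET. (36) (DF)
21:50:46.382003 64.124.43.174.60201 > 192.5.5.241.53: 57393 A? M.ROOT-SERVERS.NET. (36) (DF)
21:50:46.382212 64.124.43.174.60201 > 192.5.5.241.53: 7454 A6? L.ROOT-SERVERS.NET. (36) (DF)
21:53:40.024650 64.124.43.173.35658 > 192.5.5.241.53: 31887 [1au] A6? pdns4.register.com. (47) (DF)
21:53:40.024841 64.124.43.173.35658 > 192.5.5.241.53: 23426 [1au] AAAA? pdns4.register.com. (47) (DF)
21:53:40.380565 64.124.43.174.60201 > 192.5.5.241.53: 29921 [1au] A6? pdns4.register.com. (47) (DF)
21:53:40.380776 64.124.43.174.60201 > 192.5.5.241.53: 47764 [1au] AAAA? pdns4.register.com. (47) (DF)
# constructed: an unrelated client in documentation space, to rank below the register.com /24
21:53:42.000000 192.0.2.10.1053 > 192.5.5.241.53: 1 A? example.com. (29) (DF)
# constructed: the same host asking a question it already asked a few seconds earlier
21:53:46.380565 64.124.43.174.60201 > 192.5.5.241.53: 29922 [1au] A6? pdns4.register.com. (47) (DF)
"""


def parse_queries(text):
    """Return one dict per recognised query line; anything else is skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["qname"] = rec["qname"].lower().rstrip(".")  # normalise for counting
            records.append(rec)
    return records


def classify(qname):
    """The post's two buckets: the root server names themselves vs. everything else."""
    name = qname.lower().rstrip(".")
    return "root-servers.net" if name.endswith("root-servers.net") else "Other"


def client_subnets(records, prefixlen=24):
    """Query count per client subnet (assumed /24, like a client subnet list)."""
    counts = Counter()
    for r in records:
        counts[str(ip_network(f"{r['src']}/{prefixlen}", strict=False))] += 1
    return counts


def subnet_breakdown(records, subnet):
    """Bucket counts for the clients inside one subnet."""
    net = ip_network(subnet)
    counts = Counter()
    for r in records:
        if ip_address(r["src"]) in net:
            counts[classify(r["qname"])] += 1
    return counts


def repeated_questions(records, min_count=2):
    """(src, qtype, qname) triples seen at least min_count times, most frequent first."""
    counts = Counter((r["src"], r["qtype"], r["qname"]) for r in records)
    return sorted(((k, n) for k, n in counts.items() if n >= min_count), key=lambda kv: -kv[1])


def report(text):
    """Top subnets, the bucket split for the #1 subnet, and the repeated questions."""
    recs = parse_queries(text)
    ranked = client_subnets(recs)
    top = ranked.most_common(1)[0][0]
    return {"ranked": ranked, "top": top,
            "breakdown": subnet_breakdown(recs, top),
            "repeats": repeated_questions(recs)}


if __name__ == "__main__":
    r = report(SAMPLE)
    for net, n in r["ranked"].most_common():
        print(f"{net:20s} {n}")
    print("top subnet:", r["top"], dict(r["breakdown"]))
    for (src, qtype, qname), n in r["repeats"]:
        print(f"repeat x{n}: {src} {qtype}? {qname}")
```

On a real capture, feed `report()` the output of `tcpdump -n` restricted to port 53 and drop the SAMPLE block; the same source port reused across hundreds of questions, as in the capture above, is itself a useful fingerprint of one resolver process doing the work.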
register.com? We've seen them before. Let's check whois just to make sure:
> whois -a 64.124.43.173
Abovenet Communications, Inc ABOVENET (NET-64-124-0-0-1)
                                  64.124.0.0 - 64.125.255.255
REGISTER.COM MFN-B580-64-124-43-160-28 (NET-64-124-43-160-1)
                                  64.124.43.160 - 64.124.43.175

> whois -a NET-64-124-43-160-1
CustName:   REGISTER.COM
Address:    575 8'th Ave
City:       New York
StateProv:  NY
PostalCode: 10018
Country:    US
RegDate:    2003-01-27
Updated:    2003-01-27

NetRange:   64.124.43.160 - 64.124.43.175
CIDR:       64.124.43.160/28
NetName:    MFN-B580-64-124-43-160-28
NetHandle:  NET-64-124-43-160-1
Parent:     NET-64-124-0-0-1
NetType:    Reassigned
Comment:    Abuse issues should be sent to rgardos@register.com,rroberto@register.com
RegDate:    2003-01-27
Updated:    2003-01-27

TechHandle: NOC41-ORG-ARIN
TechName:   AboveNet NOC
TechPhone:  +1-877-479-7378
TechEmail:  noc@above.net

OrgAbuseHandle: ABOVE-ARIN
OrgAbuseName:   AboveNet Abuse
OrgAbusePhone:  +1-877-479-7378
OrgAbuseEmail:  abuse@above.net

OrgNOCHandle: NOC41-ORG-ARIN
OrgNOCName:   AboveNet NOC
OrgNOCPhone:  +1-877-479-7378
OrgNOCEmail:  noc@above.net

OrgTechHandle: ABOVE1-ARIN
OrgTechName:   AboveNet Engineering
OrgTechPhone:  +1-877-479-7378
OrgTechEmail:  arin@above.net
Most of the contacts for this netblock are @above.net, but there is a helpful comment about sending abuse issues to addresses @register.com. I sent them a message:
To: rgardos@register.com, rroberto@register.com
Subject: excessive DNS queries from 64.124.43.174
Message-ID: <20050307145137.A68614@life-gone-hazy.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

Hi Register.com

I do research on DNS root server traffic. Today one of your hosts, 64.124.43.174, is ranked #1 in queries sent to F-root. Can you tell me why it is sending these same queries over and over?

...
It didn't take long to get a reply:
This is the mail server at host mail89-ash-R.bigfish.com.

I wasn't able to deliver the message you sent to one or more destinations.

<rgardos@register.com>: host smtpa.register.com[216.21.229.220] said: 550 unknown user (in reply to RCPT TO command)

<rroberto@register.com>: host smtpa.register.com[216.21.229.220] said: 550 unknown user (in reply to RCPT TO command)
wow, shocking.
Let's see if we can find some other contact addresses.
> whois =register.com
   Domain Name: REGISTER.COM
   Registrar: REGISTER.COM, INC.
   Whois Server: whois.register.com
   Referral URL: http://www.register.com
   Name Server: DNS3.REGISTER.COM
   Name Server: DNS4.REGISTER.COM
   Name Server: DNS1.REGISTER.COM
   Name Server: DNS2.REGISTER.COM
   Status: REGISTRAR-LOCK
   Updated Date: 02-jul-2004
   Creation Date: 01-nov-1994
   Expiration Date: 04-aug-2009
Well, not much useful there. Maybe they have more info on their own whois server:
> whois -h whois.register.com register.com
Administrative Contact, Technical Contact, Zone Contact:
    Register.Com, Inc.
    Domain Registrar
    575 Eighth Avenue, 11th Floor
    New York, NY 10018
    US
    Phone: 212-798-9200
    Fax..: 212-629-9305
    Email: domainregistrar@register.com

Domain servers in listed order:
    DNS1.REGISTER.COM    216.21.234.71
    DNS2.REGISTER.COM    216.21.226.71
    DNS3.REGISTER.COM    216.21.234.72
    DNS4.REGISTER.COM    216.21.226.72
domainregistrar@register.com feels like it will reach the wrong people, if anyone. Let's look for ARIN contacts in their main DNS server address space:
> whois -a 216.21.234.71
TechHandle: CK296-ARIN
TechName:   Kleban, Chris
TechPhone:  +1-212-798-9100
TechEmail:  chris@register.com

OrgAbuseHandle: CUSTO-ARIN
OrgAbuseName:   Customer Service
OrgAbusePhone:  +1-800-899-9724
OrgAbuseEmail:  support@register.com

OrgNOCHandle: NOC207-ARIN
OrgNOCName:   Network Operations Center
OrgNOCPhone:  +1-902-749-2488
OrgNOCEmail:  ops@register.com

OrgTechHandle: NETWO55-ARIN
OrgTechName:   Network Engineering
OrgTechPhone:  +1-212-798-9100
OrgTechEmail:  neteng@register.com
ooh, these look more promising. However, chris@register.com also bounced, and I received no replies from their ops or neteng aliases. sigh.