I've just noticed some very strange and concerning results when I attempted to do an nslookup for one of my domain names from one of my hosted virtual servers.
The domain [mydomain].info is resolving as [mydomain].info.com.au and listing 4 IPs that I don't use.
This only happens on one server, and only for this domain and sub-domains (from the testing I've done).
Things I've tried...
1) "ipconfig /flushdns". No effect.
2) Checked hosts file. Nothing suspicious.
3) I've checked the registry for entries related to the DNSChanger virus, but I can't see anything suspicious.
4) Changed the DNS server for the connected interface. nslookup shows the new DNS server, but the results are the same.
5) Scanned the dnslookup.exe for viruses, but nothing appears. Also if I run a query using this executable from another computer, the results are correct.
I don't know if this means my server is actually compromised, or if possibly my hosting provider is doing something dodgy with outbound dns lookups.
The server is Windows Server 2012.
Other than this dns issue the server is working perfectly. I haven't observed any other strange behaviour.
If anyone has any suggestions they would be greatly appreciated. This is a live, production server, hosting a number of client websites, so this is stressing me out quite a bit.
Here is the output, as requested. My apologies, I would prefer to not show the actual domain name, as it is personally identifiable. However I have verified that the domain records are correct.
PS C:\scripts> nslookup [mydomain].info
Server: google-public-dns-a.google.com
Address: 8.8.8.8
Non-authoritative answer:
Name: [mydomain].info.com.au
Addresses: 52.3.124.67
52.201.189.141
54.85.85.70
52.5.111.221
PS C:\scripts>
After some more investigation, it appears it is not just my domain. It happens with any .info domain. I've included the nslookup results with debug turned on...
> somedomain123123.info
Server: google-public-dns-a.google.com
Address: 8.8.8.8
------------
Got answer:
HEADER:
opcode = QUERY, id = 74, rcode = NXDOMAIN
header flags: response, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0
QUESTIONS:
somedomain123123.info.hosting24.com.au, type = A, class = IN
AUTHORITY RECORDS:
-> hosting24.com.au
ttl = 1799 (29 mins 59 secs)
primary name server = ns1.web24.net.au
responsible mail addr = dns.web24.net.au
serial = 2016060205
refresh = 7200 (2 hours)
retry = 3600 (1 hour)
expire = 604800 (7 days)
default TTL = 3600 (1 hour)
------------
------------
Got answer:
HEADER:
opcode = QUERY, id = 75, rcode = NXDOMAIN
header flags: response, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0
QUESTIONS:
somedomain123123.info.hosting24.com.au, type = AAAA, class = IN
AUTHORITY RECORDS:
-> hosting24.com.au
ttl = 1799 (29 mins 59 secs)
primary name server = ns1.web24.net.au
responsible mail addr = dns.web24.net.au
serial = 2016060205
refresh = 7200 (2 hours)
retry = 3600 (1 hour)
expire = 604800 (7 days)
default TTL = 3600 (1 hour)
------------
------------
Got answer:
HEADER:
opcode = QUERY, id = 76, rcode = NOERROR
header flags: response, want recursion, recursion avail.
questions = 1, answers = 4, authority records = 0, additional = 0
QUESTIONS:
somedomain123123.info.com.au, type = A, class = IN
ANSWERS:
-> somedomain123123.info.com.au
internet address = 52.5.111.221
ttl = 59 (59 secs)
-> somedomain123123.info.com.au
internet address = 52.201.189.141
ttl = 59 (59 secs)
-> somedomain123123.info.com.au
internet address = 52.3.124.67
ttl = 59 (59 secs)
-> somedomain123123.info.com.au
internet address = 54.85.85.70
ttl = 59 (59 secs)
------------
Non-authoritative answer:
------------
Got answer:
HEADER:
opcode = QUERY, id = 77, rcode = NOERROR
header flags: response, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0
QUESTIONS:
somedomain123123.info.com.au, type = AAAA, class = IN
AUTHORITY RECORDS:
-> info.com.au
ttl = 899 (14 mins 59 secs)
primary name server = ns1.info.com.ru
responsible mail addr = hostmaster.info.com
serial = 2016052612
refresh = 7200 (2 hours)
retry = 900 (15 mins)
expire = 1209600 (14 days)
default TTL = 86400 (1 day)
------------
Name: somedomain123123.info.com.au
Addresses: 52.5.111.221
52.201.189.141
52.3.124.67
54.85.85.70
My hosting provider is web24.com.au, which is presumably where the hosting24.com.au comes from.
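The debug output above shows the resolver appending the host's primary DNS suffix (hosting24.com.au) and then its devolved parent (com.au) to the queried name, so any .info name ends up as a query under info.com.au. The following Python script is added here and is not part of the original post: it models that candidate sequence with constructed zone data (the wildcard record under info.com.au is an assumption drawn from the four identical answers for an arbitrary name) and shows why a fully qualified name with a trailing dot bypasses the suffix list entirely.

```python
"""Model of DNS suffix devolution as seen in the nslookup debug output.

Constructed example: the zone data is invented, the devolution rule is the
Windows one (strip leading labels from the primary suffix down to two), and
the candidate order follows the page's output (suffixed names first).
"""

# Constructed answers keyed by exact name; "*.zone" stands for a wildcard
# record one label below that zone (assumption for info.com.au).
ZONES = {
    "*.info.com.au": ["52.5.111.221", "52.201.189.141", "52.3.124.67", "54.85.85.70"],
    "somedomain123123.info": ["203.0.113.10"],  # placeholder; not on the page
}

def devolve(primary_suffix, min_labels=2):
    """hosting24.com.au -> [hosting24.com.au, com.au] (stop at two labels)."""
    labels = primary_suffix.rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - min_labels + 1)]

def candidates(name, primary_suffix, min_labels=2):
    """Names the stub resolver will try, in order."""
    if name.endswith("."):
        return [name.rstrip(".")]          # FQDN: no suffix is ever appended
    tries = [f"{name}.{s}" for s in devolve(primary_suffix, min_labels)]
    tries.append(name)                     # the literal name comes last
    return tries

def lookup(qname):
    """Return addresses for qname from the constructed zones, else None (NXDOMAIN)."""
    if qname in ZONES:
        return ZONES[qname]
    parent = qname.split(".", 1)[1] if "." in qname else ""
    return ZONES.get(f"*.{parent}")       # single-label wildcard match only

def resolve(name, primary_suffix):
    """First candidate that answers; flags when a suffixed name answered instead."""
    for q in candidates(name, primary_suffix):
        addrs = lookup(q)
        if addrs is not None:
            suffix_appended = q != name.rstrip(".")
            return q, addrs, suffix_appended
    return None, [], False

if __name__ == "__main__":
    for n in ("somedomain123123.info", "somedomain123123.info."):
        print(n, "->", resolve(n, "hosting24.com.au"))
```

A result with suffix_appended set to True is the symptom in the question: the answer belongs to a different name than the one typed, which is a wildcard in a parent zone of the search suffix rather than a compromised host.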
You make too many assumptions for the minimal amount of useful information. Show us the actual output of your DNS lookup and ideally your domain name so that we can verify it for you. – Julie Pelletier – 2016-06-02T05:34:40.640
Note that you should test the DNS resolution on a different connection and computer to double check the results you receive. – Julie Pelletier – 2016-06-02T05:35:57.133
And of course the actual domain name is secret so nobody else can test this for themselves. – user1686 – 2016-06-02T05:39:33.870
@JuliePelletier Yes I've done that. The domain records are all correct. – user1751825 – 2016-06-02T05:42:35.503
@grawity I'm certain the problem isn't with the domain records themselves. I've done the query from a number of other computers, and the results are all correct. – user1751825 – 2016-06-02T05:47:14.527
Then stop worrying about your domain and clients and clean your computer. – Julie Pelletier – 2016-06-02T05:49:40.257
Thanks @JuliePelletier It turns out the server is perfectly fine, so not in need of cleaning. – user1751825 – 2016-06-02T07:03:56.680
What if you do
nslookup mydomain.info.
with an extra dot at the end? – user253751 – 2016-06-02T07:10:49.980
@user20574 Adding the dot at the end makes it resolve properly. – user1751825 – 2016-06-02T09:57:15.383