
So I thought I understood DNS pretty well, but I'm stumped as to how someone could establish a subdomain on my domain that actually resolves.

A few key facts:

I run a personal site (call it myname.net) on a server at home. I use afraid.org as the dynamic DNS provider.

I got an email saying someone is running a phishing site, and it provided the URL (call it badguy.myname.net/stuff/).

When I type that URL into my browser, it actually resolves and displays a site impersonating a Chinese bank. However, it's not actually running on my server; the IP seems to be located in Hong Kong.

I checked out afraid.org and still only see two entries for my domain: www.myname.net and myname.net. I thought all DNS requests for my domain would resolve to my server, and then any subdomains would be worked out internally by me as the domain admin.

Can anyone shed some light on what I'm missing? I suspect I'm missing a DNS record or something, maybe *.myname.net as a catch-all to force all requests to me? Any input is appreciated.

Solved: this issue has been encountered by others: https://serverfault.com/questions/427262/phishing-site-uses-subdomain-that-i-never-registered

1 Answer

You (or more accurately, afraid.org) are the authoritative spot for your domain. So, yes, there should be nothing underneath you. If there is, then something is definitely afoot. We know it wasn't you, so that only leaves two possibilities:

1) Someone has managed to insert bad records into caches that point to that second domain, i.e. the records have been inserted in places outside afraid.org's control. This is typically non-trivial to do, especially to have them inserted in many places, but it is possible.

2) Someone has inserted the records inside the area that afraid.org is supposed to control. Just because the web interface is showing you only two records doesn't mean that afraid.org is showing you all the data. It could be that afraid.org themselves are some form of evil and doing it intentionally, or that someone has hacked your account or something else in afraid.org. It's nearly impossible to tell exactly what happened and you should really contact afraid.org and ask them what's going on.

From a figuring-it-out-yourself point of view, if you can get access to a Unix machine (or a Mac; pretty much anything but Windows), the following command will probably run in a terminal (you can get it to run on Windows too, but you'd have to install things):

# dig +trace badguy.myname.net

Without that output, it'd be hard to tell you exactly what's going on.

answered 2013-08-09T13:57:58.787
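The two possibilities in the answer can be told apart by asking each of the zone's authoritative nameservers directly, with recursion disabled so no cache can supply the answer (this is the last hop that `dig +trace` performs, done for the apex, the suspect name and a random label). The script below is an added example and is not code from the thread or from afraid.org; it assumes `dig` is installed and that `myname.net`, `badguy.myname.net` and the nameserver names are placeholders. The SAMPLE_* transcripts are constructed in dig's output layout using documentation IP ranges, not captured from any real server.

```python
#!/usr/bin/env python3
"""Added example, not code from the original thread.  It asks each authoritative
nameserver for the zone directly (dig @ns +norecurse, so no cache can answer)
and classifies what that server says about the suspect name.  Assumes `dig`
is installed; the SAMPLE_* transcripts are constructed with documentation IPs."""
import re
import secrets
import subprocess
from dataclasses import dataclass, field

@dataclass
class DigResult:
    status: str                                    # NOERROR, NXDOMAIN, ...
    answers: list = field(default_factory=list)    # (name, rrtype, rdata)
    authority: list = field(default_factory=list)  # same, AUTHORITY section

def parse_dig(output: str) -> DigResult:
    """Parse full (non +short) dig output into status and ANSWER/AUTHORITY records."""
    m = re.search(r"status: ([A-Z]+)", output)
    res, section = DigResult(m.group(1) if m else "UNKNOWN"), None
    for line in output.splitlines():
        if line.startswith(";; ") and line.endswith("SECTION:"):
            section = line[3:].split()[0]          # ANSWER, AUTHORITY, ...
        elif not line.strip() or line.startswith(";"):
            section = None                         # blank/comment ends a section
        elif section in ("ANSWER", "AUTHORITY"):
            name, _ttl, _cls, rrtype, *rdata = line.split()
            rec = (name.rstrip(".").lower(), rrtype, " ".join(rdata))
            (res.answers if section == "ANSWER" else res.authority).append(rec)
    return res

def rdata(res: DigResult) -> set:
    return {(t, r) for _, t, r in res.answers}

def classify(apex: DigResult, suspect: DigResult, probe: DigResult) -> str:
    """Verdict from one authoritative server (probe = query for a random label):
    NOT_IN_ZONE  the server has no such name, so the browser's answer came from elsewhere
    DELEGATED    the server refers the name to other nameservers (NS in AUTHORITY)
    SAME_HOST    suspect points where the apex points, i.e. at your own server
    WILDCARD     the random label gets the same answer, so a *.zone record exists
    FOREIGN_HOST an explicit record for the suspect pointing somewhere else"""
    if suspect.status == "NXDOMAIN":
        return "NOT_IN_ZONE"
    if not suspect.answers:
        return "DELEGATED" if any(t == "NS" for _, t, _ in suspect.authority) else "NOT_IN_ZONE"
    if rdata(suspect) <= rdata(apex):
        return "SAME_HOST"
    if probe.answers and rdata(probe) == rdata(suspect):
        return "WILDCARD"
    return "FOREIGN_HOST"

def dig(name: str, rrtype: str, server: str) -> str:
    """Ask one server directly; +norecurse lets it answer only from its own data."""
    cmd = ["dig", "+norecurse", f"@{server}", name, rrtype]
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout

def investigate(zone: str, suspect: str) -> dict:
    """Network version: {nameserver: verdict} for every NS the zone publishes."""
    ns_out = subprocess.run(["dig", "+short", zone, "NS"], capture_output=True,
                            text=True, check=False).stdout
    probe = f"{secrets.token_hex(6)}.{zone}"       # a label nobody configured
    return {ns: classify(parse_dig(dig(zone, "A", ns)),
                         parse_dig(dig(suspect, "A", ns)),
                         parse_dig(dig(probe, "A", ns))) for ns in ns_out.split()}

def _sample(qname: str, status: str, answer: str = "", authority: str = "") -> str:
    """Constructed dig transcript in the real tool's layout (not a real capture)."""
    body = f";; ->>HEADER<<- opcode: QUERY, status: {status}, id: 4242\n\n"
    body += f";; QUESTION SECTION:\n;{qname}.\t\tIN\tA\n\n"
    body += f";; ANSWER SECTION:\n{answer}\n\n" if answer else ""
    body += f";; AUTHORITY SECTION:\n{authority}\n\n" if authority else ""
    return body + ";; Query time: 3 msec\n"

SAMPLE_APEX = _sample("myname.net", "NOERROR", "myname.net.\t300\tIN\tA\t203.0.113.10")
SAMPLE_FOREIGN = _sample("badguy.myname.net", "NOERROR",
                         "badguy.myname.net.\t300\tIN\tA\t198.51.100.77")
SAMPLE_NX = _sample("a1b2c3d4e5f6.myname.net", "NXDOMAIN",
                    authority="myname.net.\t300\tIN\tSOA\tns1.example.net. root.example.net. 1 1 1 1 1")
SAMPLE_WILD = _sample("a1b2c3d4e5f6.myname.net", "NOERROR",
                      "a1b2c3d4e5f6.myname.net.\t300\tIN\tA\t198.51.100.77")
SAMPLE_DELEG = _sample("badguy.myname.net", "NOERROR",
                       authority="badguy.myname.net.\t300\tIN\tNS\tns1.example.org.")

def demo() -> dict:
    """Offline run over the constructed transcripts, one verdict per scenario."""
    apex, foreign, nx = parse_dig(SAMPLE_APEX), parse_dig(SAMPLE_FOREIGN), parse_dig(SAMPLE_NX)
    wild, deleg = parse_dig(SAMPLE_WILD), parse_dig(SAMPLE_DELEG)
    return {"explicit_record": classify(apex, foreign, nx),
            "wildcard": classify(apex, foreign, wild),
            "delegated": classify(apex, deleg, nx),
            "not_in_zone": classify(apex, nx, nx),
            "own_server": classify(apex, apex, nx)}

if __name__ == "__main__":
    print(demo())
    # With network and dig: print(investigate("myname.net", "badguy.myname.net"))
```

Reading the verdicts against the answer above: if every authoritative server returns NOT_IN_ZONE while the browser still resolves the name, the record is being served from outside the hosted zone (the answer's case 1, or a different resolver than the one the nameservers feed). FOREIGN_HOST or WILDCARD means the record really is in the zone the provider serves, whatever its web interface shows (case 2), and DELEGATED means the provider has handed that label off to someone else's nameservers. Querying every NS separately also catches the situation where only one secondary carries the extra record.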