Protecting end users starts with understanding their use and integration of services. For authoritative DNS, this includes human error when copying and pasting information between interfaces. After purchasing a new domain, such as “containercult.com,” the end user configures authoritative nameservers. Delegation is a “set it and forget it” operation; it is often made outside of scope of continuous integration pipelines and automated deployment systems. To quantify this risk and reconcile it with reality, we started to look at the existence of nameserver record typos in the .COM zone file.
There are typos in nameserver records for a number of authoritative DNS providers made across a number of zones, making it clear that end users make delegation typos. The existence of the typo is one thing, it’s another when the typo has been registered and another provider is serving responses. One of the typos of interest was dynect.ne, which was registered some time in February of 2016. At that time, it was delegated to a pair of authoritative nameservers operated by myhostadmin.net, a name related to a Chinese hosting provider. Sometime around January 2017, the authoritative nameservers changed over to Yandex, the Russian internet services provider, and the domain began resolving to 18.104.22.168. Using the IP address 22.214.171.124 as a pivot point, we were able to identify thousands of domain names, all of which shared the IP.
After verifying that the domain name had been registered, we wanted to understand how it was being used. One way to do this is to review passive DNS, a collection of timestamped observations of a domain name and its value at that given point in time. The initial results were troubling, passive DNS showed that in January of 2017 typos of a number of business critical domains were resolving to IP space ( 126.96.36.199 ) of a VPS provider, FDCservers.net. The typo domains being resolved included our authoritative nameservers, for example: ns1.p06.dynect.ne and domains used as part of our email platform, additionally, link.email.dynect.ne. There were a number of observations of these resolutions in the passive DNS results, which seemed to indicate that someone or something was requesting resolution of these typos consistently.
Things looked suspicious. The domain dynect.ne was resolving to one provider and business critical sub-domains were resolving to another. This initiated some active examination of the infrastructure supporting the domain. The first set of testing showed that the owner of the domain had configured a wildcard to match any requested subdomain of dynect.ne. A wildcard will return the same resource records for any permutation that matches *.dynect.ne, making any and all subdomains valid requests. An end user requesting email.dynect.ne will get the same response as someone requesting this-is-a-wildcard.dynect.ne. Finding the wildcard helped clarify why we were seeing so many resolutions in passive DNS. Whenever an end user requested a domain with a nameserver delegation typo, the nameserver would return the wildcard for what was requested, generating observations of the typo with its business critical subdomain.
If you visit dynect.ne with a web browser, you will see the webpage above served from 188.8.131.52, an IP owned by Team Internet AG. Their website, TeamInternet.com, explains that they are “a leading provider of services in the direct navigation search market.” The Team Internet entity is tied to an advertising marketplace, Tonic, and domain monetization business, ParkingCrew. After reading through the details of the various business functions on ParkingCrew.com and Tonic.com, it appeared that the nameserver typo domains were being used in a way which matched the “Domain Traffic” ad type. Explained on the Tonic page (https://tonic.com/adtypes) as:
“Domain traffic is also referred to as zero-click traffic, redirect traffic or direct navigation traffic. It all means the same: A user types in a domain name that is parked with a domain parking company like ParkingCrew.com and instead of PPC ads (usually from Google or Yahoo) the user gets instantly redirectet [sic] to the advertiser landing page. You can see an example of this by typing bodybuilding.info in your browser bar. You will get redirected to one of our advertisers, who is interested in bodybuilding traffic. This adtype brings the best conversions for advertisers.”
Our next step was to reach out to the operators of .NE, the ccTLD of Niger, to get details on their domain usage policies. One issue that came up immediately was trying to contact the ccTLD, as http://www.intnet.ne/ was returning a PHP version page and http://www.nic.ne/ didn’t resolve correctly. The next stop was to go to IANA and look at the WhoIS contacts. This provided two contacts with @sonitel.ne email addresses. We drafted up some details about the number of authoritative nameserver typos involved and sent over a note. Then a few days later:
Final-Recipient: rfc822; @sonitel.ne
Diagnostic-Code: smtp; The recipient server did not accept our requests to connect. [intranet.sonitel.ne. 184.108.40.206: timed out]
Meanwhile, since March 11, 2017, subdomains have started to resolve to an IP belonging to Intergenia (220.127.116.11), a different infrastructure provider, part of Host Europe since acquisition in December of 2014. Thanks to some help from the tightly knit DNS Operator & ICANN community, we were able to find updated contact information for the .NE ccTLD. It appears they switched namespace and now operate using email addresses in the nigertelecoms.ne rather than sonitel.ne. We are currently waiting to hear back from them to see if .ne is willing to follow the ICANN Uniform Domain-Name Dispute-Resolution Policy (UDRP).
Domain traffic monetization has been a staple internet ad business for years. Those who have been in the DNS/internet operator game for a while will most likely remember in August of 2006 when Cameroon (.cm) wildcarded their ccTLD for advertizing purposes. There are a couple lessons to be learned from this exercise. When configuring authoritative nameservers, always check twice for typos. When researching use of domain names with passive DNS, it’s important to keep things in context. When you’re done reading maybe go take a look at Oman (.om) and Ethiopia (.et) to make sure your bases are covered.
About the Author
Chris is a Principal Data Analyst Dyn, a cloud-based Internet Performance company that helps companies monitor, control, and optimize online infrastructure for an exceptional end-user experience. Follow Dyn on Twitter: @Dyn.More Content by Chris Baker