On 6/3/09, Emanuele Balla skull@spin.it wrote:
Any idea about why this happens only with older rbldnsd versions?
They may produce slightly different results by default. For example, future versions of rbldnsd may have long answers turned off by default. Or it may not be an issue.
I'd expect this to happen based only on geographic location of the SURBL mirror (does the query pass through the great firewall or not?), not on the software version...
Couldn't it be that "they" just "improved" the DNS hijacking stuff in order to have replies to subdomain queries (flickr.com.multi.surbl.org) managed the same way as 2nd level queries (flickr.com), in order to, say, block mirrors and proxies too, so we're observing this issue just now?
The paper talks about DNS modification based on substring matching. That was in 2007. Not sure why it would start applying now. Could be proxies, or maybe someone is trying to bypass China's DNS firewall by offering a DNS service like:
twitter.com.bypassthegreatwall.com
which resolves to the real IP for twitter.com
Jeff C.
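One defender-side sanity check that follows from the thread: a genuine rbldnsd answer for a SURBL lookup is always an address in 127.0.0.0/8, so any other address in the answer set is a sign that something between the client and the mirror rewrote the reply. The example below is added here and is not code from the thread, SURBL or rbldnsd; the query names and answers are constructed samples.

```python
import ipaddress

# Constructed sample: answer sets a stub resolver might return for
# SURBL lookups. Real RBL listings are encoded as 127.0.0.x addresses;
# a public address in the answer means the reply was not produced by
# the list's rbldnsd instance (e.g. it was rewritten in transit).
SAMPLE_ANSWERS = {
    "flickr.com.multi.surbl.org": ["203.0.113.17"],          # constructed: rewritten reply
    "notlisted.example.multi.surbl.org": [],                 # NXDOMAIN: not listed
    "listed.example.multi.surbl.org": ["127.0.0.8"],         # constructed: genuine listing
    "mixed.example.multi.surbl.org": ["127.0.0.2", "198.51.100.5"],  # partly rewritten
}

RBL_NET = ipaddress.ip_network("127.0.0.0/8")


def classify_rbl_answer(answers):
    """Classify one RBL answer set.

    Returns 'not_listed' for an empty answer, 'listed' when every address
    is a loopback-range listing code, and 'suspect' when any address lies
    outside 127.0.0.0/8 (an RBL never legitimately returns a routable IP).
    """
    if not answers:
        return "not_listed"
    addrs = [ipaddress.ip_address(a) for a in answers]
    if all(a in RBL_NET for a in addrs):
        return "listed"
    return "suspect"


def find_suspect_queries(results):
    """Return the query names whose answers look rewritten, sorted."""
    return sorted(q for q, a in results.items()
                  if classify_rbl_answer(a) == "suspect")


if __name__ == "__main__":
    for qname, answers in SAMPLE_ANSWERS.items():
        print(f"{qname}: {classify_rbl_answer(answers)}")
    print("suspect:", find_suspect_queries(SAMPLE_ANSWERS))
```

A mail filter that treats a "suspect" answer as "listed" would block legitimate mail whenever the resolver path is being tampered with, so such answers are better logged and treated as "not listed" until the resolver path is verified.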