On 3-06-2009 10:46, SURBL Role wrote:
David Funk posted a message about a stale configuration causing bogus responses. On the surface, that may explain the behavior. However, it does not explain the malformed packets. We could theorize that the incorrect results are due to some corruption (broken nameserver, etc.). Based on other rough tests I conducted, I don't think so.
The specific IPs being returned correspond exactly to the paper:
flickr.com.multi.surbl.org has address 202.106.1.2
flickr.com.multi.surbl.org has address 209.145.54.50
Which suggests deliberate DNS distortion, as opposed to a misconfiguration.
rbldnsd version 0.996a should be fine.
Any idea about why this happens only with older rbldnsd versions?
I'd expect this to happen based only on geographic location of the SURBL mirror (does the query pass through the great firewall or not?), not on the software version...
Couldn't it be that "they" just "improved" the DNS hijacking stuff so that replies to subdomain queries (flickr.com.multi.surbl.org) are handled the same way as 2nd-level queries (flickr.com), in order to, say, block mirrors and proxies too, so we're only observing this issue now?
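A small way to check for this kind of distortion from a client, as an added example that is not part of the thread and not SURBL or rbldnsd code: parse a raw DNS A-record response and classify the answer. The assumptions are that a legitimate multi.surbl.org answer always falls in 127.0.0.0/8 (SURBL's documented return-code convention, with the list bitmask in the last octet), and that the two addresses quoted above are the injected set; the packets below are constructed inline so the check runs offline, and the name/function names are this example's own.

```python
import ipaddress
import struct

# The addresses reported in the thread for flickr.com.multi.surbl.org.
# Assumed here to be the hijacked/injected set (taken from the thread, not from SURBL).
KNOWN_INJECTED = {"202.106.1.2", "209.145.54.50"}

# A genuine multi.surbl.org listing is returned as 127.0.0.x (bitmask in the last octet).
LEGIT_NET = ipaddress.ip_network("127.0.0.0/8")


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_a_response(qname, addrs, txid=0x1234, ttl=60):
    """Construct a minimal DNS A response (test input only, not a captured packet)."""
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # type A, class IN
    answers = b""
    for a in addrs:
        # 0xC00C is a compression pointer back to the question name at offset 12.
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(a).packed
    return hdr + question + answers


def read_name(pkt, off):
    """Read a possibly-compressed name; return (name, offset after the name)."""
    labels, jumped, end, hops = [], False, None, 0
    while True:
        if off >= len(pkt):
            raise ValueError("truncated name")
        length = pkt[off]
        if length & 0xC0 == 0xC0:  # compression pointer
            if off + 1 >= len(pkt):
                raise ValueError("truncated pointer")
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("pointer loop")
            off = ptr
            continue
        if length == 0:
            off += 1
            break
        if length > 63 or off + 1 + length > len(pkt):
            raise ValueError("bad or truncated label")
        labels.append(pkt[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), (end if jumped else off)


def parse_a_response(pkt):
    """Return (qname, [A-record addresses]); raise ValueError on a malformed packet."""
    if len(pkt) < 12:
        raise ValueError("short header")
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    if qd != 1:
        raise ValueError("unexpected question count")
    qname, off = read_name(pkt, 12)
    if off + 4 > len(pkt):
        raise ValueError("truncated question")
    off += 4  # qtype + qclass
    addrs = []
    for _ in range(an):
        _owner, off = read_name(pkt, off)
        if off + 10 > len(pkt):
            raise ValueError("truncated RR header")
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if off + rdlen > len(pkt):
            raise ValueError("truncated rdata")
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(str(ipaddress.IPv4Address(pkt[off:off + 4])))
        off += rdlen
    return qname, addrs


def classify(addrs):
    """Label a SURBL answer: not listed, listed (127/8), injected, or unexpected."""
    if not addrs:
        return "not listed"
    if any(a in KNOWN_INJECTED for a in addrs):
        return "injected"
    if all(ipaddress.ip_address(a) in LEGIT_NET for a in addrs):
        return "listed"
    return "unexpected"


def check_response(pkt):
    """Parse and classify; a packet that fails to parse is reported as malformed."""
    try:
        _qname, addrs = parse_a_response(pkt)
    except ValueError:
        return "malformed"
    return classify(addrs)


if __name__ == "__main__":
    hijacked = build_a_response("flickr.com.multi.surbl.org", ["202.106.1.2", "209.145.54.50"])
    genuine = build_a_response("example.invalid.multi.surbl.org", ["127.0.0.2"])
    print(check_response(hijacked), check_response(genuine), check_response(hijacked[:20]))
```

Run against real traffic, the same classifier would be fed the raw bytes of a UDP reply to the SURBL mirror; any answer outside 127.0.0.0/8 for a multi.surbl.org name is a sign of a distorted path rather than a stale zone, and a parse failure records the malformed-packet case separately instead of silently treating it as "not listed".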