Mail Server / Mail Systems / Mail Technology Forum (BBS) Archiver

tonecho posted on 2005-12-22 17:39

Microsoft's DNS records seem to be wrong. Could it have been hacked???

Here is what happened:
With netstat I kept seeing connections to port 80 of a61-200-81-150.deploy.akamaitechnologies.com. Active Ports showed the connection was initiated by the msnmsgr.exe process. At first I thought MSN Messenger had been infected by a virus, so I scanned with the latest Norton Antivirus and found nothing. I downloaded MSN Messenger again from Microsoft's website and reinstalled it, and the connection to a61-200-81-150.deploy.akamaitechnologies.com still appeared.
The IP address of a61-200-81-150.deploy.akamaitechnologies.com is 61.200.81.150.
According to APNIC this address is in Japan.
inetnum: 61.200.0.0 - 61.215.255.255
netname: JPNIC-NET-JP
descr: Japan Network Information Center
country: JP

Our company runs its own DNS server, which resolves our own domain and uses forwarders for everything it cannot resolve. The forwarders are these four DNS server addresses:
202.112.80.106 (Beijing Normal University DNS server)
202.106.0.20 (Beijing Netcom DNS server)
202.106.196.115 (Beijing Netcom DNS server)
202.96.199.133 (a DNS server in Beijing; I am not sure who runs it)

To continue:
I figured that since it wants to connect to 61.200.81.150, I would block that whole /24 (class C) on the firewall. After doing so, I found that search.microsoft.com could no longer be reached. Querying the A record for search.microsoft.com with nslookup gave this:
Non-authoritative answer:
Name:       a134.g.akamai.net
Addresses:  61.200.81.150, 61.200.81.142
Aliases:    search.microsoft.com, search.microsoft.akadns.net
            search.msn.com.edgesuite.net
<br>
I had already established that these addresses are not Microsoft's, so I began to suspect that our company's DNS had been tampered with. I checked it and found nothing wrong.
I then ran the same query against each of the four forwarder addresses configured on our DNS server and got the following:
> search.microsoft.com
Server:  ns.bnu.edu.cn
Address:  202.112.80.106

Non-authoritative answer:
Name:       a134.g.akamai.net
Addresses:  61.200.81.150, 61.200.81.142
Aliases:    search.microsoft.com, search.microsoft.akadns.net
            search.msn.com.edgesuite.net

---------------------------------------
> search.microsoft.com
Server:  ns4.bta.net.cn
Address:  202.106.0.20

DNS request timed out.
    timeout was 2 seconds.
Non-authoritative answer:
Name:       a134.g.akamai.net
Addresses:  220.90.198.8, 220.90.198.9, 220.90.198.18, 220.90.198.19
            220.90.198.27, 220.90.198.34, 220.90.198.35, 220.90.198.41
Aliases:    search.microsoft.com, search.microsoft.akadns.net
            search.msn.com.edgesuite.net

---------------------------------------

> search.microsoft.com
Server:  linedns.bta.net.cn
Address:  202.106.196.115

DNS request timed out.
    timeout was 2 seconds.
Non-authoritative answer:
Name:       a134.g.akamai.net
Addresses:  63.214.191.232, 63.214.191.230
Aliases:    search.microsoft.com, search.microsoft.akadns.net
            search.msn.com.edgesuite.net

---------------------------------------

> search.microsoft.com
Server:  [202.96.199.133]
Address:  202.96.199.133

Non-authoritative answer:
Name:       a134.g.akamai.net
Addresses:  202.232.140.21, 202.232.140.12
Aliases:    search.microsoft.com, search.microsoft.akadns.net
            search.msn.com.edgesuite.net
<br>
The 61.200 range is confirmed not to belong to Microsoft; it points to Japan.

Below are the WHOIS results for the IP addresses returned by the other three DNS servers:
inetnum: 61.200.0.0 - 61.215.255.255
netname: JPNIC-NET-JP
descr: Japan Network Information Center
country: JP

---------------------------------------

Level 3 Communications, Inc. LEVEL4-CIDR (NET-63-208-0-0-1)
63.208.0.0 - 63.215.255.255
Akamai Customer Care LVLT-ACC-221-63-214-191-224 (NET-63-214-191-224-1)
63.214.191.224 - 63.214.191.255

# ARIN WHOIS database, last updated 2005-12-21 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

---------------------------------------

inetnum: 202.232.0.0 - 202.235.255.255
netname: JPNIC-NET-JP
descr: Japan Network Information Center
country: JP
<br>
From the above, search.microsoft.com has very probably been pointed at the wrong addresses. One website cannot be spread across that many network ranges.
Meanwhile, a lookup of www.microsoft.com at a foreign site, www.dnsstuff.com, returns addresses in the 207 range, and those IP addresses take me straight to Microsoft's home page. The IP addresses returned for search.microsoft.com, on the other hand, cannot reach the search.microsoft.com home page, and that page definitely exists; I visit it often.

What do you all think is causing this???
Attachments:
1. The following is the address of www.microsoft.com as looked up on www.dnsstuff.com.
DNS Lookup: www.microsoft.com ALL record
Generated by www.DNSstuff.com
How I am searching:
Searching for www.microsoft.com ALL record at i.root-servers.net [192.36.148.17]: Got referral to B.GTLD-SERVERS.NET. [took 120 ms]
Searching for www.microsoft.com ALL record at B.GTLD-SERVERS.NET. [192.33.14.30]: Got referral to ns3.msft.net. [took 220 ms]
Searching for www.microsoft.com ALL record at ns3.msft.net. [213.199.144.151]: Got CNAME of toggle.www.ms.akadns.net. and referral to m.root-servers.net [took 135 ms]
Searching for toggle.www.ms.akadns.net ALL record at m.root-servers.net [202.12.27.33]: Got referral to B.GTLD-SERVERS.net. [took 199 ms]
Searching for toggle.www.ms.akadns.net ALL record at B.GTLD-SERVERS.net. [192.33.14.30]: Got referral to asia4.akadns.net. [took 225 ms]
Searching for toggle.www.ms.akadns.net ALL record at asia4.akadns.net. [61.213.147.96]: Got CNAME of g.www.ms.akadns.net. and referral to c.root-servers.net [took 233 ms]
Searching for g.www.ms.akadns.net ALL record at c.root-servers.net [192.33.4.12]: Got referral to L.GTLD-SERVERS.net. [took 17 ms]
Searching for g.www.ms.akadns.net ALL record at L.GTLD-SERVERS.net. [192.41.162.30]: Got referral to asia9.akadns.net. [took 18 ms]
Searching for g.www.ms.akadns.net ALL record at asia9.akadns.net. [220.73.220.4]: Got CNAME of lb1.www.ms.akadns.net. and referral to j.root-servers.net [took 228 ms]
Searching for lb1.www.ms.akadns.net ALL record at j.root-servers.net [192.58.128.30]: Got referral to D.GTLD-SERVERS.net. [took 119 ms]
Searching for lb1.www.ms.akadns.net ALL record at D.GTLD-SERVERS.net. [192.31.80.30]: Got referral to use9.akadns.net. [took 37 ms]
Searching for lb1.www.ms.akadns.net ALL record at use9.akadns.net. [81.52.250.134]: Reports lb1.www.ms.akadns.net. [took 15 ms]

Answer:

Domain                   Type  Class  TTL  Answer
lb1.www.ms.akadns.net.   A     IN     300  207.46.199.30
lb1.www.ms.akadns.net.   A     IN     300  207.46.18.30
lb1.www.ms.akadns.net.   A     IN     300  207.46.198.60
lb1.www.ms.akadns.net.   A     IN     300  207.46.19.30
lb1.www.ms.akadns.net.   A     IN     300  207.46.20.60
lb1.www.ms.akadns.net.   A     IN     300  207.46.19.60
lb1.www.ms.akadns.net.   A     IN     300  207.46.198.30
lb1.www.ms.akadns.net.   A     IN     300  207.46.20.30
<br>
NOTE: One or more CNAMEs were encountered. www.microsoft.com is really lb1.www.ms.akadns.net. [www.microsoft.com->toggle.www.ms.akadns.net->g.www.ms.akadns.net->lb1.www.ms.akadns.net]
<br>
<br>
<br>
Note that these results are obtained in real-time, meaning that these are not cached results.
These results are what DNS resolvers all over the world will see right now (unless they have cached information).
<br>
<br>
<br>
2. Below is the ARIN result for the Microsoft IP address obtained from www.dnsstuff.com.

OrgName: Microsoft Corp
OrgID: MSFT
Address: One Microsoft Way
City: Redmond
StateProv: WA
PostalCode: 98052
Country: US

NetRange: 207.46.0.0 - 207.46.255.255
CIDR: 207.46.0.0/16
NetName: MICROSOFT-GLOBAL-NET
NetHandle: NET-207-46-0-0-1
Parent: NET-207-0-0-0-0
NetType: Direct Assignment
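The four nslookup runs in the post are the right check, and it helps to do the comparison mechanically rather than by eye. The Python below is an added example, not code from the post or from any tool named in it: it parses nslookup transcripts of the shape pasted above (transcribed here from the post's own figures), reports whether every forwarder returns the same canonical name, and maps each returned address onto the WHOIS netblocks the poster looked up (also transcribed from the post; nobody looked up 220.90.198.x, so it is reported as unknown rather than guessed). The function names and the netblock table are the example's own. One caveat the output makes visible: all four forwarders agree that search.microsoft.com is an alias for a134.g.akamai.net, a name under Akamai's domain, while the address sets are disjoint. Akamai's authoritative servers answer with edge servers chosen for the resolver that asks, so a different address set per forwarder is expected for a name served through Akamai, and the Level 3 block in the post is itself labelled Akamai Customer Care. A hijack at a forwarder would instead show up as a different canonical name, or as addresses that an independent walk from the root to the authoritative servers (the traversal DNSstuff printed for www.microsoft.com is exactly that) does not return.

```python
"""Added example (not from the post): compare the answers several recursive
resolvers give for one name, parsed from nslookup transcripts, and map each
address onto the WHOIS netblocks the poster looked up. Data is transcribed from the post."""
import ipaddress
import re

IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}")

# (first address, last address, netname) exactly as the posted WHOIS output gives them.
NETBLOCKS = [
    ("61.200.0.0", "61.215.255.255", "JPNIC-NET-JP"),
    ("63.214.191.224", "63.214.191.255", "LVLT-ACC-221-63-214-191-224 (Akamai Customer Care)"),
    ("202.232.0.0", "202.235.255.255", "JPNIC-NET-JP"),
    ("207.46.0.0", "207.46.255.255", "MICROSOFT-GLOBAL-NET"),
]

# The four forwarder answers from the post, constructed from its figures.
TRANSCRIPTS = [
    """Server: ns.bnu.edu.cn
Address: 202.112.80.106
Non-authoritative answer:
Name: a134.g.akamai.net
Addresses: 61.200.81.150, 61.200.81.142
Aliases: search.microsoft.com, search.microsoft.akadns.net
          search.msn.com.edgesuite.net""",
    """Server: ns4.bta.net.cn
Address: 202.106.0.20
Non-authoritative answer:
Name: a134.g.akamai.net
Addresses: 220.90.198.8, 220.90.198.9, 220.90.198.18, 220.90.198.19
          220.90.198.27, 220.90.198.34, 220.90.198.35, 220.90.198.41
Aliases: search.microsoft.com, search.microsoft.akadns.net
          search.msn.com.edgesuite.net""",
    """Server: linedns.bta.net.cn
Address: 202.106.196.115
Non-authoritative answer:
Name: a134.g.akamai.net
Addresses: 63.214.191.232, 63.214.191.230
Aliases: search.microsoft.com, search.microsoft.akadns.net
          search.msn.com.edgesuite.net""",
    """Server: [202.96.199.133]
Address: 202.96.199.133
Non-authoritative answer:
Name: a134.g.akamai.net
Addresses: 202.232.140.21, 202.232.140.12
Aliases: search.microsoft.com, search.microsoft.akadns.net
          search.msn.com.edgesuite.net""",
]


def _csv(s):
    return [v.strip() for v in s.split(",") if v.strip()]


def parse_nslookup(text):
    """Parse one Windows nslookup transcript: resolver, canonical name, addresses, aliases."""
    ans = {"server": None, "name": None, "addresses": [], "aliases": []}
    section = None  # stays None until Name: is seen, so the resolver's own Address: is skipped
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Server:"):
            ans["server"] = line.split(":", 1)[1].strip().strip("[]")
        elif line.startswith("Name:"):
            ans["name"] = line.split(":", 1)[1].strip()
            section = "answer"
        elif line.startswith(("Address:", "Addresses:")) and section:
            ans["addresses"] += _csv(line.split(":", 1)[1])  # A records of the answer name
            section = "addresses"
        elif line.startswith("Aliases:"):
            ans["aliases"] += _csv(line.split(":", 1)[1])
            section = "aliases"
        elif section == "addresses" and IP_RE.match(line):
            ans["addresses"] += _csv(line)  # nslookup wraps long address lists
        elif section == "aliases" and "." in line:
            ans["aliases"] += _csv(line)  # and long alias lists
    return ans


def whois_netname(ip):
    """Map ip onto the netblocks the poster looked up; flag it if none were posted for it."""
    addr = ipaddress.ip_address(ip)
    for lo, hi, name in NETBLOCKS:
        if ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi):
            return name
    return "not in posted WHOIS data"


def compare_resolvers(transcripts):
    """Do the resolvers agree on the canonical name? Which addresses, in which netblocks?"""
    answers = [parse_nslookup(t) for t in transcripts]
    names = {a["name"] for a in answers if a["name"]}
    sets = [set(a["addresses"]) for a in answers if a["addresses"]]
    return {
        "same_canonical_name": len(names) == 1,
        "canonical_names": sorted(names),
        "addresses_by_server": {a["server"]: sorted(a["addresses"]) for a in answers},
        "shared_addresses": sorted(set.intersection(*sets)) if sets else [],
        "netblocks": {ip: whois_netname(ip) for s in sets for ip in sorted(s)},
    }
```

Running `compare_resolvers(TRANSCRIPTS)` on the posted data gives one canonical name, four pairwise disjoint address sets, and netblock labels of JPNIC, Akamai Customer Care (Level 3) and unknown; to reuse it, paste fresh `nslookup` output for each forwarder into TRANSCRIPTS and extend NETBLOCKS with the WHOIS ranges you look up.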

钉子 posted on 2005-12-22 23:41

re: I remember some trojan-like programs modify the HOST...

I remember that some trojan-like programs modify the HOSTS file; you should check it.
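The HOSTS check suggested in the reply is quick to script, and scripting it means the same check can be run on every machine that showed the connection. The Python below is an added example and is not from the reply: it parses a hosts file (on Windows the file lives at %SystemRoot%\System32\drivers\etc\hosts) and flags any mapping that pins a watched public name, or any non-stock name, to a fixed address, so a single pinned line cannot hide among the stock localhost entries. SAMPLE_HOSTS is a constructed file whose last line shows what a pinned entry for the name in question would look like; the watched-domain list and the function names are the example's own.

```python
"""Added example (not from the reply): find hosts-file lines that override public names."""
import ipaddress

# Windows: %SystemRoot%\System32\drivers\etc\hosts   Unix: /etc/hosts
# Names a stock hosts file maps to loopback; such lines are not findings.
STOCK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
# Domains from the thread; any hosts entry under them deserves a look (list is an assumption).
WATCHED_SUFFIXES = ("microsoft.com", "msn.com", "akadns.net", "akamai.net")

# Constructed sample; the last line is what a pinned entry for the poster's name would look like.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.10.5    mail.example.internal     # internal server, pinned on purpose
61.200.81.150   search.microsoft.com      # constructed: a public name pinned to one address
"""


def parse_hosts(text):
    """Return (line_no, ip, hostname) for every mapping; comments and malformed lines are skipped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address; resolvers ignore such lines too
        entries.extend((n, str(ip), host.lower()) for host in fields[1:])
    return entries


def _watched(host):
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def suspicious_entries(text):
    """Flag mappings that pin a watched public name or a non-stock name to an address."""
    findings = []
    for n, ip, host in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if host in STOCK_NAMES and (addr.is_loopback or addr.is_link_local):
            continue  # stock localhost lines
        if _watched(host):
            reason = "watched public domain pinned in hosts"
        elif not addr.is_loopback:
            reason = "name pinned to a fixed address; confirm it is intentional"
        else:
            reason = "non-stock name mapped to loopback (this blocks the name)"
        findings.append({"line": n, "ip": ip, "host": host, "reason": reason})
    return findings
```

On a live machine, read the real file and pass its text to `suspicious_entries`; an internal server pinned on purpose will be listed with the "confirm it is intentional" reason, so the list is for review, not for automatic deletion.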
