Re: [public-dns-discuss] Windows Update poisoned?

2,377 views

Skip to first unread message

Yunhong Gu

unread,

Jul 24, 2012, 12:11:10 PM7/24/12

to public-dn...@googlegroups.com

There are four authorative name servers for "download.windowsupdate.com";

nsatc.net. 172800 IN NS us-ga-1.ns.nsatc.net.

nsatc.net. 172800 IN NS a.ns.nsatc.net.

nsatc.net. 172800 IN NS c.ns.nsatc.net.

nsatc.net. 172800 IN NS us-va-2.ns.nsatc.net.

They are probably doing load balancing by returning different results on nsatc.net and footprint.net. The results are random (see below) and both should be valid. It is possible that there is connectivity issue between your machines and the footprint download server.

dig +norec download.windowsupdate.nsatc.net @us-va-2.ns.nsatc.net

; <<>> DiG 9.7.0-P1 <<>> +norec download.windowsupdate.nsatc.net @us-va-2.ns.nsatc.net

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40286

;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:

;download.windowsupdate.nsatc.net. IN A

;; ANSWER SECTION:

download.windowsupdate.nsatc.net. 600 IN CNAME download.windowsupdate.com.fp.nsatc.net.

download.windowsupdate.com.fp.nsatc.net. 3600 IN CNAME download.windowsupdate.com.c.footprint.net.

;; AUTHORITY SECTION:

nsatc.net. 172800 IN NS us-ga-1.ns.nsatc.net.

nsatc.net. 172800 IN NS a.ns.nsatc.net.

nsatc.net. 172800 IN NS c.ns.nsatc.net.

nsatc.net. 172800 IN NS us-va-2.ns.nsatc.net.

;; ADDITIONAL SECTION:

us-ga-1.ns.nsatc.net. 172800 IN A 204.160.105.51

a.ns.nsatc.net. 172800 IN A 199.93.44.45

c.ns.nsatc.net. 172800 IN A 4.23.51.51

us-va-2.ns.nsatc.net. 172800 IN A 4.23.46.45

;; Query time: 7 msec

;; SERVER: 4.23.46.45#53(4.23.46.45)

;; WHEN: Tue Jul 24 12:04:01 2012

;; MSG SIZE rcvd: 290

dig +norec download.windowsupdate.nsatc.net @c.ns.nsatc.net.

; <<>> DiG 9.7.0-P1 <<>> +norec download.windowsupdate.nsatc.net @c.ns.nsatc.net.

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5585

;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:

;download.windowsupdate.nsatc.net. IN A

;; ANSWER SECTION:

download.windowsupdate.nsatc.net. 600 IN CNAME main.dl.wu.akadns.net.

;; AUTHORITY SECTION:

nsatc.net. 172800 IN NS us-ga-1.ns.nsatc.net.

nsatc.net. 172800 IN NS a.ns.nsatc.net.

nsatc.net. 172800 IN NS c.ns.nsatc.net.

nsatc.net. 172800 IN NS us-va-2.ns.nsatc.net.

;; ADDITIONAL SECTION:

us-ga-1.ns.nsatc.net. 172800 IN A 204.160.105.51

a.ns.nsatc.net. 172800 IN A 199.93.44.45

c.ns.nsatc.net. 172800 IN A 4.23.51.51

us-va-2.ns.nsatc.net. 172800 IN A 4.23.46.45

;; Query time: 1 msec

;; SERVER: 4.23.51.51#53(4.23.51.51)

;; WHEN: Tue Jul 24 12:02:26 2012

;; MSG SIZE rcvd: 225

On Tue, Jul 24, 2012 at 10:55 AM, <lsilv...@chargeanywhere.com> wrote:

We were using Google DNS server 8.8.8.8 until early today. We noticed Windows Updates was throwing Error Code 8024402C. Changing our DNS forwarding to go to 4.2.2.2 fixed our issue.

Virus/Malware scan came back clean on servers/machines. I did a nslookup for windowsupdate.microsoft.com and download.windowsupdate.com to 8.8.8.8 and 4.2.2.2, here is the result:

C:\Users\xxxxx>nslookup windowsupdate.microsoft.com 8.8.8.8
Server: google-public-dns-a.google.com

Address: 8.8.8.8

Non-authoritative answer:
Name: www.update.microsoft.com.nsatc.net
Address: 65.54.51.180

Aliases: windowsupdate.microsoft.com
windowsupdate.microsoft.nsatc.net

C:\Users\xxxxx>nslookup windowsupdate.microsoft.com 4.2.2.2
Server: b.resolvers.Level3.net

Address: 4.2.2.2

Non-authoritative answer:
Name: www.update.microsoft.com.nsatc.net
Address: 65.55.184.152

Aliases: windowsupdate.microsoft.com
windowsupdate.microsoft.nsatc.net

C:\Users\xxxxx>nslookup download.windowsupdate.com 8.8.8.8
Server: google-public-dns-a.google.com

Address: 8.8.8.8

Non-authoritative answer:
Name: download.windowsupdate.com.c.footprint.net

Addresses: 4.27.12.253
4.27.10.125
8.26.207.126
Aliases: download.windowsupdate.com
download.windowsupdate.nsatc.net

download.windowsupdate.com.fp.nsatc.net

C:\Users\xxxxx>nslookup download.windowsupdate.com 4.2.2.2

Server: b.resolvers.Level3.net
Address: 4.2.2.2

DNS request timed out.
timeout was 2 seconds.
*** Request to b.resolvers.Level3.net timed-out

C:\Users\xxxxx>nslookup download.windowsupdate.com 4.2.2.2
Server: b.resolvers.Level3.net

Address: 4.2.2.2

Non-authoritative answer:
DNS request timed out.
timeout was 2 seconds.
Name: download.windowsupdate.com.c.footprint.net

Addresses: 8.12.215.253
192.221.114.126
209.84.14.126
Aliases: download.windowsupdate.com

download.windowsupdate.nsatc.net
download.windowsupdate.com.fp.nsatc.net

I know that Microsoft uses a bunch of load balancing services so seeing domains like nsatc.net and footprint.net is normal, but the IP's are obviously different. Maybe Google DNS was poisoned?

Thanks

--
========================================================
You received this message because you are subscribed to the Google
Groups "public-dns-discuss" group.
To post to this group, send email to public-dn...@googlegroups.com
To unsubscribe from this group, send email to
public-dns-disc...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/public-dns-discuss?hl=en
For more information on Google Public DNS, please visit
http://code.google.com/speed/public-dns
========================================================

Reply all

Reply to author

Forward

0 new messages