LinuxQuestions.org - Linux - Security
Thread: Two server same DNS but different results (https://www.linuxquestions.org/questions/linux-security-4/two-server-same-dns-but-different-results-4175504891/)

ilnli 05-13-2014 05:19 PM

Two servers, same DNS but different results
 
Hi,

I have 2 servers, one of them seems hacked, which I noticed when I query the same DNS server and get different responses. They both have the same /etc/resolve files and query the same server; could someone please help me find out which files affect DNS? Why am I getting different results on two servers when I query the same DNS server of my ISP? I've restarted the nscd daemon but still I'm getting the same thing.

Thanks in advance.

unSpawn 05-13-2014 05:29 PM

Quote:

Originally Posted by ilnli (Post 5170283)
I have 2 servers, one of them seems hacked, which I noticed when I query the same DNS server and get different responses. They both have the same /etc/resolve files and query the same server; could someone please help me find out which files affect DNS? Why am I getting different results on two servers when I query the same DNS server of my ISP? I've restarted the nscd daemon but still I'm getting the same thing.

If a server is perceived compromised then you investigate the whole of the server (with the intent of verifying its integrity), not one single aspect like domain name resolution (with the intent of "fixing" things). Do you know where to start or do you need help with that?

ilnli 05-13-2014 05:51 PM

Hi unSpawn,

Thanks for your response.

So I've checked all the log files, and cannot find any traces.

Basically, on this server, if I query the MX record manually, I get these answers:

Code:

nslookup -query=mx  smtp.ultrahosting.com
Server:        69.10.224.41
Address:        69.10.224.41#53

Non-authoritative answer:
*** Can't find smtp.ultrahosting.com: No answer

Authoritative answers can be found from:
ultrahosting.com
        origin = ns10.onx.com
        mail addr = aspdnstech.onx.com
        serial = 2014041700
        refresh = 10800
        retry = 3600
        expire = 604800
        minimum = 3600

and if I use sendmail to query the MX, then I get a response:

Code:

# /usr/lib/sendmail -bt -v
ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
Enter <ruleset> <address>
> /mx smtp.ultrahosting.com
getmxrr(smtp.ultrahosting.com) returns 1 value(s):
        mx.b-io.co.

I've checked the /etc/resolv file and that has the DNS IPs of my ISP, and also the hosts file, which seems intact. I cannot understand how sendmail can manage to resolve the MX IP while nslookup can't.

To track it further down, I used tcpdump, and it seems like when sendmail queries, it does send packets to the DNS server and does get a response.

Code:

# tcpdump  -r myfile | grep  'b-io'
reading from file myfile, link-type EN10MB (Ethernet)
22:31:47.267545 IP dns1.ultrahosting.com.domain > myserver.46673:  53517 1/4/4 MX mx.b-io.co. 10 (270) <======= Response

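Added example (not code from this thread, from nslookup or from sendmail): a small Python script that sends a raw MX query straight to each resolver address you give it and reports whether the answers agree. Because it builds and parses the DNS packets itself, it shows exactly what each resolver put on the wire, with no local cache (nscd), hosts file, nsswitch or resolv.conf search-domain handling in between; that is the layer to compare first when two hosts with the same resolver configuration disagree. The sample reply inside is constructed for the offline test, the resolver addresses in the usage line are placeholders, and the compression-pointer hop limit is a defensive choice of this example.

```python
"""Compare the MX answer several resolvers give for one name by speaking raw DNS
over UDP, so the comparison bypasses nsswitch, nscd and /etc/hosts entirely."""
import socket
import struct
import sys

QTYPE_MX, QCLASS_IN = 15, 1


def build_mx_query(name, txid=0x1234):
    """Encode a single-question MX query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", QTYPE_MX, QCLASS_IN)


def read_name(msg, off, max_hops=16):
    """Decode a possibly compressed name at msg[off]; return (name, offset after it).
    max_hops bounds pointer chasing so a malformed reply cannot loop forever."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer into an earlier part of the message
            if end is None:
                end = off + 2
            hops += 1
            if hops > max_hops:
                raise ValueError("compression pointer loop")
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_mx_response(msg):
    """Return (rcode, tuple of (preference, exchange)) from a raw DNS reply.
    An empty tuple with rcode 0 is the 'No answer' case nslookup reports."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4
    records = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_MX:
            pref = struct.unpack("!H", msg[off:off + 2])[0]
            exchange, _ = read_name(msg, off + 2)
            records.append((pref, exchange))
        off += rdlen
    return flags & 0xF, tuple(sorted(records))


def query_mx(name, server, port=53, timeout=3.0):
    """Send the query directly to `server` and parse what comes back."""
    query = build_mx_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, port))
        reply, _ = sock.recvfrom(4096)
    if reply[:2] != query[:2]:
        raise ValueError("reply transaction id does not match the query")
    return parse_mx_response(reply)


def answers_agree(results):
    """True when every resolver returned the same rcode and the same MX set."""
    return len(set(results.values())) == 1


def build_sample_response(txid=0x1234, with_answer=True):
    """Constructed sample reply (not captured from the thread's servers): an answer
    to an MX query for example.com, optionally carrying one MX record that points
    at mail.example.com via a compression pointer back to the question name."""
    an = 1 if with_answer else 0
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, an, 0, 0)  # QR, RD and RA bits set
    msg += b"\x07example\x03com\x00" + struct.pack("!HH", QTYPE_MX, QCLASS_IN)
    if with_answer:
        rdata = struct.pack("!H", 10) + b"\x04mail\xc0\x0c"  # pref 10, "mail" + pointer to offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_MX, QCLASS_IN, 3600, len(rdata)) + rdata
    return msg


if __name__ == "__main__":
    # usage: python mxcompare.py smtp.example.net 192.0.2.53 192.0.2.54  (placeholder addresses)
    target, servers = sys.argv[1], sys.argv[2:]
    results = {srv: query_mx(target, srv) for srv in servers}
    for srv, (rcode, mx) in results.items():
        print(f"{srv}: rcode={rcode} mx={list(mx)}")
    print("resolvers agree" if answers_agree(results) else "resolvers DISAGREE")
```

Run it from both hosts against the same resolver address. If the wire answers match but the tools on the two hosts still differ, the difference is in local resolution (resolv.conf search and domain options, nsswitch order, nscd, the hosts file, or a modified resolver library or binary), and a packet capture like the tcpdump above, compared side by side from both hosts, is the next thing to line up; if the wire answers themselves differ, the resolver the host actually talks to is not the one it is supposed to, which is worth checking before anything else.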

unSpawn 05-13-2014 06:22 PM

The MX for domain "ultrahosting.com" is listed not as "smtp.ultrahosting.com" but as "smtp.onx.com".
However Google DNS and ROBTEX both resolve (and back) "smtp.ultrahosting.com" to IPv4 66.240.144.254.
See if you can use that if you have added that mapping to your /etc/hosts file?

unSpawn 05-13-2014 06:27 PM

*I notice you have posted https://www.linuxquestions.org/quest...5/#post5170309 so apparently you know full well your provider doesn't have an MX record for its own advertised email relay server. We don't need duplicate questions, so please don't post duplicate threads.
