Full Disclosure mailing list archives

Verisign abusing .COM/.NET - nothing new..


From: Roelof Temmingh <roelof () sensepost com>
Date: Wed, 17 Sep 2003 14:48:04 +0200 (SAST)

Hi all,

Abusing a TLD is nothing new...it's just recently that Verisign has done
it with .com and .net. There are many other TLDs that are "sucked up".
Sub TLDs also get sucked in...I am not listing them all here. Hereby some
of the TLD A record suckers:

.cc  206.253.214.101
.sh  194.205.62.62
.cx  219.88.106.80
.td  146.101.245.154
.tm  194.205.62.42
.tv  65.201.175.144
.mp  202.128.12.163
.ws  216.35.187.246
.ph  203.119.4.6
.io  194.205.62.107

and now:

.com  64.94.110.11
.net  64.94.110.11

Also - the list changes every day - don't ever hard code any of this -
rather look at the attached PERL script to do it in real time.

Furthermore - many TLDs' MX records also get sucked in.

Attached is a PERL module that we have been using for a while within our
BigRed Security Assessment Console that will expand any number of
domains to all their TLDs. For instance, after running the PERL script on
sensepost.com it returns sensepost.co.za, sensepost.com and
sensepost.co.uk. It weeds out all the other A and MX "suckers". It works
99% - every now and again one or two template domains slip in (especially
where dynamic DNS is used, or entries are changed rapidly).

The PERL script works as a stand-alone script - you don't need to purchase
the BigRed framework to use it. Tested on FreeBSD - it calls nslookup
externally - so maybe just look at the call itself if you are not getting
joy. Also - please set the nameserver. The default one in there should
work fine but could be a bit slow.

Enjoy,
Roelof.

=====================
Roelof Temmingh
roelof () sensepost com
+27 12 667 4737
GMT+2
=====================

Attachment: exp-tld2-public.pl
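
The real-time check the message recommends, as an added example (this is not the attached exp-tld2-public.pl and not SensePost code): probe each TLD with random labels to learn its current wildcard A record, then discard any answer that matches it. The function names, the `sample_resolver` stand-in and the 192.0.2.x addresses are assumptions constructed for illustration; the wildcard addresses are the 2003 values listed in the message. Only A records are covered, not MX.

```python
import secrets
import socket

def system_resolver(fqdn):
    """Return the set of IPv4 addresses for fqdn (empty if it does not resolve)."""
    try:
        return set(socket.gethostbyname_ex(fqdn)[2])
    except OSError:
        return set()

def wildcard_addresses(suffix, resolve=system_resolver, probes=3):
    """Addresses a TLD hands out for random labels nobody has registered."""
    seen = set()
    for _ in range(probes):  # several probes in case the wildcard rotates addresses
        seen |= resolve(f"{secrets.token_hex(16)}.{suffix}")
    return seen

def expand(name, suffixes, resolve=system_resolver):
    """Map name.suffix -> addresses, dropping answers that match the wildcard."""
    found = {}
    for suffix in suffixes:
        fqdn = f"{name}.{suffix}"
        real = resolve(fqdn) - wildcard_addresses(suffix, resolve)
        if real:
            found[fqdn] = real
    return found

# Constructed sample data: wildcard values as listed in the message (2003),
# "real" records invented from the 192.0.2.0/24 documentation range.
SAMPLE_WILDCARDS = {"com": "64.94.110.11", "cc": "206.253.214.101",
                    "tv": "65.201.175.144"}
SAMPLE_RECORDS = {"sensepost.com": "192.0.2.10", "sensepost.co.za": "192.0.2.20"}

def sample_resolver(fqdn):
    """Offline stand-in for DNS built from the constructed data above."""
    if fqdn in SAMPLE_RECORDS:
        return {SAMPLE_RECORDS[fqdn]}
    for suffix, addr in SAMPLE_WILDCARDS.items():
        if fqdn.endswith("." + suffix):
            return {addr}
    return set()

if __name__ == "__main__":
    hits = expand("sensepost", ["com", "cc", "tv", "co.za"], sample_resolver)
    for fqdn, addrs in hits.items():
        print(fqdn, sorted(addrs))
```

Because the wildcard is re-learned on every run, nothing is hard coded; a name that is genuinely registered but points at the same address as the wildcard is dropped along with the false positives.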