nanog mailing list archives

Help with removing DNS sinkhole FP from Charter/Spectrum


From: Validin Axon <axon () validin com>
Date: Sun, 21 Apr 2024 21:21:48 -0400

Looking for some help/advice. Spectrum is sinkholing my company's domain,
validin[.]com, to 127.0.0.54. The sinkhole responses come from their
recursive DNS servers, 209.18.47.61 and 209.18.47.62, which are defaults
for and in use by many of their customers and are only reachable from
within the Spectrum network. I've had 4 people over the last week (think:
customers, prospects, etc) who use Charter/Spectrum tell me that they have
difficulty accessing my website as a result of this sinkhole behavior. This
behavior is causing reputational harm to my company.

I've personally confirmed this behavior from the Spectrum network (I am
also a customer) using dig to test their DNS servers:
```
$ dig +short @209.18.47.61 validin.com
127.0.0.54
$ dig +short @209.18.47.62 validin.com
127.0.0.54
```
Using Cloudflare/Google/etc works correctly:
```
$ dig +short @1.1.1.1 validin.com
137.184.54.107
157.245.112.183
$ dig +short @8.8.8.8 validin.com
157.245.112.183
137.184.54.107
```

I suspect my domain was blocklisted last year when a threat researcher
included my domain name in a blog post about a threat they were
investigating and cited my company as the source for their data. Someone
scraped that post, and my company's domain was accidentally added to
two AlienVault OTX pulses and at least one collection on VirusTotal. I
removed the domain via false positive reporting from everything I could.
However, it appears that being added to Spectrum's DNS sinkhole list is
effectively permanent and there's no clear path for false positive
remediation.

I've tried the official Spectrum support lines for months to no avail, and
recently tried reaching out on Twitter, but have had no success there
either. I'm clearly not able to find the right people through these routes,
as none of the people I reach understand the difference between a DNS
sinkhole and an IP block list and don't appear to be aware that DNS
blocklisting is a separate behavior from their opt-in content filtering via
Security Shield.

So, if someone could please help me find the team or individual responsible
for Spectrum's DNS sinkhole behavior, I would be exceptionally grateful. :-)

As I mentioned, this is causing reputation harm, so switching my own DNS
servers is not sufficient. People who need to reach me can't. So, I would
appreciate any other help or advice you have.

Kenneth
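
A repeatable version of the check the post performs by hand, added here as an example that is not part of the original post or Validin's code: it compares each resolver's A records for a name against a trusted reference resolver and flags answer sets that land entirely in loopback or other unroutable space, which is how sinkholing (127.0.0.54) looks from the client side. The resolver answers in `OBSERVED` are constructed from the dig output quoted above, and `dig_short()` is an assumed helper for collecting live answers.

```python
import ipaddress
import subprocess
from typing import Dict, Iterable, List

# Ranges no public web host legitimately lives in; a recursive resolver
# answering with one of these for a public name is the signature of a sinkhole.
SINKHOLE_RANGES = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8",                                    # loopback, e.g. 127.0.0.54 in the post
    "0.0.0.0/8",                                      # "this network", another common target
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
)]

def is_sinkhole_answer(addr: str) -> bool:
    """True if addr falls in a range that cannot be a real public host."""
    return any(ipaddress.ip_address(addr) in net for net in SINKHOLE_RANGES)

def classify(answers: Iterable[str], reference: Iterable[str]) -> str:
    """Compare one resolver's A records with a trusted resolver's. Order is
    ignored because public resolvers rotate records (1.1.1.1 vs 8.8.8.8 in the post)."""
    got, ref = set(answers), set(reference)
    if not got:
        return "no-answer"      # NXDOMAIN/NODATA: a block, but not a sinkhole
    if all(is_sinkhole_answer(a) for a in got):
        return "sinkholed"
    if got == ref:
        return "ok"
    return "divergent"          # CDN/geo answers land here too; not proof of a block

def audit(answers_by_resolver: Dict[str, List[str]], reference: str) -> Dict[str, str]:
    """Verdict per resolver, measured against the named reference resolver."""
    ref = answers_by_resolver[reference]
    return {r: classify(a, ref) for r, a in answers_by_resolver.items() if r != reference}

def dig_short(resolver: str, name: str) -> List[str]:
    """Live collection (assumed helper): IPv4 answers from `dig +short`, CNAME lines dropped."""
    out = subprocess.run(["dig", "+short", "+time=5", "@" + resolver, name, "A"],
                         capture_output=True, text=True, check=False).stdout
    return [line for line in out.split() if line.replace(".", "").isdigit()]

# Constructed from the dig output quoted in the post; swap in dig_short() for a live run.
OBSERVED = {
    "1.1.1.1": ["137.184.54.107", "157.245.112.183"],
    "8.8.8.8": ["157.245.112.183", "137.184.54.107"],
    "209.18.47.61": ["127.0.0.54"],
    "209.18.47.62": ["127.0.0.54"],
}

if __name__ == "__main__":
    for r, v in audit(OBSERVED, reference="1.1.1.1").items():
        print(f"{r:>14}: {v}")
```

A "divergent" verdict alone is not evidence of blocking, since CDN and geo-routed names legitimately answer differently per resolver; only the "sinkholed" verdict, an answer set made entirely of unroutable addresses, matches the behaviour described in the post.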
