When Someone Points Their DNS at Your Site

NetworkNerd

Here's something interesting. A couple of days ago I logged into Wordpress only to have Jetpack get confused about whether there were multiple copies of the site on the public internet (asked me if my DNS records had changed, mentioning the domain epelican.projectstatus.in). At first I thought someone had hacked me and mirrored my content elsewhere, but that was not the case. After some research and ruling out the possibility of a hack, it turns out someone bought a domain in India and pointed an A-record for that domain at the public ip of my site.

Why would someone do this? Has this ever happened to you?

scottalanmiller

Maybe they want their domain to look like it has content or something.

scottalanmiller

Maybe they had that A record before you had that IP address?

NetworkNerd

@scottalanmiller said in When Someone Points Their DNS at Your Site:

Maybe they had that A record before you had that IP address?

I guess that's possible, but I thought it odd that Jetpack only picked up on this earlier this week. I've had the ip since May. I wish there was a way to see when an A-record was first published, but I don't think you can.

scottalanmiller

@networknerd said in When Someone Points Their DNS at Your Site:

@scottalanmiller said in When Someone Points Their DNS at Your Site:

Maybe they had that A record before you had that IP address?

I guess that's possible, but I thought it odd that Jetpack only picked up on this earlier this week. I've had the ip since May. I wish there was a way to see when an A-record was first published, but I don't think you can.

How would JetPack see it? They'd have to be out there scouring DNS records, which is pretty hard to do.

NetworkNerd

@scottalanmiller said in When Someone Points Their DNS at Your Site:

@networknerd said in When Someone Points Their DNS at Your Site:

@scottalanmiller said in When Someone Points Their DNS at Your Site:

Maybe they had that A record before you had that IP address?

I guess that's possible, but I thought it odd that Jetpack only picked up on this earlier this week. I've had the ip since May. I wish there was a way to see when an A-record was first published, but I don't think you can.

How would JetPack see it? They'd have to be out there scouring DNS records, which is pretty hard to do.

JetPack alerts you if multiple DNS records are pointed at your site because it gets confused about what statistics it needs to collect in conjunction with the hook into Wordpress.com (i.e. when traffic enters from one DNS record verses another DNS record).

scottalanmiller

@networknerd said in When Someone Points Their DNS at Your Site:

@scottalanmiller said in When Someone Points Their DNS at Your Site:

@networknerd said in When Someone Points Their DNS at Your Site:

@scottalanmiller said in When Someone Points Their DNS at Your Site:

Maybe they had that A record before you had that IP address?

I guess that's possible, but I thought it odd that Jetpack only picked up on this earlier this week. I've had the ip since May. I wish there was a way to see when an A-record was first published, but I don't think you can.

How would JetPack see it? They'd have to be out there scouring DNS records, which is pretty hard to do.

JetPack alerts you if multiple DNS records are pointed at your site because it gets confused about what statistics it needs to collect in conjunction with the hook into Wordpress.com (i.e. when traffic enters from one DNS record verses another DNS record).

Yes, but that doesn't answer the question of how would it even know?

Dashrender

@scottalanmiller said in When Someone Points Their DNS at Your Site:

@networknerd said in When Someone Points Their DNS at Your Site:

@scottalanmiller said in When Someone Points Their DNS at Your Site:

@networknerd said in When Someone Points Their DNS at Your Site:

@scottalanmiller said in When Someone Points Their DNS at Your Site:

Maybe they had that A record before you had that IP address?

I guess that's possible, but I thought it odd that Jetpack only picked up on this earlier this week. I've had the ip since May. I wish there was a way to see when an A-record was first published, but I don't think you can.

How would JetPack see it? They'd have to be out there scouring DNS records, which is pretty hard to do.

JetPack alerts you if multiple DNS records are pointed at your site because it gets confused about what statistics it needs to collect in conjunction with the hook into Wordpress.com (i.e. when traffic enters from one DNS record verses another DNS record).

Yes, but that doesn't answer the question of how would it even know?

OK I wasn't going to post my question - but considering this ^

I would assume JetPack only knows because someone tried visiting the URL and that DNS server sent them to you. So the DNS server could have bad records for years, but if no one ever visited the URL, your server would never know it. Right?

scottalanmiller

@dashrender said in When Someone Points Their DNS at Your Site:

@scottalanmiller said in When Someone Points Their DNS at Your Site:

@networknerd said in When Someone Points Their DNS at Your Site:

@scottalanmiller said in When Someone Points Their DNS at Your Site:

@networknerd said in When Someone Points Their DNS at Your Site:

@scottalanmiller said in When Someone Points Their DNS at Your Site:

Maybe they had that A record before you had that IP address?

I guess that's possible, but I thought it odd that Jetpack only picked up on this earlier this week. I've had the ip since May. I wish there was a way to see when an A-record was first published, but I don't think you can.

How would JetPack see it? They'd have to be out there scouring DNS records, which is pretty hard to do.

JetPack alerts you if multiple DNS records are pointed at your site because it gets confused about what statistics it needs to collect in conjunction with the hook into Wordpress.com (i.e. when traffic enters from one DNS record verses another DNS record).

Yes, but that doesn't answer the question of how would it even know?

OK I wasn't going to post my question - but considering this ^

I would assume JetPack only knows because someone tried visiting the URL and that DNS server sent them to you. So the DNS server could have bad records for years, but if no one ever visited the URL, your server would never know it. Right?

Right, exactly. Harvesting DNS isn't really a thing and not really possible. You can find www records easily by guessing at this. But this wasn't that, it was an obscure host name. Effectively impossible for JetPack to see unless it was in use and JP was looking at your host header logs.

NetworkNerd

@scottalanmiller said in When Someone Points Their DNS at Your Site:

@dashrender said in When Someone Points Their DNS at Your Site:

@scottalanmiller said in When Someone Points Their DNS at Your Site:

@networknerd said in When Someone Points Their DNS at Your Site:

@scottalanmiller said in When Someone Points Their DNS at Your Site:

@networknerd said in When Someone Points Their DNS at Your Site:

@scottalanmiller said in When Someone Points Their DNS at Your Site:

Maybe they had that A record before you had that IP address?

I guess that's possible, but I thought it odd that Jetpack only picked up on this earlier this week. I've had the ip since May. I wish there was a way to see when an A-record was first published, but I don't think you can.

How would JetPack see it? They'd have to be out there scouring DNS records, which is pretty hard to do.

JetPack alerts you if multiple DNS records are pointed at your site because it gets confused about what statistics it needs to collect in conjunction with the hook into Wordpress.com (i.e. when traffic enters from one DNS record verses another DNS record).

Yes, but that doesn't answer the question of how would it even know?

OK I wasn't going to post my question - but considering this ^

I would assume JetPack only knows because someone tried visiting the URL and that DNS server sent them to you. So the DNS server could have bad records for years, but if no one ever visited the URL, your server would never know it. Right?

Right, exactly. Harvesting DNS isn't really a thing and not really possible. You can find www records easily by guessing at this. But this wasn't that, it was an obscure host name. Effectively impossible for JetPack to see unless it was in use and JP was looking at your host header logs.

Ok, now it makes sense. So maybe you were correct about that DNS record being in place before I even got the ip.

Thanks to both of you for helping me understand this better.

scottalanmiller

Could still be weird. But could be benign, too.

NetworkNerd

@scottalanmiller said in When Someone Points Their DNS at Your Site:

Could still be weird. But could be benign, too.

Or it could be the NSA.

scottalanmiller

@networknerd said in When Someone Points Their DNS at Your Site:

@scottalanmiller said in When Someone Points Their DNS at Your Site:

Could still be weird. But could be benign, too.

Or it could be the NSA.

Dun dun daaaaaaaaaaaaaaaaaaaa................

Dashrender

@networknerd said in When Someone Points Their DNS at Your Site:

@scottalanmiller said in When Someone Points Their DNS at Your Site:

Could still be weird. But could be benign, too.

Or it could be the NSA.

All your websites are belong to NSA.