Hi r/sysadmin,
I went to telnet into a mail server today to check something and accidentally misspelled the hostname. Much to my surprise, it resolved to an IP outside of my network.
I tested it a few more times with random hostnames that don't exist and was still getting back a variety of IPs. Very odd says I - arp poisoning? Has my resolv.conf been changed? Nope - more digging.
    :~$ telnet serhuweq3werzx.com 25
    Trying 46.19.33.219...

    :~$ host serhuweq3werzx.com
    serhuweq3werzx.com does not exist, try again
    :~# tshark -f "udp port 53"
    Running as user "root" and group "root". This could be dangerous.
    Capturing on eth0
      0.000000 88.198.50.xxx -> 213.133.100.100 DNS Standard query AAAA serhuweq3werzx.com
      0.002577 213.133.100.100 -> 88.198.50.xxx DNS Standard query response, No such name
      0.002696 88.198.50.xxx -> 213.133.100.100 DNS Standard query AAAA serhuweq3werzx.com.net
      0.005240 213.133.100.100 -> 88.198.50.xxx DNS Standard query response
      0.005312 88.198.50.xxx -> 213.133.100.100 DNS Standard query A serhuweq3werzx.com
      0.007851 213.133.100.100 -> 88.198.50.xxx DNS Standard query response, No such name
      0.007909 88.198.50.xxx -> 213.133.100.100 DNS Standard query A serhuweq3werzx.com.net
      0.010545 213.133.100.100 -> 88.198.50.xxx DNS Standard query response A 46.19.33.219 A 199.167.192.24 A 209.141.55.78 A 75.126.49.42 A 91.220.127.185 A 184.171.174.117 A 182.50.129.9 A 199.167.196.149 A 209.135.132.40 A 182.160.128.53 A 67.208.112.131 A 209.54.59.200
    ^C
    8 packets captured
So it seems that telnet is looking for serhuweq3werzx.com - followed by checking serhuweq3werzx.com.net.
    :~$ dig *.com.net +short
    209.135.132.40
    209.54.59.200
    75.126.49.42
    199.167.196.149
    182.160.128.53
    209.141.55.78
    182.50.129.9
    67.208.112.131
    46.19.33.219
    199.167.192.24
    184.171.174.117
    91.220.127.185
And someone owns com.net and has it set to return a variety of IPs from all around the world (not all returned results; but)
    :~$ for i in $(dig random456789123z.com.net +short); do whois $i | grep country; done
    country: AU
    country: AU
    country: SG
    country: SG
    country: NL
    country: GB
There's a few US hosts in there also from manual checks.
So here's my question - is this just telnet's behaviour, searching for .com.net or is this coming from somewhere else?
I would also have to wonder what the potential security implications are for someone owning that host and getting traffic that wasn't intended for it. If it's just telnet then not as much of an issue I suppose.
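An added example (my own script, not the OP's) that reproduces the query order in the capture above and flags the pattern in a tshark summary log. It assumes a resolv.conf with `search net` and the default `ndots:1` (the post never shows the file), and runs over constructed log lines modelled on the capture, with documentation-range addresses in place of the OP's hosts.

```python
import re

def expand_search_list(name, search, ndots=1):
    """Emulate the glibc resolver's candidate order for a user-typed name.
    Assumption (not stated in the post): 'search net' and default ndots:1,
    which reproduces the query order seen in the capture."""
    if name.endswith("."):                 # fully qualified: no search list
        return [name.rstrip(".")]
    expansions = [f"{name}.{suffix}" for suffix in search]
    if name.count(".") >= ndots:           # enough dots: try as-is first
        return [name] + expansions
    return expansions + [name]             # bare host: suffixes first

# Constructed sample in tshark summary format, modelled on the post's capture
# (192.0.2.x are documentation addresses, not the OP's hosts).
SAMPLE_CAPTURE = """\
0.000000 192.0.2.10 -> 192.0.2.53 DNS Standard query AAAA serhuweq3werzx.com
0.002577 192.0.2.53 -> 192.0.2.10 DNS Standard query response, No such name
0.002696 192.0.2.10 -> 192.0.2.53 DNS Standard query AAAA serhuweq3werzx.com.net
0.005240 192.0.2.53 -> 192.0.2.10 DNS Standard query response
0.005312 192.0.2.10 -> 192.0.2.53 DNS Standard query A serhuweq3werzx.com
0.007851 192.0.2.53 -> 192.0.2.10 DNS Standard query response, No such name
0.007909 192.0.2.10 -> 192.0.2.53 DNS Standard query A serhuweq3werzx.com.net
0.010545 192.0.2.53 -> 192.0.2.10 DNS Standard query response A 46.19.33.219 A 199.167.192.24
"""

QUERY = re.compile(r"Standard query (?:AAAA|A) (\S+)$")
IPV4 = re.compile(r"\bA (\d{1,3}(?:\.\d{1,3}){3})")

def find_search_list_hits(capture):
    """Pair each query line with the response that follows it and report
    names that got NXDOMAIN while NAME.<suffix> then answered with addresses:
    the sign that a typo was caught by a wildcard under the search domain."""
    pending, nxdomain, hits = None, set(), []
    for line in capture.splitlines():
        q = QUERY.search(line)
        if q:
            pending = q.group(1)
            continue
        if "Standard query response" not in line or pending is None:
            continue
        if "No such name" in line:
            nxdomain.add(pending)
        else:
            ips = IPV4.findall(line)        # empty for a NOERROR/no-data answer
            for short in sorted(nxdomain):
                if ips and pending.startswith(short + "."):
                    hits.append((short, pending, ips))
        pending = None
    return hits
```

Running `find_search_list_hits` over a real `tshark -f "udp port 53"` text dump shows at a glance which typed names were silently redirected to a wildcard under the search suffix; `expand_search_list` shows why a bare hostname like `mail` would hit `mail.net` before the local name is even tried.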