DNS Mistakes (Part 2): Lots of Typos

Part two of this series on mistakes seen in DNS shares many more common problems, often caused by typos, copy-and-paste issues, or misunderstandings of what is allowed in DNS. What software, quality assurance, or auditing lets these through? Part one was about missing or mistakenly added trailing dots. (I have automated DNS and DNSSEC research for years. As far as we know, we run the most extensive DNS test suite.) This article shares several examples to consider when reviewing your own DNS configurations.

Number in brackets included in the target MX hostname, and IP addresses used for MX "hostnames."
mwananchi.co.tz.        120     IN      MX      0 [5]mail2.mwananchi.co.tz.
mwananchi.co.tz.        120     IN      MX      5 217.29.131.234.
mwananchi.co.tz.        120     IN      MX      10 217.29.131.234.
2020-07-15 08:30:44
Literal spaces (ASCII \032) with parentheses, the word "priority", and a number. Presumably a copy and paste from instructions?
psydro.com.             300     IN      MX      1 aspmx.l.google.com\032\(priority:\0321\).

sample-cube.com.        299     IN      MX      1 smtp.secureserver.net\032\(priority:\0320\).
2020-07-10 07:16:44
2020-07-14 02:55:47
Verification keys are supposed to be in TXT records, not MX. Also a copy and paste included literal quotes.
araby.games.            3600    IN      MX      15 \"ydgave4awwq2x6gvrr67gadew3ujbq3ez3dht6cp34ymxpvp6akq.mx-verification.google.com.\".

beanhunters.com.        3600    IN      MX      15 2432ozecefk76ik4ibx42n6bqbixop7yght5q3hswjlxy6xohcfq.mx-verification.google.com.

genistabio.com.         600     IN      MX      15 6e7k3mn3er5edbayx7xgj7ztnhm2bvm23t6735sw5e32cslwuawa.mx-verification.GOOGLE.com.

2020-07-14 00:26:30
2020-07-10 10:01:56
2020-07-09 23:31:18
SPF TXT records inserted into MX targets and turned into hostnames.
siirt.edu.tr.           3600    IN      MX      10 v=spf1\032include:_spf.google.com\032~all.

portalcarapicuiba.com.br. 300   IN      MX      0 v=spf1\032ip4:54.39.159.133\032ip6:2607:5300:203:4985::\032include:spf.canada.ind.br\032+a\032+mx\032~all.

ndls.ie.                299     IN      MX      1 v=spf1\032include:spf.protection.outlook.com\032-all.

filmesonlinehdgratis.com.br. 299 IN     MX      14400 \"v=spf1\032include:spf.mx.hostinger.com\032include:relay.mailchannels.net\032~all\".

2020-07-17 03:31:44
2020-07-17 06:09:57
2020-07-17 08:41:48
2020-07-15 16:34:20
More literal spaces in MX target hostnames.
scotiabank.com.mx.      457     IN      MX      10 smexstsipgdl31.scotiabank.com.mx\032.

healthybrains.org.      28800   IN      MX      10 alt4.aspmx.l.google.com\032\032.

getbucks.com.           86400   IN      MX      20 mx2.mtaroutes.com\032.
getbucks.com.           86400   IN      MX      30 mx3.mtaroutes.com\032.
getbucks.com.           86400   IN      MX      40 mx4.mtaroutes.com\032.

2020-07-14 14:43:44
2020-07-09 10:04:18
2020-07-10 03:32:12
Refers to port 110, so maybe some POP3 notes were pasted into an MX target?
outpostinfo.com.        300     IN      MX      0 mail.outpostinfo.com\032\(port:\032110\).
2020-07-13 21:08:19
Looks like a period in quotes got inserted as an MX target hostname. One also has a literal space (ASCII 32).
getkansasbenefits.gov.  899     IN      MX      10 \".\032\".

werk.nl.                21599   IN      MX      0 \".\".

2020-07-17 02:20:41
2020-07-15 01:03:22
More quotes in DNS.
mobhey.com.             3599    IN      MX      0 mobhey-com.mail.protection.partner.outlook.cn.\".

onifile.com.            300     IN      MX      10 \"mx1.weblink.com.br\".
2020-07-14 00:28:26
2020-07-13 17:23:01
Typo: comma instead of a period.
speedjob.in.            300     IN      MX      10 speedjob,in.

puntajenacional.cl.     299     IN      MX      10 aspmx3.googlemail.com,.

academicpositions.com.  299     IN      MX      1 aspmx.l.google.com,.
academicpositions.com.  299     IN      MX      10 alt3.aspmx.l.google.com,.
academicpositions.com.  299     IN      MX      10 alt4.aspmx.l.google.com.
academicpositions.com.  299     IN      MX      5 alt1.aspmx.l.google.com,.
academicpositions.com.  299     IN      MX      5 alt2.aspmx.l.google.com,.

myabsorb.com.           2825    IN      MX      0 myabsorb-com.mail.protection.outlook.com,.

polkschoolsfl.com.      3600    IN      SOA     ns1,polk-fl.net. hostmaster.dc.polk-fl.net. 60 900 600 86400 3600

samyangpackaging.co.kr. 1799    IN      SOA     ns.samyang.com. administrator,samyang.com. 7 900 600 86400 3600
2020-07-15 07:44:07
2020-07-17 15:19:03
2020-07-16 21:56:57
2020-07-14 13:59:11
2020-07-17 05:51:34
2020-07-17 16:22:27
Typo or errant single-quote added to end of the MX target hostname.
fakeyourdrank.com.      300     IN      MX      3 mx3.vfemail.net'.
2020-07-14 01:25:57
This has a Latin small letter dotless "ı" instead of a Latin "i". (The Punycode-encoded domain name is xn--googlemal-2pb.com.)
son.tv.  300  IN  MX  10  aspmx2.googlemaıl.com.
2020-07-10 09:11:32
MX priority included in the MX target hostname. Maybe a copy-and-paste mistake. See the ASCII 32 space.
lupygames.com.          300     IN      MX      10 10\032inbound-smtp.eu-west-1.amazonaws.com.

acopian.com.            300     IN      MX      30 10\032inbound-smtp.us-east-1.amazonaws.com.

thunderdrive.io.        300     IN      MX      10 10\032inbound-smtp.us-east-1.amazonaws.com.

vaccineshoppe.com.      900     IN      MX      10 5\032xspz11s657k.sanofi.com

eaguingamp.com.         3600    IN      MX      5 100\032mxb.ovh.net.

dentalproductsreport.com. 299   IN      MX      0 10\032us-smtp-inbound-1.mimecast.com.
dentalproductsreport.com. 299   IN      MX      0 10\032us-smtp-inbound-2.mimecast.com.

2020-07-10 10:42:50
2020-07-10 10:12:10
2020-07-10 21:38:59
2020-07-10 03:42:57
2020-07-10 05:10:24
2020-07-17 03:39:29
Literal space (ASCII 32) inserted in an SOA field.
adek.gov.ae.            900     IN      SOA     \032s2gz0nm009.adnet.abudhabi.ae. hostmaster.abudhabi.ae. 161 28800 3600 2419200 900

webcom.com.             1799    IN      SOA     dns3.registeredsite.com. hostmaster.webcom.com\032. 2018072401 16384 2048 1048576 2560

tu.ac.kr.       1799    IN      SOA     \032ns2.tu.ac.kr. admin.tu.ac.kr. 1578 3600 300 604800 3600
2020-07-14 01:31:44
2020-07-14 03:37:37
2020-07-17 06:26:55
SOA RNAME and serial number inserted into the same SOA field (see the ASCII 32 space between them).
cucn.edu.cn.            1799    IN      SOA     dns1.cucn.edu.cn. hostmaster.net.edu.cn\03220070601. 401 900 600 86400 3600
2020-07-17 05:29:16
SOA RNAME has multiple spaces (ASCII 32) in it. Attempts to enter multiple email addresses or contacts.
wima.ac.id.             1200    IN      SOA     ns2.wima.ac.id. pusat\032data\032dan\032informasi. 2004086278 900 3600 86400 3600

arlingtonschools.org.   1799    IN      SOA     dns2.dcbcoes.org. info.csiny.com\032,\032jaime.keener. 2019080901 900 600 86400 3600

tanama.ir.              3600    IN      SOA     tanama.ir. saeed\032nouri. 40 86400 600 2419200 86400
2020-07-17 02:27:55
2020-07-17 17:10:16
2020-08-16 19:46:24
Attempt to have two SOA MNAMEs (see the ASCII 32 space between them).
e-credit.ad.            180     IN      SOA     ns1.creditandorra.ad,\032nic.creditandorra.ad. prod.creditandorra.ad. 85 900 600 86400 180
2020-07-14 00:20:54

We found many more examples of the problems above. We also found many other typing and data entry mistakes, such as misspellings (like "shanhai" instead of "shanghai"); missing periods between DNS labels (e.g., "mxbmail" instead of "mxb.mail", or "aspmx4googlemail"); transposed characters (e.g., "squaer" instead of "square"); other missing letters (e.g., the "c" in "com"); added letters; and missing trailing letters (e.g., "co" instead of "com").
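
The following is an added example, not code from this article or from the DNS Institute's checking tool: a Python linter that decodes the escapes dig prints in names (`\032`, `\"`, `\(`) and flags the classes of mistake shown above in MX targets and in SOA MNAME and RNAME fields. The finding names (`ip-address`, `spf-policy`, `embedded-priority`, `bad-chars`) and the relaxed rule for the RNAME local part are assumptions made for the example.

```python
import ipaddress
import re

# dig presentation format: \DDD is a decimal byte, \X an escaped character.
TOKEN = re.compile(r"\\(\d{3})|\\(.)|(\.)|(.)", re.S)
LDH = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-"

def labels(name):
    """Split an escaped name into decoded labels, on unescaped dots only."""
    out, cur = [], ""
    for ddd, esc, dot, ch in TOKEN.findall(name):
        if dot:
            out.append(cur)
            cur = ""
        else:
            cur += chr(int(ddd)) if ddd else (esc or ch)
    return out + ([cur] if cur else [])

def lint_name(name, mailbox=False):
    """Return findings for one name field; mailbox=True relaxes the RNAME local part."""
    labs = labels(name)
    if labs == [""]:
        return []  # bare "." is the root; as an MX target it is a null MX (RFC 7505)
    text, found, bad = ".".join(labs), [], set()
    try:
        ipaddress.ip_address(text)
        found.append("ip-address")
    except ValueError:
        pass
    if "v=spf1" in text.lower():
        found.append("spf-policy")
    if re.match(r"\d+ ", text):
        found.append("embedded-priority")
    for i, lab in enumerate(labs):
        # Hostname labels are letters, digits and hyphen (assumed rule: RFC 1123).
        ok = LDH + "._+" if mailbox and i == 0 else LDH
        bad.update(c for c in lab if c not in ok)
    if bad:
        found.append("bad-chars:" + "".join(sorted(bad)))
    return found

def lint_record(line):
    """Lint the name fields of one MX or SOA answer line as printed by dig."""
    f = line.split()
    if len(f) < 6:
        return []
    if f[3] == "SOA":
        return lint_name(f[4]) + lint_name(f[5], mailbox=True)
    return lint_name(f[5]) if f[3] == "MX" else []
```

Pass it each answer line from `dig +noall +answer` for the MX and SOA types; an empty list means no finding, and a bare `.` target is accepted as a null MX while the quoted `\".\".` form is flagged.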

We will continue this series of articles with more examples of different DNS mistakes, including insane values, more garbage, and technical issues. What do you use to verify your DNS is sane? The DNS Institute's checking tool looks at over 90 attributes to make sure they follow IETF/RFC requirements, government mandates, registry suggestions, and best practices. For over a year, we've run it against thousands of domains owned by Fortune 500 companies, the US government, and S&P 100 Global Banks, and have identified hundreds of thousands of anomalies, including critical issues and security vulnerabilities.