Listen to this Post

Introduction
Earlier this year, cybersecurity researchers uncovered 2-nest.pipe[.]ma, a nameserver operating under Morocco’s ccTLD (.ma) and hosted on bulletproof infrastructure. This server was found authoritatively serving high-risk domains, including those linked to past breaches and leak databases like Leakbase. The domain, originally registered via Genious Communications, has been operated by Njalla (1337 Services Co./AS54990)—a provider notorious for privacy-centric, censorship-resistant hosting.
Learning Objectives
- Understand how bulletproof hosting enables malicious cyber operations.
- Analyze DNS infrastructure abuse in cybercrime.
- Learn defensive techniques to detect and mitigate rogue nameservers.
You Should Know
1. Investigating Suspicious Nameservers with Dig
Command:
dig +short NS pipe[.]ma
What This Does:
This command queries the nameservers for pipe[.]ma, revealing authoritative DNS servers.
Step-by-Step Guide:
- Open a terminal (Linux/macOS) or use WSL (Windows).
2. Run the command to list nameservers.
- Cross-reference results with threat intelligence feeds (e.g., VirusTotal, AbuseIPDB).
- Tracing Hosting Infrastructure via WHOIS & ASN Lookup
Command:
whois pipe[.]ma curl -s "https://api.bgpview.io/asn/54990" | jq .
What This Does:
– `whois` retrieves domain registration details.
– The API call fetches ASN (Autonomous System Number) data for Njalla’s network (AS54990).
Step-by-Step Guide:
- Run `whois` to check registrar and registration history.
- Use `curl` + `jq` to parse Njalla’s ASN metadata, identifying IP ranges.
- Detecting Malicious DNS Activity with Passive DNS
Tool: SecurityTrails / DNSdumpster
- Detecting Malicious DNS Activity with Passive DNS
Query:
curl "https://api.securitytrails.com/v1/history/pipe[.]ma/dns/a" -H "APIKEY: YOUR_KEY"
What This Does:
Fetches historical DNS records to identify past resolutions (e.g., C2 servers).
Step-by-Step Guide:
1. Obtain a SecurityTrails API key.
- Run the query to review `A` record history.
3. Correlate IPs with blacklists.
4. Blocking Malicious Nameservers via Firewall Rules
Windows (PowerShell):
New-NetFirewallRule -DisplayName "Block Njalla AS54990" -Direction Outbound -RemoteIP "185.159.82.0/24" -Action Block
Linux (iptables):
sudo iptables -A OUTPUT -d 185.159.82.0/24 -j DROP
What This Does:
Blocks outbound traffic to Njalla’s IP ranges.
Step-by-Step Guide:
1. Identify hostile IPs via ASN lookup.
2. Apply firewall rules to prevent communication.
5. Monitoring DNS Exfiltration with Zeek (Bro)
Zeek Script (`dns-exfil.zeek`):
event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count) {
if (query in /pipe[.]ma/) {
print fmt("Suspicious DNS query to %s from %s", query, c$id$orig_h);
}
}
What This Does:
Logs DNS queries to `pipe[.]ma` for exfiltration detection.
Step-by-Step Guide:
1. Install Zeek (`sudo apt install zeek`).
2. Add the script to `/opt/zeek/share/zeek/site/`.
3. Restart Zeek to apply.
What Undercode Say
- Key Takeaway 1: Bulletproof hosting providers like Njalla enable threat actors to evade takedowns, necessitating proactive network-level blocking.
- Key Takeaway 2: Historical DNS analysis is critical for uncovering infrastructure reuse in cyberattacks.
Analysis:
The `pipe[.]ma` case underscores the abuse of privacy-focused hosting for malicious DNS operations. Defenders must:
1. Monitor ASNs linked to bulletproof hosting.
2. Implement DNS logging and firewall rules.
3. Leverage threat intelligence to flag suspicious domains.
Prediction
As bulletproof hosting evolves, expect:
- Increased use of decentralized DNS (e.g., blockchain-based).
- More ccTLD abuse for legitimacy.
- Tighter regulations targeting “rogue” ASNs.
Final Thought: Vigilance in DNS monitoring and infrastructure analysis remains paramount in countering cybercriminal resilience.
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Adn4ne Earlier – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


