PaulDotCom mailing list archives
DNS look up against a specific DNS provider
From: rd at rd1.net (Ralph Durkee)
Date: Sat, 27 Jun 2009 09:02:58 -0400
Yes, it makes your goal a lot clearer. I was wondering where you were going with your question. I think you're on the right track in that DNS can be good at detecting malware and bot track on your network.

I don't think it's going to be practical to ask the top few dynamic DNS providers to monitor requests from our IP addresses. They would probably be willing to sell it as a service, but it wouldn't catch the more sophisticated bots that use their own DNS servers. In particular I'm thinking about fast flux networks that honeynet wrote about in 2007: http://honeynet.org/papers/ff They recommended passive DNS monitoring as a way of detecting these bot nets, and several other papers have been written on it, such as http://www.caida.org/workshops/wide/0707/slides/bojan.pdf and http://staff.science.uva.nl/~delaat/snb-2005-2006/p12/report.pdf

Of course DNS monitoring your network could also catch any external authoritative DNS responses that had your own IP addresses in it, which is likely to be of interest.

--
Ralph Durkee, CISSP, GSEC, GCIH, GSNA, GPEN
Principal Security Consultant
http://rd1.net

Adrian Crenshaw wrote:
Thanks Tim, hope your explanation makes it more clear. I've read about some malware/bots using dynamic DNS providers to map names for the sake of convenience, and some employees may set up unauthorized services on their work box; I figured this sort of tool would help find them.

Adrian

On Fri, Jun 26, 2009 at 1:59 PM, Tim Krabec <tkrabec at gmail.com> wrote:

I was originally confused by what Irongeek wanted. He wants to know if/when any IPs in his office/company show up in a dynamically assigned domain/IP, i.e. Irongeek's company range is 192.168.1.5-15 and he wants to be able to check abcDynamics for his IPs, i.e. bot327.abcDynamics.com is pointing to 192.168.1.6. I think this could be another awesome tool/resource. It would probably require cooperation with the dynamic IP providers.

--
Tim Krabec
Kracomp
772-597-2349
smbminute.com
kracomp.blogspot.com
www.kracomp.com

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
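Ralph's suggestion of passive DNS monitoring, worked out as an added example (this is not code from the thread, from PaulDotCom or from the honeynet paper): it parses a passive-DNS log in a hypothetical record format constructed for this example, flags external names whose A/AAAA records land inside our own address space (the case Tim and Adrian describe, with bot327.abcDynamics.com pointing at 192.168.1.6 as the constructed hit), and applies a simple fast-flux heuristic to each name: many distinct A records, short TTLs, spread across several /16 prefixes. The record format, the OUR_NETWORKS and OUR_DOMAINS values, the sample lines and the thresholds are all assumptions; in practice the records would come from a resolver's query log or a passive-DNS sensor.

```python
"""Passive DNS monitoring sketch (added example, not the thread's own code).

Two checks run over a stream of resolver observations:
  1. external names whose A/AAAA records fall inside our own address space;
  2. fast-flux style names: many distinct A records, short TTLs, spread over
     several /16 prefixes (a crude stand-in for ASN diversity).

The record format is hypothetical, constructed for this example:
    <iso-timestamp> <client-ip> <qname> <rtype> <rdata> ttl=<seconds>
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Assumed address space and domains of "our" organisation (constructed values).
OUR_NETWORKS = [ipaddress.ip_network("192.168.1.0/24"),
                ipaddress.ip_network("203.0.113.0/24")]
OUR_DOMAINS = ("ourcompany.example",)

# Constructed sample observations; the bot327 line mirrors Tim's example.
SAMPLE_LOG = """\
# constructed passive-DNS records, not captured traffic
2009-06-27T09:00:01 10.0.0.12 www.example.com. A 198.51.100.10 ttl=86400
2009-06-27T09:00:05 10.0.0.12 vpn.ourcompany.example A 203.0.113.5 ttl=3600
2009-06-27T09:01:10 10.0.0.31 bot327.abcDynamics.com A 192.168.1.6 ttl=60
2009-06-27T09:02:00 10.0.0.44 flux.example A 198.51.100.20 ttl=120
2009-06-27T09:04:00 10.0.0.44 flux.example A 192.0.2.44 ttl=120
2009-06-27T09:06:00 10.0.0.44 flux.example A 100.64.1.9 ttl=90
2009-06-27T09:08:00 10.0.0.44 flux.example A 172.16.5.5 ttl=120
2009-06-27T09:10:00 10.0.0.44 flux.example A 10.9.8.7 ttl=60
2009-06-27T09:02:30 10.0.0.50 cdn.example A 198.51.100.30 ttl=30
2009-06-27T09:03:30 10.0.0.50 cdn.example A 198.51.100.31 ttl=30
2009-06-27T09:04:30 10.0.0.50 cdn.example A 198.51.100.32 ttl=30
2009-06-27T09:05:30 10.0.0.50 cdn.example A 198.51.100.33 ttl=30
2009-06-27T09:06:30 10.0.0.50 cdn.example A 198.51.100.34 ttl=30
"""


@dataclass(frozen=True)
class DnsRecord:
    ts: str
    client: str
    qname: str   # normalised: lower-case, no trailing dot
    rtype: str
    rdata: str
    ttl: int


def parse_line(line: str) -> Optional[DnsRecord]:
    """Parse one record; return None for comments or malformed lines."""
    parts = line.split()
    if len(parts) != 6 or not parts[5].startswith("ttl="):
        return None
    try:
        ttl = int(parts[5][4:])
    except ValueError:
        return None
    qname = parts[2].lower().rstrip(".")
    return DnsRecord(parts[0], parts[1], qname, parts[3].upper(), parts[4], ttl)


def parse_log(text: str) -> List[DnsRecord]:
    return [r for r in (parse_line(l) for l in text.splitlines()) if r is not None]


def is_our_name(qname: str) -> bool:
    return any(qname == d or qname.endswith("." + d) for d in OUR_DOMAINS)


def our_ip_exposures(records: List[DnsRecord]) -> Set[Tuple[str, str]]:
    """(qname, address) pairs where an external name resolves into our space."""
    hits = set()
    for r in records:
        if r.rtype not in ("A", "AAAA"):
            continue
        try:
            addr = ipaddress.ip_address(r.rdata)
        except ValueError:
            continue
        if any(addr in net for net in OUR_NETWORKS) and not is_our_name(r.qname):
            hits.add((r.qname, r.rdata))
    return hits


def fast_flux_candidates(records: List[DnsRecord], min_ips: int = 5,
                         max_ttl: int = 300, min_prefixes: int = 3) -> Dict[str, dict]:
    """Names whose A records are numerous, short-lived and spread over many /16s."""
    by_name = defaultdict(list)
    for r in records:
        if r.rtype == "A":
            try:
                by_name[r.qname].append((ipaddress.ip_address(r.rdata), r.ttl))
            except ValueError:
                pass
    out = {}
    for name, obs in by_name.items():
        ips = {ip for ip, _ in obs}
        prefixes = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in ips}
        highest_ttl = max(ttl for _, ttl in obs)
        if len(ips) >= min_ips and highest_ttl <= max_ttl and len(prefixes) >= min_prefixes:
            out[name] = {"ips": len(ips), "prefixes": len(prefixes), "max_ttl": highest_ttl}
    return out


def analyze(text: str) -> dict:
    records = parse_log(text)
    return {"exposures": sorted(our_ip_exposures(records)),
            "fast_flux": fast_flux_candidates(records)}


if __name__ == "__main__":
    for kind, findings in analyze(SAMPLE_LOG).items():
        print(kind, findings)
```

The cdn.example lines are there deliberately: a CDN also hands out many addresses with short TTLs, and only the prefix-diversity test keeps it out of the fast-flux list. In production that crude /16 check should become an ASN lookup, and an allowlist of known CDN and dynamic-DNS names is needed to keep the false-positive rate tolerable; the exposure check, by contrast, has few legitimate triggers and is the cheaper win.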
Current thread:
- DNS look up against a specific DNS provider Adrian Crenshaw (Jun 25)
- DNS look up against a specific DNS provider Jonathan Moore (Jun 25)
- DNS look up against a specific DNS provider Adrian Crenshaw (Jun 25)
- DNS look up against a specific DNS provider byte.bucket at 4a44.com (Jun 25)
- DNS look up against a specific DNS provider Adrian Crenshaw (Jun 25)
- DNS look up against a specific DNS provider genesiswave at gmail.com (Jun 25)
- DNS look up against a specific DNS provider Adrian Crenshaw (Jun 26)
- DNS look up against a specific DNS provider Tim Krabec (Jun 26)
- DNS look up against a specific DNS provider Adrian Crenshaw (Jun 26)
- DNS look up against a specific DNS provider Ralph Durkee (Jun 27)