Full Disclosure mailing list archives
Re: Question for DNS pros
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Sun, 25 Jul 2004 16:58:15 +1200
Paul Schmehl wrote:
> Well, no, because that wouldn't solve the problem. A host on our network is being queried quite regularly on udp/53 by other hosts. A review of the packets reveals that these other hosts believe that our host is a dns server. (AAMOF the IP address isn't even in use at the present time.)
OK, given this extra information, I see you are making one huge assumption...
> Now, if you do a reverse lookup for that IP, *our* DNS servers, which are authoritative for our network will tell you what the hostname is. But that isn't what I want to know. Obviously, a simple dig -x IP will tell me that. What I want to know is *why* do these "foreign" hosts think an IP on my network is serving DNS when there's not even a host at that address.
I think you're assuming that a remote host should only consider this IP of yours as a DNS server _if_ that information is _in the DNS, somewhere_, hence your query -- you're trying to work out how to find out what part of the DNS thinks this IP of yours is a DNS server.
> I can think of two possibilities: 1) At some time in the past, a host *was* serving DNS at that address and some "foreign" hosts have cached the address. 2) Someone somewhere has registered a domain and used our IP address for one of their "nameservers" in the registration. (If anyone can think of other explanations, please let me know.)
I can think of another...

Several recent malwares (mostly mass-mailing viruses, but some others too) have hard-coded lists of various servers to fall back on if local (i.e. local to the compromised/victim host) fails. When we first started to see this tactic (several years ago) it tended to be SMTP servers running open relays (or at least, the largest internal-to-external-relaying SMTP servers at the largest ISPs). Usually these lists were used if MX lookup for a target address failed or other transmission difficulties presented themselves (outgoing connections on port 25 failed because of firewall rules, etc), or (particularly before the mass-mailers did MX) if simply guessing "smtp.<domain>", "mail.<domain>", etc as the likely MX of a target domain failed.

More recently, as proper MX resolution has become more common in these malwares' mailing engines, so has inclusion of lists of "known promiscuous" DNS servers, presumably in the expectation that MX for more target domains will be resolved than simply relying on the victim's default DNS. If your IP was in one of these lists (perhaps because of a typo or its nefarious inclusion in some commonly distributed list of promiscuous DNS servers) you could see requests from all over the place asking for all manner of target hosts (assuming that the malware writers actually get their DNS querying code right!).

If the malware in question were doing this for MX reasons (by far the most common use to date) you would, of course, expect to see whatever DNS query or sequence of queries is normal for getting MX information, but now we are getting out of my area of expertise. Of course, all manner of other nefarious malware-related purposes besides self-mailing could be tied into such behaviour, so not seeing MX requests does not mean that this type of explanation is incorrect...

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
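An added example, not from this thread or any of its posters: a small Python script that parses the question section of the udp/53 queries arriving at the unused address and checks for the pattern Nick describes (many unrelated sources each asking MX for many unrelated domains), as opposed to the stale-cache or registered-nameserver explanations. It assumes you have the raw UDP payloads and source addresses from a capture; all addresses and names below are constructed, and build_query exists only to fabricate that sample traffic.

```python
import struct
from collections import Counter

QTYPE_NAME = {1: "A", 15: "MX", 28: "AAAA"}

def build_query(qname, qtype, txid=0x1234):
    """Minimal DNS query (12-byte header + one question); used here only to construct sample traffic."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS=IN

def parse_question(payload):
    """Return (qname, qtype) of the single question in a DNS query payload."""
    if len(payload) < 12:
        raise ValueError("short DNS header")
    flags, qdcount = struct.unpack("!HH", payload[2:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    pos, labels = 12, []
    while True:
        n, pos = payload[pos], pos + 1
        if n == 0:
            break
        if n & 0xC0:  # a compression pointer is not expected in a question name
            raise ValueError("compression pointer in question name")
        labels.append(payload[pos:pos + n].decode("ascii"))
        pos += n
    return ".".join(labels), struct.unpack("!H", payload[pos:pos + 2])[0]

def profile(observations):
    """observations: iterable of (source_ip, raw udp/53 payload) seen at the unused address."""
    sources, mx_domains, qtypes = set(), set(), Counter()
    for src, payload in observations:
        qname, qtype = parse_question(payload)
        sources.add(src)
        qtypes[QTYPE_NAME.get(qtype, str(qtype))] += 1
        if qtype == 15:
            mx_domains.add(qname.lower())
    # Many unrelated sources asking MX for many unrelated domains is the mass-mailer signature;
    # anything else points back at a stale cache or a registration naming this IP as a nameserver.
    mx_heavy = qtypes["MX"] * 2 >= sum(qtypes.values()) and len(mx_domains) >= 3
    verdict = "mx-fallback-list" if mx_heavy and len(sources) >= 3 else "other"
    return {"sources": len(sources), "qtypes": dict(qtypes), "mx_domains": len(mx_domains), "verdict": verdict}

SAMPLE = [  # constructed capture: four MX questions from unrelated sources plus one stray A lookup
    ("198.51.100.7", build_query("example.com", 15)),
    ("203.0.113.42", build_query("example.net", 15)),
    ("192.0.2.19", build_query("example.org", 15)),
    ("198.51.100.200", build_query("mail.example.edu", 1)),
    ("203.0.113.9", build_query("example.edu", 15)),
]
```

Run profile over a real capture's (source, payload) pairs; a verdict of "other" with few distinct sources is what a stale cache or a single registration would look like.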