Security Incidents mailing list archives
Re: strange DNS behavior over the last 2 days
From: Jacco Tunnissen <jacco () honeypots net>
Date: Sat, 29 Mar 2003 09:19:27 +0100
On Thu, Mar 27, 2003 at 06:18:15PM -0800, Chris Wilkes wrote:
You can also install http://www.ethereal.org on your Windows box and find out what queries it is sending out. You might think your asking for the DNS entry for "example.com" but really you're asking for "example.com.mylocaldomain.com" I have a feeling that could be your problem.
Hello Chris, That might very well be the case, indeed. If so, that DNS (or ADS) has to be fixed immediately. A lot of DNS implementations (especially Microsoft ones) are causing bogus queries received at the root servers, due to misconfigured servers and workstations. It's a real pain. If you -as as reader of this list- are responsible for DNS in your organization, perhaps you can help to reduce bogus DNS queries by carefully reading the following three documents and fix the problem. 1. DNS Damage - Measurements at a Root Server http://www.caida.org/outreach/presentations/ietf0112/dns.damage.html Presentation which discusses bogus queries received at the root servers: non-stop repeated queries, bogus A-queries, bogus TLD's, internal names and private address space leaking out to the Internet. 2. The Heartbeat of Private Nets: Spectroscopy of DNS Update Traffic http://www.caida.org/~broido/dns/rfc1918.html Paper which classifies the attempts to dynamically update DNS records primarily for private (RFC1918) blocks by analyzing the frequency spectrum of update packets seen at one of the authoritative servers for RFC1918 zones. 3. Wow, That's a Lot of Packets (PDF file) http://www.caida.org/outreach/papers/2003/dnspackets/wessels-pam2003.pdf Paper that analyzes the queries that arrive at the thirteen root servers in a 24-hour time period. The data is classified into one of nine categories. By far, most of the queries are repeats and only a small percentage is legitimate. Also discusses root server abuse. Best regards, Jacco Tunnissen -- http://www.honeypots.net/ Intrusion Detection Systems, Honeypots, Incident Response ---------------------------------------------------------------------------- Powerful Anti-Spam Management and More... SurfControl E-mail Filter puts the brakes on spam, viruses and malicious code. Safeguard your business critical communications. Download a free 30-day trial: http://www.surfcontrol.com/go/zsfihl1
Current thread:
- strange DNS behavior over the last 2 days steve baker (Mar 27)
- Re: strange DNS behavior over the last 2 days Chris Wilkes (Mar 27)
- Re: strange DNS behavior over the last 2 days Jacco Tunnissen (Mar 29)
- RE: strange DNS behavior over the last 2 days John S. Pitts (Mar 31)
- Re: strange DNS behavior over the last 2 days Jacco Tunnissen (Mar 29)
- <Possible follow-ups>
- Re: strange DNS behavior over the last 2 days jinyean tan (Mar 27)
- RE: strange DNS behavior over the last 2 days Levinson, Karl (Mar 29)
- Re: strange DNS behavior over the last 2 days Jacob (Mar 29)
- Re: strange DNS behavior over the last 2 days Chris Wilkes (Mar 27)