nanog mailing list archives

Re: How to track DNS resolution sources

From: Stephane Bortzmeyer <bortzmeyer () nic fr>
Date: Wed, 3 Dec 2014 17:56:23 +0100

On Wed, Dec 03, 2014 at 05:22:58PM +0100,
 Notify Me <notify.sina () gmail com> wrote 
 a message of 13 lines which said:

I hope I'm wording this correctly.


Not really :-)

I had a incident at a client site where a DNS record was being
spoofed.


How do you know? What steps did you use to assert this? Answers to
these questions would help to understand your problem.

How does one track down the IP address that's returning the false
records ?


If it's real DNS spoofing (which I doubt), the source IP address of
the poisoner is forged, so it would not help.

The main tool to use is dig. Let's assume the name that bothers you is
foobar.example.com. Query your local resolver:

dig A foobar.example.com

Query an external resolver, here Google Public DNS:

dig @8.8.4.4 A foobar.example.com

Query the authoritative name servers of example.com. First, to find them:

dig NS example.com

Second, query them (replace the server name by the real one):

dig @a.iana-servers.net. A foobar.example.com

Current thread:

How to track DNS resolution sources Notify Me (Dec 03)
- Re: How to track DNS resolution sources TR Shaw (Dec 03)
  - Re: How to track DNS resolution sources Stephane Bortzmeyer (Dec 03)
- Re: How to track DNS resolution sources Stephane Bortzmeyer (Dec 03)
  - RE: How to track DNS resolution sources teleric team (Dec 03)
- Message not available
  - Re: How to track DNS resolution sources Notify Me (Dec 04)