nanog mailing list archives
Re: How to track DNS resolution sources
From: Stephane Bortzmeyer <bortzmeyer () nic fr>
Date: Wed, 3 Dec 2014 17:56:23 +0100
On Wed, Dec 03, 2014 at 05:22:58PM +0100, Notify Me <notify.sina () gmail com> wrote a message of 13 lines which said:
> I hope I'm wording this correctly.

Not really :-)

> I had an incident at a client site where a DNS record was being spoofed.

How do you know? What steps did you use to assert this? Answers to these questions would help to understand your problem.

> How does one track down the IP address that's returning the false records?

If it's real DNS spoofing (which I doubt), the source IP address of the poisoner is forged, so it would not help.

The main tool to use is dig. Let's assume the name that bothers you is foobar.example.com.

Query your local resolver:

dig A foobar.example.com

Query an external resolver, here Google Public DNS:

dig @8.8.4.4 A foobar.example.com

Query the authoritative name servers of example.com. First, to find them:

dig NS example.com

Second, query them (replace the server name by the real one):

dig @a.iana-servers.net. A foobar.example.com
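The dig sequence above, wrapped into a small POSIX sh script that runs the three queries (local resolver, external resolver, authoritative server) and compares the A records each one returns. This is an added example, not code from the original post. It keeps the post's placeholders foobar.example.com, 8.8.4.4 and a.iana-servers.net; the sample dig outputs embedded below are constructed (documentation address ranges) so the comparison logic can be exercised without network access, and live_check is the function to call with a real name and a real authoritative server.

```sh
#!/bin/sh
# Added example (not from the original post): compare the A records for one
# name as seen by the local resolver, an external resolver and an
# authoritative server, following the dig sequence in the post.

# normalize_answers RAW_DIG_SHORT_OUTPUT
# Keeps only IPv4 addresses (dropping the CNAME target that "dig +short"
# prints first when the name is an alias), sorted and de-duplicated, joined
# by single spaces, so two answer sets can be compared as strings.
normalize_answers() {
    printf '%s\n' "$1" \
      | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' \
      | sort -u \
      | tr '\n' ' ' \
      | sed 's/ *$//'
}

# compare_answers LOCAL EXTERNAL AUTHORITATIVE
# Each argument is the raw output of "dig +short A <name>" against that
# server. The authoritative answer is the reference; prints one line per
# view and returns 0 only when all three agree.
compare_answers() {
    auth_set=$(normalize_answers "$3")
    local_set=$(normalize_answers "$1")
    ext_set=$(normalize_answers "$2")
    status=0
    if [ -z "$auth_set" ]; then
        echo "authoritative: no A records (NXDOMAIN, NODATA or query failed)"
        status=1
    else
        echo "authoritative: $auth_set"
    fi
    if [ "$local_set" = "$auth_set" ]; then
        echo "local resolver: $local_set (matches authoritative)"
    else
        echo "local resolver: ${local_set:-<empty>} (DIFFERS from authoritative)"
        status=1
    fi
    if [ "$ext_set" = "$auth_set" ]; then
        echo "external resolver: $ext_set (matches authoritative)"
    else
        echo "external resolver: ${ext_set:-<empty>} (DIFFERS from authoritative)"
        status=1
    fi
    return $status
}

# live_check NAME AUTH_SERVER [EXTERNAL_RESOLVER]
# The same comparison with real queries. Not run here: it needs dig and
# network access. Find AUTH_SERVER first with: dig +short NS example.com
live_check() {
    name=$1
    auth=$2
    ext=${3:-8.8.4.4}
    compare_answers \
        "$(dig +short A "$name")" \
        "$(dig +short @"$ext" A "$name")" \
        "$(dig +short @"$auth" A "$name")"
}

# Constructed sample outputs (documentation address ranges, not real data):
# the authoritative and external views agree, the local resolver hands back
# a CNAME to a different target with a different address.
SAMPLE_AUTH="192.0.2.10
192.0.2.11"
SAMPLE_EXT="192.0.2.11
192.0.2.10"
SAMPLE_LOCAL="cdn.example.net.
198.51.100.7"

if compare_answers "$SAMPLE_LOCAL" "$SAMPLE_EXT" "$SAMPLE_AUTH"; then
    echo "demo: all three views agree"
else
    echo "demo: at least one view disagrees with the authoritative servers"
fi

# Real use, e.g.: live_check foobar.example.com a.iana-servers.net
```

A mismatch is a lead, not a verdict: split-horizon zones, CDN or GeoDNS answers that vary by client location, and a stale cache still inside the old TTL all produce different answers without any poisoning. Repeating the authoritative query against every NS the zone lists, and from a second vantage point, narrows that down before anyone calls it spoofing.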
Current thread:
- How to track DNS resolution sources Notify Me (Dec 03)
- Re: How to track DNS resolution sources TR Shaw (Dec 03)
- Re: How to track DNS resolution sources Stephane Bortzmeyer (Dec 03)
- Re: How to track DNS resolution sources Stephane Bortzmeyer (Dec 03)
- RE: How to track DNS resolution sources teleric team (Dec 03)
- Re: How to track DNS resolution sources Notify Me (Dec 04)
- Re: How to track DNS resolution sources TR Shaw (Dec 03)