Re: strange DNS behavior over the last 2 days
From: Jacco Tunnissen (jacco@honeypots.net)
Date: 03/29/03
Date: Sat, 29 Mar 2003 09:19:27 +0100 From: Jacco Tunnissen <jacco@honeypots.net> To: incidents@securityfocus.com
On Thu, Mar 27, 2003 at 06:18:15PM -0800, Chris Wilkes wrote:
>You can also install http://www.ethereal.org on your Windows box and find
>out what queries it is sending out. You might think you're asking for the DNS
>entry for "example.com" but really you're asking for
>"example.com.mylocaldomain.com". I have a feeling that could be your
>problem.
Hello Chris,
That might very well be the case, indeed. If so, that DNS (or ADS) has to be
fixed immediately.
A lot of DNS implementations (especially Microsoft ones) are causing bogus
queries received at the root servers, due to misconfigured servers and
workstations. It's a real pain.
If you -as a reader of this list- are responsible for DNS in your
organization, perhaps you can help to reduce bogus DNS queries by carefully
reading the following three documents and fixing the problem.
1. DNS Damage - Measurements at a Root Server
http://www.caida.org/outreach/presentations/ietf0112/dns.damage.html
Presentation which discusses bogus queries received at the root servers:
non-stop repeated queries, bogus A-queries, bogus TLDs, internal names and
private address space leaking out to the Internet.
2. The Heartbeat of Private Nets: Spectroscopy of DNS Update Traffic
http://www.caida.org/~broido/dns/rfc1918.html
Paper which classifies the attempts to dynamically update DNS records
primarily for private (RFC1918) blocks by analyzing the frequency spectrum
of update packets seen at one of the authoritative servers for RFC1918
zones.
3. Wow, That's a Lot of Packets (PDF file)
http://www.caida.org/outreach/papers/2003/dnspackets/wessels-pam2003.pdf
Paper that analyzes the queries that arrive at the thirteen root servers in
a 24-hour time period. The data is classified into one of nine categories.
By far, most of the queries are repeats and only a small percentage is
legitimate. Also discusses root server abuse.
Best regards,
Jacco Tunnissen
-- http://www.honeypots.net/ Intrusion Detection Systems, Honeypots, Incident Response
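The symptoms described in this thread (search-list suffixing of public names, internal names and RFC 1918 reverse lookups leaking out, bogus TLDs, and non-stop repeated queries) can be spotted on the resolver side before they ever reach a root server. The following is an added example, not code from the post or from the CAIDA papers: a small Python classifier run over a constructed query log. The log format (timestamp, client, qname, qtype), the local search domain `mylocaldomain.com`, and the short TLD allowlist are assumptions made for the example.

```python
"""Classify outbound DNS queries for the misconfiguration symptoms named in the thread.

Constructed example (not from the mailing-list post). Each log line is assumed
to be "timestamp client qname qtype". Queries are tagged as:
  - search-list-suffixed : a public name with the local search domain appended
  - internal-name        : a name under a non-public suffix (.local, the corporate domain, ...)
  - rfc1918-ptr-leak     : a PTR lookup for private (RFC 1918) address space
  - bogus-tld            : a top-level label not in the (constructed) allowlist
  - repeated             : the same client asking the same question over and over
"""
import ipaddress
from collections import Counter

LOCAL_DOMAIN = "mylocaldomain.com"            # assumption: the site's own search suffix
KNOWN_TLDS = {"com", "net", "org", "edu", "gov", "mil", "arpa", "de", "nl", "uk"}  # constructed subset
INTERNAL_SUFFIXES = ("local", "localdomain", "workgroup", LOCAL_DOMAIN)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log: one line per query seen leaving the site resolver.
SAMPLE_LOG = """\
1048923567 192.168.1.10 example.com.mylocaldomain.com A
1048923567 192.168.1.10 example.com A
1048923568 192.168.1.11 10.1.168.192.in-addr.arpa PTR
1048923568 192.168.1.12 fileserver.local A
1048923569 192.168.1.13 printer.workgroup A
1048923570 192.168.1.14 www.example.com A
1048923571 192.168.1.14 www.example.com A
1048923572 192.168.1.14 www.example.com A
1048923573 192.168.1.14 www.example.com A
1048923574 192.168.1.15 host.invalidtld A
"""


def parse_line(line):
    """Split one log line into a dict; qname is normalised (lower-case, no trailing dot)."""
    ts, client, qname, qtype = line.split()
    return {"ts": int(ts), "client": client,
            "qname": qname.rstrip(".").lower(), "qtype": qtype.upper()}


def ptr_to_ip(qname):
    """Turn 'd.c.b.a.in-addr.arpa' back into the IPv4 address a.b.c.d, or None."""
    suffix = ".in-addr.arpa"
    if not qname.endswith(suffix):
        return None
    labels = qname[:-len(suffix)].split(".")
    if len(labels) != 4:
        return None
    try:
        return ipaddress.ip_address(".".join(reversed(labels)))
    except ValueError:
        return None


def classify(q):
    """Return the list of problem tags for a single query (empty list = looks legitimate)."""
    name, tags = q["qname"], []
    if q["qtype"] == "PTR":
        ip = ptr_to_ip(name)
        if ip is not None and any(ip in net for net in RFC1918):
            tags.append("rfc1918-ptr-leak")
        return tags
    suffix = "." + LOCAL_DOMAIN
    if name.endswith(suffix):
        inner = name[:-len(suffix)]
        # "example.com" + local suffix: the stub resolver's search list extended a public name
        if "." in inner and inner.rsplit(".", 1)[1] in KNOWN_TLDS:
            tags.append("search-list-suffixed")
            return tags
    if any(name == s or name.endswith("." + s) for s in INTERNAL_SUFFIXES):
        tags.append("internal-name")
    elif name.rsplit(".", 1)[-1] not in KNOWN_TLDS:
        tags.append("bogus-tld")
    return tags


def analyze(log_text, repeat_threshold=3):
    """Classify every query; also tag (client, qname, qtype) triples seen >= repeat_threshold times."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    key = lambda q: (q["client"], q["qname"], q["qtype"])
    counts = Counter(key(q) for q in records)
    results = []
    for q in records:
        tags = classify(q)
        if counts[key(q)] >= repeat_threshold:
            tags.append("repeated")
        results.append((q, tags or ["ok"]))
    summary = Counter(t for _, tags in results for t in tags)
    return results, summary


if __name__ == "__main__":
    results, summary = analyze(SAMPLE_LOG)
    for q, tags in results:
        print(f"{q['client']:15} {q['qtype']:4} {q['qname']:40} {','.join(tags)}")
    print("summary:", dict(summary))
```

Anything tagged other than `ok` points at a client or zone that needs fixing locally: a search-list hit means the stub resolver is appending the site suffix to already-qualified names, an internal-name or RFC 1918 PTR hit means the site's own zones are not being answered (or blocked) before the query escapes to the Internet.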