Full Disclosure mailing list archives
Re: Question for DNS pros
From: Paul Schmehl <pauls () utdallas edu>
Date: Fri, 23 Jul 2004 17:11:10 -0500
--On Friday, July 23, 2004 09:50:44 PM +0200 Oliver () greyhat de wrote:
hm... you could also try reverse lookups for all existing IP addresses in the world :)
Well, no, because that wouldn't solve the problem. A host on our network is being queried quite regularly on udp/53 by other hosts. A review of the packets reveals that these other hosts believe that our host is a DNS server. (AAMOF the IP address isn't even in use at the present time.)
Now, if you do a reverse lookup for that IP, *our* DNS servers, which are authoritative for our network will tell you what the hostname is. But that isn't what I want to know. Obviously, a simple dig -x IP will tell me that.
What I want to know is *why* do these "foreign" hosts think an IP on my network is serving DNS when there's not even a host at that address.
I can think of two possibilities:

1) At some time in the past, a host *was* serving DNS at that address and some "foreign" hosts have cached the address.
2) Someone somewhere has registered a domain and used our IP address for one of their "nameservers" in the registration.

(If anyone can think of other explanations, please let me know.)

Now how is a reverse lookup going to help you with that? It would be trivial to write a Perl script that did reverse lookups for every IP on the Internet and wrote the responses to a comma-delimited file, but the resulting file would be useless to solve the problem that I'm trying to solve.
And for those who were thinking "just do a tcpdump", here's what *that* looks like - no domain info there -
17:01:44.646943 x.x.x.x.17388 > xxxxxx.utdallas.edu.domain: 48072 NS? . (17)
17:01:45.386919 x.x.x.x.17388 > xxxxxx.utdallas.edu.domain: 48073 NS? . (17)
17:01:46.153402 x.x.x.x.17388 > xxxxxx.utdallas.edu.domain: 48074 NS? . (17)
17:01:47.657898 x.x.x.x.17388 > xxxxxx.utdallas.edu.domain: 1084 PTR? 63.37.110.129.in-addr.arpa. (44)
17:01:48.399150 x.x.x.x.17388 > xxxxxx.utdallas.edu.domain: 1085 PTR? 63.37.110.129.in-addr.arpa. (44)
17:01:49.144398 x.x.x.x.17388 > xxxxxx.utdallas.edu.domain: 1086 PTR? 63.37.110.129.in-addr.arpa. (44)
The best suggestion yet has been to set up a name server at that address with verbose logging. That's probably what I will do next week.
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
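As an added example (not from the post or anyone in the thread), a small Python script that parses tcpdump DNS query summaries like the ones quoted above and tallies, per querying host, which names and record types are asked for and whether the Recursion Desired flag was set. It assumes tcpdump's default query-summary format; the sample input is constructed and modelled on the post's lines.

```python
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the tcpdump lines quoted in the post
# (the querying host is anonymised there as x.x.x.x, the target as xxxxxx.utdallas.edu).
SAMPLE = """\
17:01:44.646943 x.x.x.x.17388 > xxxxxx.utdallas.edu.domain: 48072 NS? . (17)
17:01:45.386919 x.x.x.x.17388 > xxxxxx.utdallas.edu.domain: 48073 NS? . (17)
17:01:46.153402 x.x.x.x.17388 > xxxxxx.utdallas.edu.domain: 48074 NS? . (17)
17:01:47.657898 x.x.x.x.17388 > xxxxxx.utdallas.edu.domain: 1084 PTR? 63.37.110.129.in-addr.arpa. (44)
17:01:48.399150 x.x.x.x.17388 > xxxxxx.utdallas.edu.domain: 1085 PTR? 63.37.110.129.in-addr.arpa. (44)
17:01:49.144398 x.x.x.x.17388 > xxxxxx.utdallas.edu.domain: 1086 PTR? 63.37.110.129.in-addr.arpa. (44)
"""

# tcpdump's DNS query summary: "<ts> <src>.<sport> > <dst>.<dport>: <id>[+] <QTYPE>? <qname> (<len>)".
# tcpdump prints "+" after the query id when the Recursion Desired (RD) flag is set.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\S+)\.(?P<dport>\w+):\s+(?P<id>\d+)(?P<rd>\+?)\s+"
    r"(?P<qtype>[A-Z0-9]+)\?\s+(?P<qname>\S+)\s+\((?P<len>\d+)\)$"
)

def parse_query(line):
    """Return the fields of one tcpdump DNS query line, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    q = m.groupdict()
    q["id"], q["len"], q["rd"] = int(q["id"]), int(q["len"]), q["rd"] == "+"
    return q

def summarize(text):
    """Per querying host: total queries, how many had RD set, and a count per (qtype, qname)."""
    report = defaultdict(lambda: {"total": 0, "rd_set": 0, "by_query": Counter()})
    for line in text.splitlines():
        q = parse_query(line)
        if q is None:
            continue  # skip non-query lines (responses, other protocols, noise)
        r = report[q["src"]]
        r["total"] += 1
        r["rd_set"] += int(q["rd"])
        r["by_query"][(q["qtype"], q["qname"])] += 1
    return dict(report)

if __name__ == "__main__":
    for src, r in summarize(SAMPLE).items():
        print(f"{src}: {r['total']} queries, {r['rd_set']} with RD set")
        for (qtype, qname), n in r["by_query"].most_common():
            print(f"  {n:3d}  {qtype:5s} {qname}")
```

None of the quoted lines carries a "+", so RD is clear on all of them, which is how a resolver queries a server it treats as authoritative rather than as a forwarder; tallying that per source is a cheap first pass before standing up the verbosely logging name server the post proposes.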