Re: Unusual DNS requests (not related to previous DNS thread)

[<measl () mfn org>]

On Tue, 15 Jan 2002, Ryan Russell wrote:

> On Mon, 14 Jan 2002 measl () mfn org wrote:
> > So far, so good.  The request is for a PTR
> > record: 0.xxx.xxx.xx.in-addr.arpa.  No, that's not a typo, they are
> > requesting reverse for the network address at .0.
>
> Don't get too worried about the 0. part... recall that these are in
> reverse order, so the guy is asking for a name for x.y.z.0.

Yes, I know - look up top :-)

> Or maybe
> that's what you were worried about.  It's not common but, depending on
> subnet mask, .0 addresses aren't always reserved.

Sorry I failed to post the mask (/24).  And I thoroughly realize that even as
a /24 this is not necessarily an "invalid" request, merely a
"strange" request for a machine not local to the subnet.
 
> > A packet capture shows
> > absolutely nothing out of the ordinary, other than the freaky request, and
> > the regularity of the requests, about one request every five seconds, round
> > the clock.
>
> So this begs the question... is this DNS server supposed to be serving
> in-addr.arpa records?  

Why this question (yes, it serves up PTR)?

> I.e. is it reverse for some network addresss range?
> If so, is there a possibility that that network range is a smurf
> amplifier?

I briefly considered this very question, however, they are not using any gear
(only the older 4.3 BSD boxen really had a reputation for doing this,
right?) which responds to this address - I've personally been down this road
with them.  

My final guess was (in order) (a) a misconfigured box somehow generating this
valid but nonsensical request (and the customer seeing the request on his
IDS); (b) some kind of discovery mechanism ala' Akamia, Quova, etc...


>                                       Ryan

-- 
Yours, 
J.A. Terranson
sysadmin () mfn org

If Governments really want us to behave like civilized human beings, they
should give serious consideration towards setting a better example:
Ruling by force, rather than consensus; the unrestrained application of
unjust laws (which the victim-populations were never allowed input on in
the first place); the State policy of justice only for the rich and 
elected; the intentional abuse and occassionally destruction of entire
populations merely to distract an already apathetic and numb electorate...
This type of demogoguery must surely wipe out the fascist United States
as surely as it wiped out the fascist Union of Soviet Socialist Republics.

The views expressed here are mine, and NOT those of my employers,
associates, or others.  Besides, if it *were* the opinion of all of
those people, I doubt there would be a problem to bitch about in the
first place...
--------------------------------------------------------------------



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com