Security Incidents mailing list archives

Re: Win2k Machine contacting Root Server???


From: Valdis.Kletnieks () vt edu
Date: Fri, 24 Mar 2006 16:41:29 -0500

On Fri, 24 Mar 2006 04:49:18 EST, somebody said:

(Sorry, am replying to a reply rather than original...)

I recently ran "netstat" on my personal laptop (running Win2k) and was 
shocked to see that it had been making TCP connections to the root servers 
(to their domain port). I know that some DNS queries are performed using 
TCP, but I find it somewhat disturbing that the root servers were 
involved.

A common cause of this is if the Windows box has been told to register its
DHCP address in Active Directory, but the AD DNS isn't configured for that.
The box then goes and asks the root servers where to find the AD.

It's particularly a big problem for RFC1918 address spaces leaking out
of a corporate net.

Another big source of pollution is PTR lookups for 1918 addresses.

http://www.caida.org/publications/papers/2004/dns-pollution/
http://www.caida.org/publications/papers/2003/dnsspectroscopy-full/

And some 98% (yes, 98%) of the packets reaching a root nameserver are bogus:

http://www.caida.org/publications/papers/2003/dnspackets/

Makes you wonder how it keeps working at all....
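
The PTR-lookup leak mentioned in the message can be checked for in a resolver or firewall query log. The following is an added example, not part of the original message: the four-field log format, the function names and the sample lines are assumptions made for illustration, and 192.0.2.53 is a documentation-range stand-in for any server outside the local network. It flags only full reverse names (d.c.b.a.in-addr.arpa) for RFC 1918 addresses that were sent to a server outside RFC 1918 space.

```python
import ipaddress

# RFC 1918 blocks listed explicitly; ipaddress's is_private also covers other
# reserved ranges (e.g. the documentation address used as a stand-in below).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def in_rfc1918(ip):
    return any(ip in net for net in RFC1918)

def ptr_name_to_ip(qname):
    """Decode a full d.c.b.a.in-addr.arpa name to an IPv4 address, else None."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    try:
        return ipaddress.IPv4Address(".".join(reversed(labels[:4])))
    except ValueError:
        return None

def find_leaks(log_lines):
    """Return (client, server, qname) for RFC 1918 PTR queries sent off-net."""
    leaks = []
    for line in log_lines:
        fields = line.split()
        if len(fields) != 4 or fields[2] != "PTR":
            continue
        client, server, _, qname = fields
        target = ptr_name_to_ip(qname)
        if target is None or not in_rfc1918(target):
            continue
        if not in_rfc1918(ipaddress.ip_address(server)):
            leaks.append((client, server, qname))
    return leaks

# Constructed sample log: client, server queried, query type, query name.
SAMPLE_LOG = [
    "192.168.1.23 192.168.1.1 PTR 5.1.168.192.in-addr.arpa.",  # internal resolver
    "192.168.1.23 192.0.2.53 PTR 5.1.168.192.in-addr.arpa.",   # leak
    "192.168.1.23 192.0.2.53 PTR 4.0.41.198.in-addr.arpa.",    # public address
    "10.0.0.7 192.0.2.53 A www.example.com.",                  # not a PTR query
    "10.0.0.7 192.0.2.53 PTR 9.0.20.172.in-addr.arpa.",        # leak (172.20.0.9)
    "10.0.0.7 192.0.2.53 PTR 9.0.32.172.in-addr.arpa.",        # 172.32.0.9: public
]

if __name__ == "__main__":
    for client, server, qname in find_leaks(SAMPLE_LOG):
        print(f"{client} -> {server}: {qname}")
```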
