Re: Unusual DNS requests (not related to previous DNS thread)

From: Greg A. Woods (woodsat_private)
Date: Thu Jan 17 2002 - 20:12:19 PST


    [ On Thursday, January 17, 2002 at 20:22:52 (-0600), measlat_private wrote: ]
    > Subject: Re: Unusual DNS requests (not related to previous DNS thread)
    >
    > Sorry I failed to post the mask (/24).  And I thoroughly realize that even as
    > a /24 this is not necessarily an "invalid" request, merely a
    > "strange" request for a machine not local to the subnet.
    
    It's not even vaguely strange.  PLEASE read RFC 1101!!!!!
    
    Even if the zone "xxx.xxx.xx.in-addr.arpa" (for whatever value of 'x's
    you curiously obfuscated for no possibly valid reason -- information
    published in the DNS is public knowledge, by definition) is not
    officially delegated to your nameserver, it's not unlikely for some
    other mis-configured nameserver to believe yours might be able to answer
    such a query.
    
    Finally it's entirely possible some curious soul was simply asking your
    nameserver directly if it knew any network name for that IP network.
    
    In the end NO properly formed DNS query is ever "strange" or "freaky" or
    even unexpected, even if there's no nameserver advertised at the
    destination address!  Expect anything -- you will get it.
    
    -- 
    								Greg A. Woods
    
    +1 416 218-0098;  <gwoodsat_private>;  <g.a.woodsat_private>;  <woodsat_private>
    Planix, Inc. <woodsat_private>; VE3TCP; Secrets of the Weird <woodsat_private>
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
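
As an added illustration (not part of the original message or of any tool mentioned in the thread): RFC 1101 publishes a network's name as a PTR record at the network number itself, so a reverse query whose host bits are all zero is an ordinary network-name lookup. The sketch below sorts reverse query names from a log into those cases; the function names, the class labels and the sample names are assumptions constructed for this example, and the /24 default comes from the quoted message.

```python
from collections import Counter

SUFFIX = ".in-addr.arpa"

def classify_reverse_qname(qname, prefix_len=24):
    """Classify an IPv4 reverse-lookup name taken from a query log.

    prefix_len is the local mask (assumed /24, as in the quoted message).
    """
    name = qname.rstrip(".").lower()
    if not name.endswith(SUFFIX):
        return "not-reverse"
    labels = name[: -len(SUFFIX)].split(".")
    if len(labels) > 4 or not all(
        l.isascii() and l.isdigit() and int(l) <= 255 for l in labels
    ):
        # Not plain octet labels; left for manual review.
        return "unparsed"
    if len(labels) < 4:
        # Fewer than four octets names a zone, not a single address.
        return "zone-level"
    # Labels are stored least-significant octet first; reverse them.
    value = int.from_bytes(bytes(int(l) for l in reversed(labels)), "big")
    host_bits = (1 << (32 - prefix_len)) - 1
    # All host bits zero: the network number itself, which is where
    # RFC 1101 puts the PTR record carrying the network's name.
    return "network-name" if value & host_bits == 0 else "host-ptr"

def summarize(qnames, prefix_len=24):
    """Count query names per class for a quick triage view."""
    return Counter(classify_reverse_qname(q, prefix_len) for q in qnames)

# Constructed sample names (documentation range 192.0.2.0/24), not from the thread.
SAMPLE_QNAMES = [
    "0.2.0.192.in-addr.arpa.",
    "17.2.0.192.in-addr.arpa",
    "2.0.192.IN-ADDR.ARPA",
    "300.2.0.192.in-addr.arpa",
    "www.example.com",
]

if __name__ == "__main__":
    for q in SAMPLE_QNAMES:
        print(f"{q:28} {classify_reverse_qname(q)}")
```
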
    



    This archive was generated by hypermail 2b30 : Fri Jan 18 2002 - 08:40:14 PST