Re: strange DNS behavior over the last 2 days

From: Jacco Tunnissen (jaccoat_private)
Date: Sat Mar 29 2003 - 00:19:27 PST

Next message: Wilson, Aaron J.: "SQL Slammer Variant?"

Previous message: Jacob: "Re: strange DNS behavior over the last 2 days"
In reply to: Chris Wilkes: "Re: strange DNS behavior over the last 2 days"
Next in thread: John S. Pitts: "RE: strange DNS behavior over the last 2 days"
Next in thread: jinyean tan: "Re: strange DNS behavior over the last 2 days"
Reply: John S. Pitts: "RE: strange DNS behavior over the last 2 days"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Mar 27, 2003 at 06:18:15PM -0800, Chris Wilkes wrote:

>You can also install http://www.ethereal.org on your Windows box and find
>out what queries it is sending out. You might think your asking for the DNS
>entry for "example.com" but really you're asking for
>"example.com.mylocaldomain.com" I have a feeling that could be your
>problem.

Hello Chris,

That might very well be the case, indeed. If so, that DNS (or ADS) has to be
fixed immediately.

A lot of DNS implementations (especially Microsoft ones) are causing bogus
queries received at the root servers, due to misconfigured servers and
workstations. It's a real pain.

If you -as as reader of this list- are responsible for DNS in your
organization, perhaps you can help to reduce bogus DNS queries by carefully
reading the following three documents and fix the problem.

1. DNS Damage - Measurements at a Root Server

http://www.caida.org/outreach/presentations/ietf0112/dns.damage.html

Presentation which discusses bogus queries received at the root servers:
non-stop repeated queries, bogus A-queries, bogus TLD's, internal names and
private address space leaking out to the Internet.

2. The Heartbeat of Private Nets: Spectroscopy of DNS Update Traffic

http://www.caida.org/~broido/dns/rfc1918.html

Paper which classifies the attempts to dynamically update DNS records
primarily for private (RFC1918) blocks by analyzing the frequency spectrum
of update packets seen at one of the authoritative servers for RFC1918
zones.

3. Wow, That's a Lot of Packets (PDF file)

http://www.caida.org/outreach/papers/2003/dnspackets/wessels-pam2003.pdf

Paper that analyzes the queries that arrive at the thirteen root servers in
a 24-hour time period. The data is classified into one of nine categories.
By far, most of the queries are repeats and only a small percentage is
legitimate. Also discusses root server abuse.

Best regards,

Jacco Tunnissen
-- 
http://www.honeypots.net/
Intrusion Detection Systems,
Honeypots, Incident Response

----------------------------------------------------------------------------
Powerful Anti-Spam Management and More...
SurfControl E-mail Filter puts the brakes on spam,
viruses and malicious code. Safeguard your business
critical communications. Download a free 30-day trial:
http://www.surfcontrol.com/go/zsfihl1

Next message: Wilson, Aaron J.: "SQL Slammer Variant?"
Previous message: Jacob: "Re: strange DNS behavior over the last 2 days"
In reply to: Chris Wilkes: "Re: strange DNS behavior over the last 2 days"
Next in thread: John S. Pitts: "RE: strange DNS behavior over the last 2 days"
Next in thread: jinyean tan: "Re: strange DNS behavior over the last 2 days"
Reply: John S. Pitts: "RE: strange DNS behavior over the last 2 days"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sat Mar 29 2003 - 10:06:47 PST