You did mean http://www.ethereal.com Right? -----Original Message----- From: Jacco Tunnissen [mailto:jaccoat_private] Sent: Saturday, March 29, 2003 12:19 AM To: incidentsat_private Subject: Re: strange DNS behavior over the last 2 days On Thu, Mar 27, 2003 at 06:18:15PM -0800, Chris Wilkes wrote: >You can also install http://www.ethereal.org on your Windows box and find >out what queries it is sending out. You might think your asking for the DNS >entry for "example.com" but really you're asking for >"example.com.mylocaldomain.com" I have a feeling that could be your >problem. Hello Chris, That might very well be the case, indeed. If so, that DNS (or ADS) has to be fixed immediately. A lot of DNS implementations (especially Microsoft ones) are causing bogus queries received at the root servers, due to misconfigured servers and workstations. It's a real pain. If you -as as reader of this list- are responsible for DNS in your organization, perhaps you can help to reduce bogus DNS queries by carefully reading the following three documents and fix the problem. 1. DNS Damage - Measurements at a Root Server http://www.caida.org/outreach/presentations/ietf0112/dns.damage.html Presentation which discusses bogus queries received at the root servers: non-stop repeated queries, bogus A-queries, bogus TLD's, internal names and private address space leaking out to the Internet. 2. The Heartbeat of Private Nets: Spectroscopy of DNS Update Traffic http://www.caida.org/~broido/dns/rfc1918.html Paper which classifies the attempts to dynamically update DNS records primarily for private (RFC1918) blocks by analyzing the frequency spectrum of update packets seen at one of the authoritative servers for RFC1918 zones. 3. Wow, That's a Lot of Packets (PDF file) http://www.caida.org/outreach/papers/2003/dnspackets/wessels-pam2003.pdf Paper that analyzes the queries that arrive at the thirteen root servers in a 24-hour time period. The data is classified into one of nine categories. By far, most of the queries are repeats and only a small percentage is legitimate. Also discusses root server abuse. Best regards, Jacco Tunnissen -- http://www.honeypots.net/ Intrusion Detection Systems, Honeypots, Incident Response ------------------------------------------------------------------------ ---- Powerful Anti-Spam Management and More... SurfControl E-mail Filter puts the brakes on spam, viruses and malicious code. Safeguard your business critical communications. Download a free 30-day trial: http://www.surfcontrol.com/go/zsfihl1 ---------------------------------------------------------------------------- Powerful Anti-Spam Management and More... SurfControl E-mail Filter puts the brakes on spam, viruses and malicious code. Safeguard your business critical communications. Download a free 30-day trial: http://www.surfcontrol.com/go/zsfihl1
This archive was generated by hypermail 2b30 : Mon Mar 31 2003 - 14:02:22 PST