RE: strange DNS behavior over the last 2 days

From: John S. Pitts (jpittsat_private)
Date: Sat Mar 29 2003 - 10:31:15 PST


    You did mean http://www.ethereal.com
    
    Right?
    
    -----Original Message-----
    From: Jacco Tunnissen [mailto:jaccoat_private] 
    Sent: Saturday, March 29, 2003 12:19 AM
    To: incidentsat_private
    Subject: Re: strange DNS behavior over the last 2 days
    
    On Thu, Mar 27, 2003 at 06:18:15PM -0800, Chris Wilkes wrote:
    
    >You can also install http://www.ethereal.org on your Windows box and
    >find out what queries it is sending out. You might think you're asking
    >for the DNS entry for "example.com" but really you're asking for
    >"example.com.mylocaldomain.com". I have a feeling that could be your
    >problem.
    
    Hello Chris,
    
    That might very well be the case, indeed. If so, that DNS (or ADS) has
    to be fixed immediately.
    
    A lot of DNS implementations (especially Microsoft ones) are causing
    bogus queries received at the root servers, due to misconfigured servers
    and workstations. It's a real pain.
    
    If you -as a reader of this list- are responsible for DNS in your
    organization, perhaps you can help to reduce bogus DNS queries by
    carefully reading the following three documents and fixing the problem.
    
    1. DNS Damage - Measurements at a Root Server
    
    http://www.caida.org/outreach/presentations/ietf0112/dns.damage.html
    
    Presentation which discusses bogus queries received at the root servers:
    non-stop repeated queries, bogus A-queries, bogus TLD's, internal names
    and private address space leaking out to the Internet.
    
    2. The Heartbeat of Private Nets: Spectroscopy of DNS Update Traffic
    
    http://www.caida.org/~broido/dns/rfc1918.html
    
    Paper which classifies the attempts to dynamically update DNS records
    primarily for private (RFC1918) blocks by analyzing the frequency
    spectrum of update packets seen at one of the authoritative servers for
    RFC1918 zones.
    
    3. Wow, That's a Lot of Packets (PDF file)
    
    http://www.caida.org/outreach/papers/2003/dnspackets/wessels-pam2003.pdf
    
    Paper that analyzes the queries that arrive at the thirteen root servers
    in a 24-hour time period. The data is classified into one of nine
    categories. By far, most of the queries are repeats and only a small
    percentage is legitimate. Also discusses root server abuse.
    
    Best regards,
    
    Jacco Tunnissen
    -- 
    http://www.honeypots.net/
    Intrusion Detection Systems,
    Honeypots, Incident Response
    
    ----------------------------------------------------------------------------
    Powerful Anti-Spam Management and More...
    SurfControl E-mail Filter puts the brakes on spam,
    viruses and malicious code. Safeguard your business
    critical communications. Download a free 30-day trial:
    http://www.surfcontrol.com/go/zsfihl1
    
    
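The thread above describes several kinds of bogus DNS traffic that leak out of a site: a search suffix appended to a name that already had a TLD (Chris's "example.com.mylocaldomain.com"), non-stop repeated queries, A-queries for IP-address literals, bogus TLDs, and reverse lookups or dynamic updates for RFC1918 space. The script below is an added example, not code from either poster or from the CAIDA papers; it classifies a constructed query log (fields: time, client, qname, qtype, opcode) into those categories so a DNS administrator can see what their resolver is sending towards the root. The local suffix `corp.example`, the list of bogus TLDs and the repeat threshold are assumptions you would replace with your own values.

```python
import ipaddress
from collections import Counter

# Constructed sample log (not real traffic): one query per line,
# fields: <unix-time> <client-ip> <qname> <qtype> <opcode>
SAMPLE_LOG = """\
1048979100 192.168.1.10 example.com. A QUERY
1048979101 192.168.1.10 example.com.corp.example. A QUERY
1048979102 192.168.1.11 1.1.168.192.in-addr.arpa. PTR QUERY
1048979103 192.168.1.12 fileserver.local. A QUERY
1048979104 192.168.1.12 10.0.0.5. A QUERY
1048979105 192.168.1.13 1.1.168.192.in-addr.arpa. SOA UPDATE
1048979106 192.168.1.14 www.example.net. A QUERY
1048979107 192.168.1.14 www.example.net. A QUERY
1048979108 192.168.1.14 www.example.net. A QUERY
1048979109 192.168.1.14 www.example.net. A QUERY
"""

# Assumption: the organisation's own AD/search domain. It should never show up
# appended to an external name that already ends in a public TLD.
LOCAL_SUFFIXES = ("corp.example",)
# Constructed list of suffixes that are not delegated in the public root zone.
BOGUS_TLDS = {"local", "localdomain", "lan", "home", "workgroup", "invalid"}
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
REPEAT_THRESHOLD = 3  # same (client, qname, qtype) this often => "repeated"


def parse_line(line):
    ts, client, qname, qtype, opcode = line.split()
    return {"ts": int(ts), "client": client,
            "qname": qname.rstrip(".").lower(), "qtype": qtype, "opcode": opcode}


def ptr_address(qname):
    """Turn '1.1.168.192.in-addr.arpa' back into 192.168.1.1 (None if not a v4 PTR name)."""
    suffix = ".in-addr.arpa"
    if not qname.endswith(suffix):
        return None
    octets = qname[:-len(suffix)].split(".")[::-1]
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        return None
    octets += ["0"] * (4 - len(octets))  # pad zone-level names such as '168.192.in-addr.arpa'
    return ipaddress.ip_address(".".join(octets))


def is_private(addr):
    return addr is not None and any(addr in net for net in PRIVATE_NETS)


def classify(rec):
    """Return the list of bogus-query categories one record falls into (empty = looks fine)."""
    tags = []
    qname = rec["qname"]
    labels = qname.split(".")
    # Search suffix appended to a name that already carried its own domain.
    for suffix in LOCAL_SUFFIXES:
        if qname.endswith("." + suffix) and "." in qname[:-len(suffix) - 1]:
            tags.append("search-suffix-appended")
    # An A query whose "name" is really an IP address literal.
    try:
        ipaddress.ip_address(qname)
        tags.append("address-as-name")
    except ValueError:
        pass
    # Top-level label that does not exist in the root zone.
    if labels[-1] in BOGUS_TLDS:
        tags.append("bogus-tld")
    # Reverse lookups or dynamic updates for RFC1918 space leaving the site.
    if is_private(ptr_address(qname)):
        tags.append("rfc1918-update" if rec["opcode"] == "UPDATE" else "rfc1918-ptr")
    return tags


def analyse(log_text):
    """Classify every line; return (list of (record, tags), Counter per category)."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    seen = Counter((r["client"], r["qname"], r["qtype"]) for r in records)
    results, counts = [], Counter()
    for r in records:
        tags = classify(r)
        if seen[(r["client"], r["qname"], r["qtype"])] >= REPEAT_THRESHOLD:
            tags.append("repeated")
        results.append((r, tags))
        counts.update(tags)
    return results, counts


if __name__ == "__main__":
    results, counts = analyse(SAMPLE_LOG)
    for rec, tags in results:
        if tags:
            print(f"{rec['client']:15} {rec['qname']:35} {', '.join(tags)}")
    print("totals:", dict(counts))
```

Run against the constructed log it flags one record in each category and the four identical www.example.net lookups as repeats; in practice you would feed it a resolver query log or a capture exported from Ethereal and treat any "search-suffix-appended" or "rfc1918-*" hit as a resolver or client that needs its suffix list, forwarders or reverse zones fixed before the traffic reaches the root servers.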



    This archive was generated by hypermail 2b30 : Mon Mar 31 2003 - 14:02:22 PST