fulldisclosure logo Full Disclosure mailing list archives

Re: FW: Question for DNS pros
From: Paul Schmehl <pauls () utdallas edu>
Date: Sat, 24 Jul 2004 12:32:31 -0500

--On Saturday, July 24, 2004 10:16 AM -0500 Suzi and Harold VanPatten <vanpattens () knology net> wrote:

> It seems to me you could do this without setting up a dns server. Just
> tcpdump the traffic or sniff or snoop the traffic. If you set it up with
> a snaplength of 1500 you'll get enough of the packet to see exactly what
> dns query is being asked... something like
> tcpdump -n -s 1500 udp and port 53 and host 1.2.3.4

I already did this, and I already posted it here. It didn't reveal anything that I wasn't already aware of - ns requests and ptr requests for that IP.

> then you'll be able to tell if the queries are all for one specific
> domain (meaning something has that IP registered as an authoritative
> server for that domain) or are the queries for many different domains
> meaning people think you have a dns server they can use as a resolver.

As I already stated, they're coming from all over.

> Same with issue number one, once you know the domain they are querying,
> you can find the POC of that domain and get them to fix the problem.
> Hopefully, it is one of these two issues.  Good luck!

That's the one piece I don't have yet - what domain is being queried. Thus the request for suggestions here.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
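The missing piece in the thread is which names the stray queries ask for. The following is an added example, not code from either poster: it parses the question section of DNS query payloads (what a tcpdump capture with snaplen 1500 would contain), tallies them by name and by a rough zone key, and applies the two-case test VanPatten describes (one dominant domain versus many). The sample packets, the 80% threshold and the "last two labels" zone heuristic are constructed assumptions.

```python
import struct
from collections import Counter

QTYPE_NAMES = {1: "A", 2: "NS", 12: "PTR", 15: "MX", 28: "AAAA"}

def build_query(qname, qtype, txid=0x1234):
    """Build a minimal DNS query message; only used here to construct sample payloads."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN

def parse_question(payload):
    """Return (qname, qtype) from the first question of a DNS message (RFC 1035 wire format)."""
    if len(payload) < 12 or struct.unpack("!H", payload[4:6])[0] < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers are not valid in a query's question name
            raise ValueError("compression pointer in question name")
        labels.append(payload[pos:pos + length].decode("ascii"))
        pos += length
    qtype = struct.unpack("!H", payload[pos:pos + 2])[0]
    return ".".join(labels) + ".", qtype

def summarize(payloads):
    """Tally queries by (name, type) and by the name's last two labels (rough zone key)."""
    by_question, by_domain = Counter(), Counter()
    for p in payloads:
        qname, qtype = parse_question(p)
        by_question[(qname, QTYPE_NAMES.get(qtype, str(qtype)))] += 1
        by_domain[".".join(qname.rstrip(".").split(".")[-2:])] += 1
    return by_question, by_domain

def likely_cause(by_domain, threshold=0.8):
    """One dominant domain suggests a stale NS delegation; many domains suggest resolver abuse."""
    total = sum(by_domain.values())
    top, count = by_domain.most_common(1)[0]
    if count / total >= threshold:
        return f"single domain ({top}): this IP is probably listed as its nameserver"
    return "many domains: clients are treating this IP as an open recursive resolver"

# Constructed samples standing in for the UDP payloads a tcpdump capture would show.
STALE_NS = [build_query("www.example.com", 1), build_query("example.com", 2),
            build_query("example.com", 15), build_query("mail.example.com", 1)]
OPEN_RESOLVER = [build_query("www.example.net", 1), build_query("4.3.2.1.in-addr.arpa", 12),
                 build_query("example.org", 2), build_query("ftp.example.com", 1)]
```

On a real capture, feed the UDP payloads of each packet to `summarize` and inspect `by_question` for the actual names before acting on `likely_cause`.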
