Re: FW: Question for DNS pros
From: Paul Schmehl <pauls () utdallas edu>
Date: Sat, 24 Jul 2004 12:32:31 -0500
--On Saturday, July 24, 2004 10:16 AM -0500 Suzi and Harold VanPatten
<vanpattens () knology net> wrote:

I already did this, and I already posted it here. It didn't reveal
anything that I wasn't already aware of - ns requests and ptr requests for

> It seems to me you could do this without setting up a dns server. Just
> tcpdump the traffic or sniff or snoop the traffic. If you set it up with
> a snaplength of 1500 you'll get enough of the packet to see exactly what
> dns query is being asked...something like
>
> tcpdump -n -s 1500 udp and port 53 and host 18.104.22.168
>
> then you'll be able to tell if the queries are all for one specific
> domain (meaning something has that IP registered as an authoritative
> server for that domain) or are the queries for many different domains
> meaning people think you have a dns server they can use as a resolver.

As I already stated, they're coming from all over.

> Same with issue number one, once you know the domain they are querying,
> you can find the POC of that domain and get them to fix the problem.
> Hopefully, it is one of these two issues. Good luck!

That's the one piece I don't have yet - what domain is being queried. Thus
the request for suggestions here.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
Full-Disclosure - We believe in it.
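
The check suggested in the quoted reply (capture the port 53 traffic with a full snaplength, then see whether the question names cluster on one domain or spread over many), as an added example that is not part of the original post. It assumes the UDP payloads have already been pulled out of a capture; the sample payloads are constructed, and the helper names and the two-label `zone_of` rule are assumptions made for illustration.

```python
import struct
from collections import Counter

QTYPES = {1: "A", 2: "NS", 12: "PTR", 15: "MX", 28: "AAAA"}

def parse_question(payload):
    """Return (qname, qtype) for the first question in a DNS query, else None."""
    if len(payload) < 12:
        return None
    _txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount < 1:      # QR bit set means a response
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(payload):            # capture cut short (snaplength too small)
            return None
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length > 63 or pos + length > len(payload):
            return None
        labels.append(payload[pos:pos + length].decode("ascii", "replace").lower())
        pos += length
    if pos + 4 > len(payload):
        return None
    qtype, _qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return ".".join(labels) or ".", QTYPES.get(qtype, str(qtype))

def zone_of(qname, depth=2):
    """Assumption: treat the last `depth` labels as the zone (ignores e.g. co.uk)."""
    return ".".join(qname.split(".")[-depth:])

def summarize(payloads):
    """Count queries per zone; also report how many payloads could not be parsed."""
    zones, skipped = Counter(), 0
    for p in payloads:
        q = parse_question(p)
        if q is None:
            skipped += 1
        else:
            zones[zone_of(q[0])] += 1
    return zones, skipped

def build_query(name, qtype, flags=0x0100):
    """Construct a sample query payload (test data, not captured traffic)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

SAMPLES = [build_query("www.example.com", 1), build_query("example.com", 2),
           build_query("mail.example.com", 15), build_query("example.org", 1)[:20]]
```

A tally dominated by one zone points to the stale-delegation case; a wide spread of zones points to hosts treating the address as a resolver. The skipped count shows how many packets were truncated or were not queries.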