Paul Schmehl wrote:
> Well, no, because that wouldn't solve the problem.
> A host on our network is being queried quite regularly on udp/53 by
> hosts. A review of the packets reveals that these other hosts
> our host is a dns server. (AAMOF the IP address isn't even in use
OK, given this extra information, I see you are making one huge
> Now, if you do a reverse lookup for that IP, *our* DNS servers,
> authoritative for our network will tell you what the hostname is.
> isn't what I want to know. Obviously, a simple dig -x IP will tell
> What I want to know is *why* do these "foreign" hosts think an IP
> network is serving DNS when there's not even a host at that
I think you're assuming that a remote host should only consider this
of yours as a DNS server _if_ that information is _in the DNS,
somewhere_, hence your query -- you're trying to work out how to find
out what part of the DNS thinks this IP of yours is a DNS server.
> I can think of two possibilities:
> 1) At some time in the past, a host *was* serving DNS at that
> some "foreign" hosts have cached the address.
> 2) Someone somewhere has registered a domain and used our IP
> one of their "nameservers" in the registration.
> (If anyone can think of other explanations, please let me know.)
I can think of another...
Several recent malwares (mostly mass-mailing viruses, but some others
too) have hard-coded lists of various servers to fall back on if
(i.e. local to the compromised/victim host) fails. When we first
started to see this tactic (several years ago) it tended to be SMTP
servers running open relays (or at least, the largest internal-to-
external-relaying SMTP servers at the largest ISPs). Usually these
lists were used if MX lookup for a target address failed or other
transmission difficulties presented themselves (outgoing connections
port 25 failed because of firewall rules, etc), or (particularly
the mass-mailers did MX) if simply guessing "smtp.<domain>",
"mail.<domain>", etc as the likely MX of a target domain failed.
recently, as proper MX resolution has become more common in these
malwares' mailing engines, so has inclusion of lists of "known
promiscuous" DNS servers, presumably in the expectation that MX for
more target domains will be resolved than simply relying on the
victim's default DNS.
If your IP was in one of these lists (perhaps because of a typo or
nefarious inclusion in some commonly distributed list of promiscuous
DNS servers) you could see requests from all over the place asking
all manner of target hosts (assuming that the malware writers
get their DNS querying code right!). If the malware in question were
doing this for MX reasons (by far the most common use to date) you
would, of course, expect to see whatever DNS query or sequence of
queries is normal for getting MX information, but now we are getting
out of area of expertise. Of course, all manner of other nefarious
malware-related purposes besides self-mailing could be tied into such
behaviour, so not seeing MX requests does not mean that this type of
explanation is incorrect...
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
Full-Disclosure - We believe in it.
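The reply above suggests that if the stray udp/53 traffic comes from mass-mailing malware using a hard-coded fallback resolver, the query mix reaching the non-DNS host should look like MX resolution from many unrelated sources. The script below is an added example (not code from the original thread or from either poster) that turns that observation into a quick check: it parses tcpdump-style DNS summary lines, keeps only queries aimed at addresses that are not on a list of hosts that legitimately serve DNS, and reports per-target source counts, query-type counts and the share of MX lookups. The capture lines and the AUTHORISED_DNS set are constructed for the example and use RFC 5737 documentation addresses; the parser assumes tcpdump's one-line query format ("IP src.port > dst.53: id+ QTYPE? name. (len)").

```python
"""Summarise unexpected inbound DNS queries from a tcpdump-style capture.

Added example for the thread above, not code from the original post.
Assumptions: input lines use tcpdump's one-line DNS query summary format,
and the set of hosts that legitimately answer DNS on our network is known
(AUTHORISED_DNS below is a constructed, hypothetical list).
"""
import re
from collections import Counter, defaultdict

# Hypothetical: the only address on "our" network that is supposed to serve DNS.
AUTHORISED_DNS = {"192.0.2.53"}

# Constructed sample capture (RFC 5737 documentation addresses); 192.0.2.10 is
# the unused address that keeps receiving queries, as described in the thread.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 198.51.100.7.51234 > 192.0.2.10.53: 43210+ MX? example.org. (29)
12:00:01.200001 IP 198.51.100.7.51235 > 192.0.2.10.53: 43211+ A? mail.example.org. (34)
12:00:02.000001 IP 203.0.113.88.40000 > 192.0.2.10.53: 1+ MX? example.net. (29)
12:00:02.500001 IP 203.0.113.88.40001 > 192.0.2.10.53: 2+ MX? example.com. (29)
12:00:03.000001 IP 198.51.100.200.1024 > 192.0.2.53.53: 7+ A? www.example.org. (33)
12:00:03.100001 IP 198.51.100.7.51236 > 192.0.2.10.53: 43212+ PTR? 10.2.0.192.in-addr.arpa. (41)
"""

# One tcpdump DNS query line: timestamp, IP src.port > dst.53: id[+%] QTYPE? name (len)
DNS_LINE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > (?P<dst>\d+\.\d+\.\d+\.\d+)\.53: "
    r"\d+[+%]* (?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \(\d+\)$"
)


def parse_queries(capture: str) -> list:
    """Return one dict (src, dst, qtype, qname) per query line; other lines are skipped."""
    queries = []
    for line in capture.splitlines():
        m = DNS_LINE.match(line)
        if m:
            queries.append(m.groupdict())
    return queries


def unexpected_targets(queries, authorised=AUTHORISED_DNS):
    """Group queries whose destination is not an authorised DNS server, keyed by destination."""
    by_dst = defaultdict(list)
    for q in queries:
        if q["dst"] not in authorised:
            by_dst[q["dst"]].append(q)
    return by_dst


def summarise(queries):
    """Per-source and per-type counts plus the share of MX lookups.

    A resolver that only exists in some malware's fallback list would see the
    queries needed for MX resolution arriving from many unrelated sources, so an
    MX-heavy mix across distinct sources is the signal the thread describes.
    """
    sources = Counter(q["src"] for q in queries)
    qtypes = Counter(q["qtype"] for q in queries)
    total = sum(qtypes.values())
    mx_share = qtypes.get("MX", 0) / total if total else 0.0
    return {"sources": sources, "qtypes": qtypes, "mx_share": mx_share, "total": total}


def report(capture: str) -> dict:
    """Full pipeline: parse, keep only traffic to non-DNS hosts, summarise per target."""
    by_dst = unexpected_targets(parse_queries(capture))
    return {dst: summarise(qs) for dst, qs in by_dst.items()}


if __name__ == "__main__":
    for dst, s in report(SAMPLE_CAPTURE).items():
        print(f"{dst}: {s['total']} queries from {len(s['sources'])} sources, "
              f"types={dict(s['qtypes'])}, MX share={s['mx_share']:.0%}")
```

Run it against a real capture by feeding `tcpdump -n -i <iface> udp port 53` output into `report()`; a target that is not in AUTHORISED_DNS, receives MX queries for unrelated domains from many sources, and has no host behind it matches the fallback-list explanation, whereas a handful of sources asking for names inside your own zones fits the stale-cache or bad-registration explanations instead.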