mailing list archives
FW: Question for DNS pros
From: "Suzi and Harold VanPatten" <vanpattens () knology net>
Date: Sat, 24 Jul 2004 10:16:26 -0500
It seems to me you could do this without setting up a dns server. Just
tcpdump the traffic or sniff or snoop the traffic. It you set it up with a
snaplength of 1500 you'll get enough of the packet to see exactly what dns
query is being asked...something like
tcpdump -n -s 1500 udp and port 53 and host 126.96.36.199
then you'll be able to tell if the queries are all for one specific domain
(meaning something has that IP registered as an authoritative server for
that domain) or are the queries for many different domains meaning people
think you have a dns server they can use as a resolver.
We have seen the second case happen before, but generally it has been easy
to fix. For instance, if our domain was 192.168.13.0, we'll notice that the
source addresses of ALL the queries will come from something like
188.8.131.52 and obviously they have accidentally typo'd something in their
dhcp server. Then we use ARIN or some other website to figure out a POC for
that network, call them and they fix the typo.
Same with issue number one, once you know the domain they are querying, you
can find the POC of that domain and get them to fix the problem. Hopefully,
it is one of these two issues. Good luck!
Paul Schmehl <pauls () utdallas edu> writes:
What I want to know is *why* do these "foreign" hosts think an IP on
my network is serving DNS when there's not even a host at that address.
I can think of two possibilities:
1) At some time in the past, a host *was* serving DNS at that address
and some "foreign" hosts have cached the address.
2) Someone somewhere has registered a domain and used our IP address
for one of their "nameservers" in the registration.
(If anyone can think of other explanations, please let me know.)
Some bogus resolver, or forwarder, setup.
Now how is a reverse lookup going to help you with that?
The best suggestion yet has been to set up a name server at that
address with verbose logging. That's probably what I will do next
Yes, just put no zone at all and log queries. After a while, you should be
able to figure out "why" you receive these queries.
Full-Disclosure - We believe in it.
Re: Question for DNS pros Roberto Navarro (Jul 24)
Re: Question for DNS pros Nils Ketelsen (Jul 25)
FW: Question for DNS pros Suzi and Harold VanPatten (Jul 25)
Re: Question for DNS pros Jason Coombs PivX Solutions (Jul 25)