Full Disclosure: Re: FW: Question for DNS pros

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Full Disclosure mailing list archives

Re: FW: Question for DNS pros

From: "Paul Rolland" <rol () witbe net>
Date: Mon, 26 Jul 2004 08:58:48 +0200

Hello,

I've altered the real hostname on our network to "targethost" 
and altered 
the querying IP to x.x.x.x for privacy reasons.  All these 
queries are 
*from* the same host.  This pattern is *typical* of what I'm 
seeing from a 
*number of diverse hosts* from all over the world.

22:06:10.294071 x.x.x.x.2566 > 
targethost.utdallas.edu.domain:  29462 NS? . 
(17)
22:06:11.043050 x.x.x.x.2566 > 
targethost.utdallas.edu.domain:  29463 NS? . 
(17)
22:06:11.791218 x.x.x.x.2566 > 
targethost.utdallas.edu.domain:  29464 NS? . 
(17)


Seems to be a query for the NS for the "." (root) zone.
The machine sending the queries is probably configured to use
your server as a complete DNS resolver and transfer all its queries
to your server.

Regards,
Paul

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

By Date By Thread

Current thread:

Re: FW: Question for DNS pros, (continued)
- Re: Question for DNS pros Jason Coombs PivX Solutions (Jul 25)