Home page logo
/

pauldotcom logo PaulDotCom mailing list archives

DNS look up against a specific DNS provider
From: rd at rd1.net (Ralph Durkee)
Date: Sat, 27 Jun 2009 09:02:58 -0400

Yes, it makes it your goal a lot clearer. I was wondering where you were 
going with your question.  I think you're on the right track in that DNS 
can be good at detecting malware and bot track on your network.  I don't 
think it's going to be practical to ask the top few dynamic DNS 
providers to monitor requests from our IP addresses.  They would 
probably be willing to sell it as a service, but it wouldn't catch the 
more sophisticated bots that use their own DNS servers.  In particular 
I'm thinking about fast flux networks that honeynet wrote about in 2007 
http://honeynet.org/papers/ff    They recommended passive DNS monitoring 
as a way of detecting these bot nets, and several other papers have been 
written on it such as 
http://www.caida.org/workshops/wide/0707/slides/bojan.pdf   and 
http://staff.science.uva.nl/~delaat/snb-2005-2006/p12/report.pdf
Of course DNS monitoring your network could also catch any external 
authoritative DNS responses that had your own IP addresses in it, which 
is likely to be of interest.

-- Ralph Durkee, CISSP, GSEC, GCIH, GSNA, GPEN
Principal Security Consultant
http://rd1.net



Adrian Crenshaw wrote:
Thanks Tim, hope your explanation makes it more clear. I've read about 
some malware/bots using dynamic DNS provider to map names for the sake 
of convenience, and some employees may set up unauthorized services on 
their work box, I figured this sort of tool would help find them.

Adrian
  

On Fri, Jun 26, 2009 at 1:59 PM, Tim Krabec <tkrabec at gmail.com 
<mailto:tkrabec at gmail.com>> wrote:

    I was origionally confused by what Irongeek wanted. 
    He wants to know if/when any IPs in his office/company show up in
    a dynamically assigned domain/ip

    ie
    Irongeeks company range 192.168.1.5-15
    he wants to be able to chec abcDynamics
    for his IP's

    ie bot327.abcDynamics.com <http://bot327.abcDynamics.com> is
    pointing to 192.168.1.6

    I think this is could be another awesome tool/resource.  It would
    probably require cooperation with the dynamic IP providers.

    -- 
    Tim Krabec
    Kracomp
    772-597-2349
    smbminute.com <http://smbminute.com>
    kracomp.blogspot.com <http://kracomp.blogspot.com>
    www.kracomp.com <http://www.kracomp.com>

    _______________________________________________
    Pauldotcom mailing list
    Pauldotcom at mail.pauldotcom.com <mailto:Pauldotcom at mail.pauldotcom.com>
    http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
    Main Web Site: http://pauldotcom.com


------------------------------------------------------------------------

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20090627/5962ff93/attachment.htm 


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault