
DNS look up against a specific DNS provider
From: rd at rd1.net (Ralph Durkee)
Date: Sat, 27 Jun 2009 09:02:58 -0400

Yes, it makes your goal a lot clearer. I was wondering where you were going with your question. I think you're on the right track in that DNS can be good at detecting malware and bot track on your network. I don't think it's going to be practical to ask the top few dynamic DNS providers to monitor requests from our IP addresses. They would probably be willing to sell it as a service, but it wouldn't catch the more sophisticated bots that use their own DNS servers. In particular I'm thinking about fast flux networks that honeynet wrote about in 2007: http://honeynet.org/papers/ff They recommended passive DNS monitoring as a way of detecting these bot nets, and several other papers have been written on it such as http://www.caida.org/workshops/wide/0707/slides/bojan.pdf and

Of course DNS monitoring your network could also catch any external authoritative DNS responses that had your own IP addresses in it, which is likely to be of interest.

-- Ralph Durkee, CISSP, GSEC, GCIH, GSNA, GPEN
Principal Security Consultant
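As an added illustration of the passive DNS monitoring Ralph mentions (not code from this thread or from the Honeynet paper), the script below runs two checks over a set of constructed DNS observations: it flags external names whose A answers land inside the organisation's own address range (the dynamic-DNS case Tim and Adrian describe), and it flags names whose answers churn through many addresses at short TTLs, the fast-flux pattern. The address range, hostnames and records are hypothetical.

```python
import ipaddress
from collections import defaultdict

# Constructed passive-DNS observations (hypothetical names, documentation
# address ranges): (qname, rrtype, ttl, rdata).
SAMPLE_RECORDS = [
    ("bot327.abcdynamics.example", "A", 300, "203.0.113.17"),
    ("www.example.net", "A", 86400, "198.51.100.5"),
    ("mail.example.net", "MX", 3600, "mx1.example.net."),
    ("cdn.flux.example", "A", 120, "192.0.2.10"),
    ("cdn.flux.example", "A", 120, "192.0.2.77"),
    ("cdn.flux.example", "A", 120, "198.51.100.200"),
    ("cdn.flux.example", "A", 90, "192.0.2.99"),
    ("cdn.flux.example", "A", 90, "192.0.2.150"),
    ("cdn.flux.example", "A", 60, "198.51.100.8"),
]

# Assumed: the organisation's own public address space (hypothetical).
OUR_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


def names_pointing_at_us(records, our_ranges=OUR_RANGES):
    """{qname: {addresses}} for A answers that land inside our ranges,
    e.g. a dynamic-DNS hostname someone pointed at a box on our network."""
    hits = defaultdict(set)
    for qname, rrtype, _ttl, rdata in records:
        if rrtype != "A":
            continue
        if any(ipaddress.ip_address(rdata) in net for net in our_ranges):
            hits[qname].add(rdata)
    return dict(hits)


def fast_flux_candidates(records, min_addrs=5, max_ttl=300):
    """{qname: distinct address count} for names whose A records churn:
    many distinct addresses, every observation with a short TTL."""
    addrs, ttls = defaultdict(set), defaultdict(list)
    for qname, rrtype, ttl, rdata in records:
        if rrtype == "A":
            addrs[qname].add(rdata)
            ttls[qname].append(ttl)
    return {q: len(a) for q, a in addrs.items()
            if len(a) >= min_addrs and max(ttls[q]) <= max_ttl}


if __name__ == "__main__":
    print(names_pointing_at_us(SAMPLE_RECORDS))
    print(fast_flux_candidates(SAMPLE_RECORDS))
```

In practice the records would come from a resolver's query log or a passive DNS sensor on the network edge, and the thresholds would be tuned against legitimate CDNs, which also use short TTLs.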

Adrian Crenshaw wrote:
Thanks Tim, hope your explanation makes it more clear. I've read about 
some malware/bots using dynamic DNS provider to map names for the sake 
of convenience, and some employees may set up unauthorized services on 
their work box, I figured this sort of tool would help find them.


On Fri, Jun 26, 2009 at 1:59 PM, Tim Krabec <tkrabec at gmail.com> wrote:

    I was originally confused by what Irongeek wanted.
    He wants to know if/when any IPs in his office/company show up in
    a dynamically assigned domain/IP.

    Irongeek's company range:
    he wants to be able to check abcDynamics
    for his IPs

    i.e. bot327.abcDynamics.com is
    pointing to

    I think this could be another awesome tool/resource.  It would
    probably require cooperation with the dynamic IP providers.

    Tim Krabec
    smbminute.com
    kracomp.blogspot.com
    www.kracomp.com


Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
Main Web Site: http://pauldotcom.com
