Re: FW: Question for DNS pros

[Paul Schmehl <pauls () utdallas edu>]

--On Saturday, July 24, 2004 10:16 AM -0500 Suzi and Harold VanPatten 
<vanpattens () knology net> wrote:
> It seems to me you could do this without setting up a dns server. Just
> tcpdump the traffic or sniff or snoop the traffic. It you set it up with
> a snaplength of 1500 you'll get enough of the packet to see  exactly what
> dns query is being asked...something like
> tcpdump -n -s 1500 udp and port 53 and host 1.2.3.4
I already did this, and I already posted it here.  It didn't reveal 
anything that I wasn't already aware of - ns requests and ptr requests for 
that IP.

> then you'll be able to tell if the queries are all for one specific
> domain (meaning something has that IP registered as an authoritative
> server for that domain) or are the queries for many different domains
> meaning people think you have a dns server they can use as a resolver.
As I already stated, they're coming from all over.

> Same with issue number one, once you know the domain they are querying,
> you can find the POC of that domain and get them to fix the problem.
> Hopefully, it is one of these two issues.  Good luck!

That's the one piece I don't have yet - what domain is being queried.  Thus 
the request for suggestions here.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html