
Re: strange DNS behavior over the last 2 days

From: Jacco Tunnissen <jacco(at)honeypots.net>
Date: Sat Mar 29 2003 - 03:19:27 EST

On Thu, Mar 27, 2003 at 06:18:15PM -0800, Chris Wilkes wrote:

>You can also install http://www.ethereal.org on your Windows box and find

Hello Chris,

That might very well be the case, indeed. If so, that DNS (or ADS) has to be fixed immediately.

A lot of DNS implementations (especially Microsoft ones) are causing bogus queries received at the root servers, due to misconfigured servers and workstations. It's a real pain.

If you, as a reader of this list, are responsible for DNS in your organization, perhaps you can help to reduce bogus DNS queries by carefully reading the following three documents and fixing the problem.

1. DNS Damage - Measurements at a Root Server

http://www.caida.org/outreach/presentations/ietf0112/dns.damage.html


Presentation which discusses bogus queries received at the root servers: non-stop repeated queries, bogus A-queries, bogus TLD's, internal names and private address space leaking out to the Internet.

2. The Heartbeat of Private Nets: Spectroscopy of DNS Update Traffic

http://www.caida.org/~broido/dns/rfc1918.html

Paper which classifies the attempts to dynamically update DNS records primarily for private (RFC1918) blocks by analyzing the frequency spectrum of update packets seen at one of the authoritative servers for RFC1918 zones.

3. Wow, That's a Lot of Packets (PDF file)

http://www.caida.org/outreach/papers/2003/dnspackets/wessels-pam2003.pdf

Paper that analyzes the queries that arrive at the thirteen root servers in a 24-hour time period. The data is classified into one of nine categories. By far, most of the queries are repeats and only a small percentage is legitimate. Also discusses root server abuse.

Best regards,


Jacco Tunnissen

-- 
http://www.honeypots.net/
Intrusion Detection Systems,
Honeypots, Incident Response

Received on Sat Mar 29 13:07:53 2003
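
The query types named in the message above (repeated queries, bogus A-queries, bogus TLDs, private address space leaking out) can be looked for in an organization's own resolver logs before they reach the root servers. The following is an added example, not part of the original post or of the cited papers; the log format, the sample lines and the short TLD list are constructed, and "bogus A-query" is taken here to mean an A query whose name is already an IPv4 address.

```python
import ipaddress
from collections import Counter

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
KNOWN_TLDS = {"com", "net", "org", "edu", "arpa"}  # constructed sample, not the full IANA list
# Constructed query log, one "client qtype qname" per line (format is an assumption).
SAMPLE_LOG = """\
192.0.2.10 A www.example.com.
192.0.2.10 A www.example.com.
192.0.2.11 PTR 5.1.168.192.in-addr.arpa.
192.0.2.11 PTR 7.0.20.172.in-addr.arpa.
192.0.2.12 A 10.1.2.3.
192.0.2.13 A fileserver.corp.
192.0.2.14 A wpad.
192.0.2.15 PTR 4.3.2.198.in-addr.arpa.
"""

def is_rfc1918_ptr(labels):
    """True if the labels name a reverse entry inside one of the RFC1918 blocks."""
    if labels[-2:] != ["in-addr", "arpa"]:
        return False
    octets = labels[:-2][::-1]  # reverse names list octets least-significant first
    try:
        addr = ipaddress.IPv4Address(".".join((octets + ["0"] * 4)[:4]))
    except ipaddress.AddressValueError:
        return False
    return any(addr in net for net in RFC1918)

def classify(qtype, qname):
    """Label one query: rfc1918-ptr, a-for-ip, bogus-tld, or ok."""
    name = qname.rstrip(".").lower()
    if not name:
        return "ok"  # query for the root itself
    labels = name.split(".")
    if qtype == "PTR" and is_rfc1918_ptr(labels):
        return "rfc1918-ptr"
    if qtype == "A":
        try:
            ipaddress.IPv4Address(name)
            return "a-for-ip"  # the name is already an address
        except ipaddress.AddressValueError:
            pass
    return "ok" if labels[-1] in KNOWN_TLDS else "bogus-tld"

def report(log_text):
    """Return (category counts, set of (client, qtype, qname) seen more than once)."""
    seen, counts = Counter(), Counter()
    for client, qtype, qname in (l.split() for l in log_text.splitlines() if len(l.split()) == 3):
        seen[(client, qtype.upper(), qname.lower())] += 1
        counts[classify(qtype.upper(), qname)] += 1
    return counts, {key for key, n in seen.items() if n > 1}
```

Clients that show up under `rfc1918-ptr`, `a-for-ip` or `bogus-tld`, or in the repeat set, are the ones whose resolver or workstation configuration needs attention.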

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:00 EDT

