I already did this, and I already posted it here. It didn't reveal anything that I wasn't already aware of - ns requests and ptr requests for that IP.
> It seems to me you could do this without setting up a dns server. Just tcpdump the traffic or sniff or snoop the traffic. If you set it up with a snaplength of 1500, you'll get enough of the packet to see exactly what DNS query is being asked... something like tcpdump -n -s 1500 udp and port 53 and host 1.2.3.4
> then you'll be able to tell if the queries are all for one specific domain (meaning something has that IP registered as an authoritative server for that domain) or are the queries for many different domains meaning people think you have a dns server they can use as a resolver.
As I already stated, they're coming from all over.
> Same with issue number one, once you know the domain they are querying, you can find the POC of that domain and get them to fix the problem. Hopefully, it is one of these two issues. Good luck!
That's the one piece I don't have yet - what domain is being queried. Thus the request for suggestions here.
Paul Schmehl ([EMAIL PROTECTED]) Adjunct Information Security Officer The University of Texas at Dallas AVIEN Founding Member http://www.utdallas.edu
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
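The sniff-and-classify approach suggested in the quoted reply, as an added example that is not code from the original thread: it reads the UDP payloads out of a file written by tcpdump -w (classic pcap with Ethernet/IPv4/UDP framing is assumed), pulls the question name and type out of each query, and reports whether the names concentrate on one zone (something lists the host as authoritative for it) or spread over many unrelated zones (people are using it as an open resolver). The 90% concentration threshold, the last-two-labels grouping key, the /24 grouping for in-addr.arpa names and the file name dns.pcap are this example's own choices, not anything stated in the thread.

```python
# Added example, not from the original thread.  Classifies the DNS queries
# arriving at a host: one zone (host is listed as authoritative) versus many
# unrelated zones (open-resolver probing).  Assumes a classic pcap file with
# Ethernet/IPv4/UDP framing, as tcpdump -w produces on a wired interface.
import struct
from collections import Counter

QTYPES = {1: "A", 2: "NS", 12: "PTR", 15: "MX", 28: "AAAA"}


def parse_question(msg):
    """Return (qname, qtype) for a DNS query message, or None for anything else."""
    if len(msg) < 12:
        return None
    flags, qdcount = struct.unpack("!HH", msg[2:6])
    if flags & 0x8000 or qdcount == 0:       # QR=1 is a response; skip it
        return None
    labels, pos, end, hops = [], 12, None, 0
    while True:
        if pos >= len(msg):
            return None
        length = msg[pos]
        if length == 0:                       # root label ends the name
            pos += 1
            break
        if length & 0xC0 == 0xC0:             # 2-byte compression pointer (rare in queries)
            if pos + 1 >= len(msg) or hops > 10:
                return None
            if end is None:
                end = pos + 2                 # QTYPE follows the first pointer
            pos = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            hops += 1
            continue
        if length > 63 or pos + 1 + length > len(msg):
            return None
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii", "replace").lower())
        pos += 1 + length
    end = pos if end is None else end
    if end + 2 > len(msg):
        return None
    return ".".join(labels), struct.unpack("!H", msg[end:end + 2])[0]


def zone_of(qname):
    """Grouping key: last two labels, or the /24 reverse zone for in-addr.arpa names.
    Ignores public-suffix rules (example.co.uk collapses to co.uk); fine for spotting
    concentration on a single zone."""
    parts = qname.split(".")
    if qname.endswith("in-addr.arpa") and len(parts) >= 5:
        return ".".join(parts[-5:])
    return ".".join(parts[-2:])


def classify(payloads, concentration=0.9):
    """Return (verdict, zone_counts, qtype_counts) for a list of raw DNS payloads."""
    zones, qtypes = Counter(), Counter()
    for p in payloads:
        q = parse_question(p)
        if q is None:
            continue
        zones[zone_of(q[0])] += 1
        qtypes[QTYPES.get(q[1], str(q[1]))] += 1
    total = sum(zones.values())
    if total == 0:
        return "no-queries", zones, qtypes
    zone, n = zones.most_common(1)[0]
    if n / total >= concentration:            # one zone dominates: authoritative case
        return "authoritative-for:" + zone, zones, qtypes
    return "open-resolver-probing", zones, qtypes


def udp_payloads_from_pcap(path):
    """Yield UDP payloads from a classic pcap file (Ethernet/IPv4 framing assumed)."""
    with open(path, "rb") as f:
        magic = struct.unpack("<I", f.read(24)[:4])[0]
        endian = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
        while True:
            rec = f.read(16)
            if len(rec) < 16:
                return
            caplen = struct.unpack(endian + "IIII", rec)[2]
            frame = f.read(caplen)
            if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
                continue                      # not IPv4/UDP
            udp = 14 + (frame[14] & 0x0F) * 4
            ulen = struct.unpack("!H", frame[udp + 4:udp + 6])[0]
            yield frame[udp + 8:udp + ulen]   # trim any Ethernet padding


def build_query(name, qtype=1, txid=0x1234):
    """Constructed sample query (standard query, RD=1) for testing the parser offline."""
    wire = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + wire + b"\x00" + struct.pack("!HH", qtype, 1)
```

Capture with tcpdump -n -s 1500 -w dns.pcap udp and port 53 and host 1.2.3.4 (the filter from the thread plus -w), then call classify(list(udp_payloads_from_pcap("dns.pcap"))). The qtype counter is what shows a pattern like the NS-plus-PTR mix Paul describes, and the zone counter names the domain whose POC to contact if the verdict is "authoritative-for".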
