It seems to me you could do this without setting up a dns server. Just tcpdump the traffic or sniff or snoop the traffic. If you set it up with a snaplength of 1500 you'll get enough of the packet to see exactly what dns query is being asked...something like

tcpdump -n -s 1500 udp and port 53 and host 1.2.3.4

then you'll be able to tell if the queries are all for one specific domain (meaning something has that IP registered as an authoritative server for that domain) or are the queries for many different domains meaning people think you have a dns server they can use as a resolver.

We have seen the second case happen before, but generally it has been easy to fix. For instance, if our domain was 192.168.13.0, we'll notice that the source addresses of ALL the queries will come from something like 192.163.13.0 and obviously they have accidentally typo'd something in their dhcp server. Then we use ARIN or some other website to figure out a POC for that network, call them and they fix the typo.

Same with issue number one, once you know the domain they are querying, you can find the POC of that domain and get them to fix the problem. Hopefully, it is one of these two issues. Good luck!
Suzi
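The sorting step Suzi describes (are all the stray queries for one domain, or are they for many domains from one source network?) can be automated once the UDP payloads are out of the capture. The script below is an added example, not code from the thread; it parses the DNS header and question section (RFC 1035 wire format) of each query, groups them by queried domain and by source /24, and returns one of the two verdicts from the post. The packet lists are constructed sample input using RFC 5737 documentation addresses and the reserved .example TLD; the 90% threshold and the "last two labels" domain grouping are my own assumptions.

```python
import struct
from collections import Counter


def encode_name(name):
    """Encode a dotted hostname as DNS wire-format labels (used only to build samples)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234):
    """Build a standard query with RD set: header (6 x 16-bit fields) + one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_qname(payload, offset):
    """Read a label sequence starting at offset; return (name, offset after the name)."""
    labels = []
    while True:
        if offset >= len(payload):
            raise ValueError("truncated name")
        length = payload[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:  # labels are <= 63 bytes; high bits mean a compression pointer
            raise ValueError("compression pointer in question name")
        labels.append(payload[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels).lower(), offset


def parse_query(payload):
    """Parse the question of a DNS query; raise ValueError for anything malformed."""
    if len(payload) < 12:
        raise ValueError("truncated header")
    flags, qdcount = struct.unpack("!HH", payload[2:6])
    if flags & 0x8000:
        raise ValueError("response, not a query")
    if qdcount != 1:
        raise ValueError("unexpected QDCOUNT %d" % qdcount)
    qname, off = parse_qname(payload, 12)
    if off + 4 > len(payload):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", payload[off:off + 4])
    return {"qname": qname, "qtype": qtype, "qclass": qclass, "rd": bool(flags & 0x0100)}


def registered_domain(qname):
    """Crude grouping key: the last two labels (assumption; enough to group one zone's hosts)."""
    parts = qname.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else qname


def source_net(ip):
    """Group IPv4 sources by /24, the granularity of the misconfigured-DHCP case in the post."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


def classify(packets, threshold=0.9):
    """packets: iterable of (source_ip, udp_payload). Returns (verdict, domain_counts, net_counts)."""
    domains, nets = Counter(), Counter()
    for src, payload in packets:
        try:
            q = parse_query(payload)
        except ValueError:
            continue  # junk or non-DNS traffic on port 53: ignore it
        domains[registered_domain(q["qname"])] += 1
        nets[source_net(src)] += 1
    total = sum(domains.values())
    if total == 0:
        return "no-queries", domains, nets
    if domains.most_common(1)[0][1] / total >= threshold:
        verdict = "one-domain"        # someone delegated a zone to this IP
    elif nets.most_common(1)[0][1] / total >= threshold:
        verdict = "one-source-net"    # one network's clients think this IP is a resolver
    else:
        verdict = "mixed"
    return verdict, domains, nets


# Constructed samples standing in for payloads pulled from the tcpdump above.
STRAY_DELEGATION = [
    ("198.51.100.7", build_query("www.example.net")),
    ("203.0.113.21", build_query("mail.example.net", qtype=15)),
    ("192.0.2.44", build_query("example.net", qtype=2)),
    ("198.51.100.90", build_query("ftp.example.net")),
    ("203.0.113.3", build_query("www.example.net", qtype=28)),
    ("192.0.2.201", build_query("ns1.example.net")),
]
STRAY_RESOLVER_CLIENTS = [
    ("192.0.2.10", build_query("shop.example")),
    ("192.0.2.11", build_query("news.example")),
    ("192.0.2.12", build_query("mail.example", qtype=15)),
    ("192.0.2.13", build_query("cdn.example")),
    ("192.0.2.14", build_query("login.example")),
    ("192.0.2.15", build_query("blog.example")),
    ("192.0.2.99", b"\x12\x34\x01"),  # truncated junk; skipped by classify()
]

if __name__ == "__main__":
    for name, sample in (("delegation", STRAY_DELEGATION), ("resolver clients", STRAY_RESOLVER_CLIENTS)):
        verdict, domains, nets = classify(sample)
        print(name, "->", verdict, dict(domains), dict(nets))
```

The "one-domain" verdict points at the whois/POC of the domain, the "one-source-net" verdict at the POC of the source network, matching the two fixes in the post. On a real capture you would feed the UDP payloads in from a pcap reader; the parser deliberately rejects compression pointers and responses so that only genuine queries are counted.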
Paul Schmehl <[EMAIL PROTECTED]> writes:
> What I want to know is *why* do these "foreign" hosts think an IP on
> my network is serving DNS when there's not even a host at that address.
>
> I can think of two possibilities:
>
> 1) At some time in the past, a host *was* serving DNS at that address
> and some "foreign" hosts have cached the address.
> 2) Someone somewhere has registered a domain and used our IP address
> for one of their "nameservers" in the registration.
>
> (If anyone can think of other explanations, please let me know.)
Some bogus resolver, or forwarder, setup.
> Now how is a reverse lookup going to help you with that?
It won't.
> The best suggestion yet has been to set up a name server at that
> address with verbose logging. That's probably what I will do next
> week.
Yes, just put no zone at all and log queries. After a while, you should be
able to figure out "why" you receive these queries.
Cheers.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
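One way to do what the reply above suggests (a nameserver at that address that serves no zones and logs every query it receives), as an added example that is not from anyone in the thread: a minimal BIND 9 named.conf. BIND itself, the listen address 192.0.2.10 (a documentation placeholder) and the file paths are assumptions; the thread names no software.

```conf
// Added example named.conf for BIND 9: no zone statements at all, every query logged.
// 192.0.2.10 is a placeholder for the address receiving the stray queries.
options {
    directory "/var/named";
    listen-on { 192.0.2.10; };
    recursion no;          // refuse recursion so the box never becomes an open resolver
    allow-query { any; };  // accept queries from anywhere so they all reach the log
};

logging {
    channel stray_queries {
        file "/var/log/named/queries.log" versions 5 size 20m;
        severity info;
        print-time yes;
        print-category yes;
    };
    // Assigning the "queries" category to a channel turns query logging on.
    category queries { stray_queries; };
};
```

With recursion off, hosts that believe this IP is their resolver get REFUSED but their queries still appear in the log, so grouping the log by source address shows the misconfigured network; grouping by queried name shows whether a zone has been delegated to the address.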