Re: How to track DNS resolution sources

2014-12-04 Thread Notify Me
Hi Nick and List

Yes it's possible. The dud DNS response in some parts of the internet was
the public IP address being used by their proxy server. I'm not sure what
the proxy is, but it's a windows box. I was going to try to dig trace but
by then the poisoning suddenly stopped happening. Any other ideas on how
to deal with this? What can I proactively do in case it happens again?

On Thursday, 4 December 2014, Nicholas Oas nicholas@gmail.com wrote:

 Is it possible that your client site has a helpful firewall that is
 performing DNS doctoring?

 http://www.juniper.net/techpubs/en_US/junos12.1/topics/concept/dns-alg-nat-doctoring-overview.html

 The first time I encountered this neither myself nor my customer expected
 it. We upgraded the firewall and suddenly their external hostname
 resolution was coming back with internal IP addresses, as defined by the
 firewall's NAT table.

 Note this only really happens with NAT. If the spoofed records are
 internal it's most likely something else.

 On Wed, Dec 3, 2014 at 11:22 AM, Notify Me notify.s...@gmail.com wrote:

 Hi!

 I hope I'm wording this correctly. I had an incident at a client site where
 a DNS record was being spoofed. How does one track down the IP address
 that's returning the false records? What tool can one use?

 Thanks!

 --
 Sent from MetroMail

-- 
Sent from MetroMail

How to track DNS resolution sources

2014-12-03 Thread Notify Me
Hi!

I hope I'm wording this correctly. I had an incident at a client site where
a DNS record was being spoofed. How does one track down the IP address
that's returning the false records? What tool can one use?

Thanks!

-- 
Sent from MetroMail

Re: How to track DNS resolution sources

2014-12-03 Thread TR Shaw
On the command line:

host spoofed.host.name.com

On Dec 3, 2014, at 11:22 AM, Notify Me notify.s...@gmail.com wrote:

 Hi!
 
 I hope I'm wording this correctly. I had an incident at a client site where
 a DNS record was being spoofed. How does one track down the IP address
 that's returning the false records? What tool can one use?
 
 Thanks!
 -- 
 Sent from MetroMail

Re: How to track DNS resolution sources

2014-12-03 Thread Stephane Bortzmeyer
On Wed, Dec 03, 2014 at 05:22:58PM +0100,
 Notify Me notify.s...@gmail.com wrote 
 a message of 13 lines which said:

 I hope I'm wording this correctly.

Not really :-)

 I had a incident at a client site where a DNS record was being
 spoofed.

How do you know? What steps did you use to assert this? Answers to
these questions would help to understand your problem.

 How does one track down the IP address that's returning the false
 records ?

If it's real DNS spoofing (which I doubt), the source IP address of
the poisoner is forged, so it would not help.

The main tool to use is dig. Let's assume the name that bothers you is
foobar.example.com. Query your local resolver:

dig A foobar.example.com

Query an external resolver, here Google Public DNS:

dig @8.8.4.4 A foobar.example.com

Query the authoritative name servers of example.com. First, to find them:

dig NS example.com

Second, query them (replace the server name by the real one):

dig @a.iana-servers.net. A foobar.example.com

Re: How to track DNS resolution sources

2014-12-03 Thread Stephane Bortzmeyer
On Wed, Dec 03, 2014 at 11:32:08AM -0500,
 TR Shaw ts...@oitc.com wrote 
 a message of 20 lines which said:

 On the command line:
 
 host spoofed.host.name.com

Excuse me but it is useless. It tests only the local resolver (which
may be unpoisoned). It provides no details that could help to debug
the problem (such as the TTL).

RE: How to track DNS resolution sources

2014-12-03 Thread teleric team

 Date: Wed, 3 Dec 2014 17:56:23 +0100
 From: bortzme...@nic.fr
 To: notify.s...@gmail.com
 Subject: Re: How to track DNS resolution sources
 CC: nanog@nanog.org
 
 On Wed, Dec 03, 2014 at 05:22:58PM +0100,
  Notify Me notify.s...@gmail.com wrote 
  a message of 13 lines which said:
 
  I hope I'm wording this correctly.
 
 Not really :-)
 
  I had a incident at a client site where a DNS record was being
  spoofed.
 
 How do you know? What steps did you use to assert this? Answers to
 these questions would help to understand your problem.
 
  How does one track down the IP address that's returning the false
  records ?
 
 If it's real DNS spoofing (which I doubt), the source IP address of
 the poisoner is forged, so it would not help.
 
 The main tool to use is dig. Let's assume the name that bothers you is
 foobar.example.com. Query your local resolver:
 
 dig A foobar.example.com
 
 Query an external resolver, here Google Public DNS:
 
 dig @8.8.4.4 A foobar.example.com
 
 Query the authoritative name servers of example.com. First, to find them:
 
 dig NS example.com
 
 Second, query them (replace the server name by the real one):
 
 dig @a.iana-servers.net. A foobar.example.com

I didn't understand how this will help him identify the poisoner.
What an IDS rule will do is check for responding authoritative query IDs for 
DNS queries never made to that responder, but made for the authoritative server 
identified as per above (direct NS inquiry).
If no IDS is present, BIND logging would allow for identification of 
authoritative responses and query ID identification. 
In summary whatever is answered authoritatively by a server other than the NS
ones tracked by dig +trace foobar.example.com is the potential poisoner. But
if the poisoning is done from a spoofed IP address (spoofing the authoritative
IP), well good luck w/ that if the spoofed domain is not DNSSEC aware.
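As an added example (not code from anyone in the thread), the following Python puts the two suggestions above together: the NS set that Stephane's `dig NS` step yields, and the IDS/BIND-log rule teleric describes, where an authoritative response that matches no query you actually sent, or that comes from a server outside that NS set, marks the potential poisoner. All addresses, query IDs and records are constructed sample data; the `Query`/`Response` records stand in for what a packet capture or BIND query log would give you.

```python
"""Correlate DNS responses with the queries actually sent (added example).

Flags authoritative answers that match no outstanding query (ID, name,
responder), that come from an address outside the zone's NS set from
`dig NS`, or that conflict with an earlier answer to the same query.
All addresses, IDs and records below are constructed sample data."""
from collections import defaultdict, namedtuple

Query = namedtuple("Query", "qid qname server")
Response = namedtuple("Response", "qid qname responder rdata aa")

# Constructed: addresses of the example.com NS servers (hypothetical values).
AUTH_NS = {"192.0.2.53", "198.51.100.53"}

def flag_responses(queries, responses, auth_ns=AUTH_NS):
    """Return a list of (reason, Response) for suspect authoritative answers."""
    outstanding = {(q.qid, q.qname.lower(), q.server) for q in queries}
    seen = defaultdict(set)   # (qid, qname, responder) -> rdata values observed
    findings = []
    for r in responses:
        if not r.aa:          # only authoritative answers are examined
            continue
        key = (r.qid, r.qname.lower(), r.responder)
        if key not in outstanding:
            findings.append(("unsolicited", r))
        elif r.responder not in auth_ns:
            findings.append(("non-ns-authoritative", r))
        elif seen[key] and r.rdata not in seen[key]:
            findings.append(("conflicting-answer", r))
        seen[key].add(r.rdata)
    return findings

# Constructed sample traffic for foobar.example.com.
QUERIES = [
    Query(0x1234, "foobar.example.com", "192.0.2.53"),
    Query(0x2222, "foobar.example.com", "203.0.113.10"),  # site forwarder/proxy
]
RESPONSES = [
    Response(0x1234, "foobar.example.com", "192.0.2.53", "192.0.2.10", True),
    # forged packet: right ID, but sent from an address nobody queried
    Response(0x1234, "foobar.example.com", "203.0.113.7", "10.0.0.5", True),
    # doctored answer: the proxy answers authoritatively although it is no NS
    Response(0x2222, "foobar.example.com", "203.0.113.10", "10.0.0.5", True),
    # second, different authoritative answer to the first query (a race)
    Response(0x1234, "foobar.example.com", "192.0.2.53", "10.0.0.5", True),
]
if __name__ == "__main__":
    for reason, resp in flag_responses(QUERIES, RESPONSES):
        print(f"{reason}: {resp.responder} -> {resp.qname} = {resp.rdata}")
```

A forged packet whose source address is the real NS and whose ID matches is caught only by the conflicting-answer check, and only if the genuine answer also arrives; that is the "good luck" case above, which DNSSEC validation addresses.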