
Re: FW: [Full-Disclosure] Question for DNS pros



--On Saturday, July 24, 2004 10:16 AM -0500 Suzi and Harold VanPatten <vanpattens@xxxxxxxxxxx> wrote:

> It seems to me you could do this without setting up a dns server. Just tcpdump the traffic or sniff or snoop the traffic. If you set it up with a snaplength of 1500 you'll get enough of the packet to see exactly what dns query is being asked...something like tcpdump -n -s 1500 udp and port 53 and host 1.2.3.4

I already did this, and I already posted it here. It didn't reveal anything that I wasn't already aware of - ns requests and ptr requests for that IP.

> Then you'll be able to tell if the queries are all for one specific
> domain (meaning something has that IP registered as an authoritative
> server for that domain) or are the queries for many different domains
> meaning people think you have a dns server they can use as a resolver.

As I already stated, they're coming from all over.

> Same with issue number one, once you know the domain they are querying,
> you can find the POC of that domain and get them to fix the problem.
> Hopefully, it is one of these two issues.  Good luck!

That's the one piece I don't have yet - what domain is being queried. Thus the request for suggestions here.


Paul Schmehl (pauls@xxxxxxxxxxxx)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
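The missing piece in the thread is the name inside each query. The tcpdump capture with a 1500-byte snaplength already holds it: the UDP payload on port 53 is a DNS message whose question section carries the name and type. The script below is an added example, not code from anyone in this thread; it decodes that question section from raw payload bytes and tallies (name, type) pairs, which is exactly the one-zone-versus-many-zones distinction the quoted reply describes. The sample packets are constructed inline, and 1.2.3.4 (hence the PTR name 4.3.2.1.in-addr.arpa) is the placeholder address from the quoted tcpdump filter.

```python
import struct
from collections import Counter
QTYPES = {1: "A", 2: "NS", 6: "SOA", 12: "PTR", 15: "MX", 28: "AAAA"}

def parse_name(payload: bytes, offset: int) -> tuple[str, int]:
    """Read a DNS name at offset, following RFC 1035 compression pointers.
    Returns (dotted name, offset just past the name as written in the message)."""
    labels, end, hops = [], None, 0
    while True:
        if offset >= len(payload):
            raise ValueError("truncated name")
        length = payload[offset]
        if length & 0xC0 == 0xC0:              # compression pointer (11xxxxxx)
            hops += 1
            if hops > 16:                       # guard against pointer loops
                raise ValueError("pointer loop")
            end = end or offset + 2             # name ends after the first pointer
            offset = struct.unpack("!H", payload[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(payload[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), end or offset

def parse_query(payload: bytes) -> dict:
    """Decode the header and first question of a DNS message (the UDP payload)."""
    if len(payload) < 12:
        raise ValueError("short DNS header")
    msg_id, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    qname, off = parse_name(payload, 12)
    qtype, _qclass = struct.unpack("!HH", payload[off:off + 4])
    return {"id": msg_id, "is_response": bool(flags & 0x8000),
            "qname": qname, "qtype": QTYPES.get(qtype, f"TYPE{qtype}")}

def tally(payloads) -> Counter:
    """Count (qname, qtype) pairs: one zone dominating vs. many unrelated names."""
    return Counter((q["qname"], q["qtype"]) for q in map(parse_query, payloads))

def build_query(name: str, qtype: int, msg_id: int = 0x1234) -> bytes:
    """Constructed sample input: a standard recursive query (flags 0x0100)."""
    wire = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0) + wire + b"\x00" + struct.pack("!HH", qtype, 1)

# Constructed sample traffic: two NS queries for one zone and a PTR lookup of 1.2.3.4.
SAMPLE = [build_query("example.com", 2), build_query("4.3.2.1.in-addr.arpa", 12),
          build_query("example.com", 2)]
```

Feed it the UDP payloads from the capture (for example via a pcap reader that strips the Ethernet/IP/UDP headers) and the tally shows which names and record types dominate.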

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html