Strange DNS Queries

Smith, William E. (Bill), Jr. Bill.Smith at
Fri Mar 2 19:09:50 UTC 2007

I got one response who suggested Webroot's Spysweeper might be the
culprit via the hardcoding of the noted names in the hosts file on
Windows box.  We're looking at that right now to determine if this is it
or not.  If not, I'll be happy to provide a scrubbed capture for further
review.  I'm not sure where the destination is for all of these queries
but can go back to our security folks to gather that additional info.
In terms of what's being returned, the capture I had showed nothing
being returned; however, that could be attributed to receiving just a
partial trace.  More to come as we investigate further.

- Bill

-----Original Message-----
From: Stephen John Smoogen [mailto:smooge at] 
Sent: Friday, March 02, 2007 1:30 PM
To: Smith, William E. (Bill), Jr.
Cc: bind-users at
Subject: Re: Strange DNS Queries

On 3/2/07, Smith, William E. (Bill), Jr. <Bill.Smith at> wrote:
> Our network security folks have come to me inquiring about some odd
DNS queries that they have been seeing pop up on their IDS's.  After
reviewing the captures they've provided, I really have no idea what they
are for.  What we're seeing is some clients sending a standard A record
query for the names "UseCustom" and "UseDefs".  The destination in the
most recent information I received is  I've viewed the
trace sent to me via Wireshark but it doesn't really report much other
than the queries for "UseCustom" and "UseDefs".  Has anyone ever seen
such queries before and / or can shed some light on what they are for?
I'll try to provide further information as requested / needed.
> Bill Smith

I think a scrubbed capture might be needed to know more about it..
Does all the destinations point towards phone companies or do they go
around.. what data is being returned?

Stephen J Smoogen. -- CSIRT/Linux System Administrator How far that
little candle throws his beams! So shines a good deed in a naughty
world. = Shakespeare. "The Merchant of Venice"

More information about the bind-users mailing list