Random nx name queries, anyone see this before?

Ian Sampson sampsonij at yahoo.co.uk
Tue Dec 16 16:10:58 UTC 2008


Do you get an injected response at the same time not from the relevant
root server? The only way would be to gather a tethereal dump to see if
that is the case?

On 16 Dec 2008, at 14:20, Alan Clegg wrote:

> Frank Behrens wrote:
>> ponga2112 at gmail.com <ponga2112 at gmail.com> wrote on 15 Dec 2008 16:34:
>>> I'd be very interested in what others find. I do have an update and
>>> correction to my original post:
>>>
>>> The format is 9chars.8chars - as an example:
>>> qjnqrtfun.wxsifmgj
>>> Sometimes a colon appears, so the char list seems to be [a-z:]
>>> Also, I was wrong about the FQDN - they do appear in named/bind logs -
>>> so whatever app it is, the suffix search order is being used. My
>>> apologies for the incorrect info the first time.
>
> I had never seen any suffixes on the ones that I captured in the past
> (note that I first noticed this in March of 2008 and I don't see any of
> the odd traffic at the moment).
>
>>> There are a couple clients that do this - so thanks for the tip AlanC,
>>> I will look for a pattern. Other than that, I'm stumped. Thanks for
>>> any hints provided!!
>
> Look for patterns in the source UDP port -- also the timing of the
> queries was rather interesting, with some of the queries actually
> matching even when the sources of the requests were on different subnets
> and on machines that were owned by different organizations.
>
>> Is it possible that a bot net tries to connect?
>> http://www.heise-online.co.uk/security/Botnet-rises-again--/news/112118
>>
>> I don't want to make a panic, it's an idea only...
>
> I had originally thought the same thing, but I can't see how it would be
> used.
>
> The problem with that theory is that the queries would only make it from
> the infected machine to the upstream resolver, and then to the root and
> an NXDOMAIN response would be elicited.
>
> 07-Mar-2008 02:01:31.516 queries: info: client A#1067: query:
> 4wmn1f4:t.g5u97dc9 IN A +
> 07-Mar-2008 02:03:11.317 queries: info: client B#42637: query:
> 9ra4hmm9s.u5j87tb6 IN A +
> 07-Mar-2008 02:03:23.049 queries: info: client C#1031: query:
> gxmikjfn4.v5w70um3 IN A +
> 07-Mar-2008 02:03:31.558 queries: info: client A#1067: query:
> 8m2zdm:4c.k3u86uf1 IN A +
> 07-Mar-2008 02:05:11.501 queries: info: client B#42638: query:
> fug8xatrs.w7m65zq4 IN A +
> 07-Mar-2008 02:05:23.112 queries: info: client C#1031: query:
> ek3hfaui:.t2o91ir1 IN A +
>
> AlanC
>
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
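A defender-side triage of what Alan suggests looking for, added here as an example and not code from the thread: it parses the BIND query-log lines quoted above (rejoined to one line per query, as named writes them), keeps the names matching the 9chars.8chars format, and reports per-client source ports and the gaps between successive queries. The [a-z0-9:] character class is an assumption widened from the [a-z:] stated upthread, since the logged samples contain digits.

```python
import re
from collections import defaultdict
from datetime import datetime

# Query-log lines from the quoted message, rejoined onto one line each.
# Client addresses were already anonymised as A/B/C in the original post.
SAMPLE_LOG = """\
07-Mar-2008 02:01:31.516 queries: info: client A#1067: query: 4wmn1f4:t.g5u97dc9 IN A +
07-Mar-2008 02:03:11.317 queries: info: client B#42637: query: 9ra4hmm9s.u5j87tb6 IN A +
07-Mar-2008 02:03:23.049 queries: info: client C#1031: query: gxmikjfn4.v5w70um3 IN A +
07-Mar-2008 02:03:31.558 queries: info: client A#1067: query: 8m2zdm:4c.k3u86uf1 IN A +
07-Mar-2008 02:05:11.501 queries: info: client B#42638: query: fug8xatrs.w7m65zq4 IN A +
07-Mar-2008 02:05:23.112 queries: info: client C#1031: query: ek3hfaui:.t2o91ir1 IN A +
"""

# BIND 9 query-log layout: timestamp, category, severity, client addr#port, qname, class, type.
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) queries: info: "
    r"client (?P<client>\S+)#(?P<port>\d+): query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)
# 9 chars, dot, 8 chars; [a-z0-9:] is an assumption (the logged names carry digits).
ODD_NAME_RE = re.compile(r"^[a-z0-9:]{9}\.[a-z0-9:]{8}$")


def parse_queries(log_text):
    """Yield (timestamp, client, port, qname) for each well-formed query-log line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip anything that is not a query-log record
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
        yield ts, m["client"], int(m["port"]), m["qname"]


def profile_odd_queries(log_text):
    """Group odd-looking names per client and report source ports and inter-query gaps."""
    per_client = defaultdict(list)
    for ts, client, port, qname in parse_queries(log_text):
        if ODD_NAME_RE.match(qname):
            per_client[client].append((ts, port, qname))
    report = {}
    for client, events in per_client.items():
        events.sort()
        # Seconds between consecutive queries from the same client.
        gaps = [round((b[0] - a[0]).total_seconds(), 3)
                for a, b in zip(events, events[1:])]
        report[client] = {
            "count": len(events),
            "ports": sorted({port for _, port, _ in events}),
            "gaps_s": gaps,
        }
    return report
```

On the quoted sample every client repeats almost exactly 120 seconds apart and A and C reuse one source port, which is the kind of regularity worth correlating across resolvers before guessing at the application.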