No subject


Tue Apr 2 00:56:56 UTC 2013


tcpdump, any time my dns cannot answer a request, it asks this guy's
machine.  This sounds to me like some sort of poisoning, though my
understanding is that this isn't exactly what cache poisoning does (I'm
open to correction, however).  Also, I downloaded and installed dnstracer,
expecting that it might tell me that my machine was querying this guy's
box, but it showed that, when he was unable to answer a request, it started
asking the root servers.

Here is a typical failed request from one of my clients....
21:19:28.482248 eth0 < some-pc.1112 > my-dns.53: 11+ A? ww.typed-wrong.com. (39)
21:19:33.208979 eth0 > my-dns.53 > some-pc.1112: 11 NXDomain* 0/1/1 (107)

This prompted the following from my dns....
21:19:33.000061 eth0 > my-dns.1032 > some-other-guy's-dns.53: 63862 A? ww.typed-wrong.com. (39)

I've been seeing this go on all day.  It (apparently) gets triggered by any
failed client request (several hundred customers on a cable-modem net
reference this dns).  I get the same basic result when Windows machines try
to use my dns for WINS resolution, trying to resolve stuff like "VALUED OEM
CUSTOMER".

Obviously, I've obscured real names/IPs above.  I hope I've not muddied the
waters in doing so.  If I'm just being dumb, tell me.  But I suspect
something has (maliciously or not) told my dns to go ask this fellow for
stuff it can't do itself.

Any ideas??

Thanks for your time and help,
Brian Collins
Systems Admin
Newnan Utilities
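The check the poster is doing by eye with tcpdump, as an added example that is not part of the original post: parse the old-style tcpdump DNS summary lines, keep only the queries the resolver itself sends out, and report any destination outside an allowlist together with the names it was asked about. The hostnames `my-dns`, `some-other-guy's-dns` and `a.root-servers.net`, and the sample capture itself, are constructed here to match the post's obscured output; the allowlist is an assumption and would normally hold the root servers plus any forwarders actually configured in named.conf. The useful signal is not a single query but one unexpected host receiving every failed lookup, which is why the report groups names per destination.

```python
import re
from collections import defaultdict

# Old tcpdump DNS query summary, as shown in the post:
#   <time> <iface> <dir> <src>.<port> > <dst>.<port>: <id>[+] <qtype>? <name> (<len>)
# Response lines ("11 NXDomain* 0/1/1 (107)") have no "<qtype>?" and are ignored.
DNS_QUERY = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>[<>])\s+"
    r"(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+(?P<dst>\S+)\.(?P<dport>\d+):\s+"
    r"(?P<id>\d+)(?P<rd>\+?)\s+(?P<qtype>[A-Z]+)\?\s+(?P<name>.+?)\s+\((?P<len>\d+)\)$"
)

# Constructed sample capture in the post's format (hostnames are placeholders).
SAMPLE_CAPTURE = """\
21:19:28.482248 eth0 < some-pc.1112 > my-dns.53: 11+ A? ww.typed-wrong.com. (39)
21:19:33.000061 eth0 > my-dns.1032 > some-other-guy's-dns.53: 63862 A? ww.typed-wrong.com. (39)
21:19:33.208979 eth0 > my-dns.53 > some-pc.1112: 11 NXDomain* 0/1/1 (107)
21:20:01.100000 eth0 > my-dns.1033 > a.root-servers.net.53: 4021 A? www.example.org. (34)
21:20:05.500000 eth0 > my-dns.1034 > some-other-guy's-dns.53: 4022 A? VALUED-OEM-CUSTOMER. (40)
"""


def parse_query(line):
    """Return the fields of a tcpdump DNS query line, or None for anything else."""
    m = DNS_QUERY.match(line.strip())
    return m.groupdict() if m else None


def upstream_queries(lines, resolver):
    """Yield only the queries the resolver itself originates (src == resolver)."""
    for line in lines:
        q = parse_query(line)
        if q and q["src"] == resolver:
            yield q


def report_unexpected_upstreams(lines, resolver, allowed):
    """Map each destination not in `allowed` to the sorted names it was asked for.

    `allowed` is an assumption: the set of upstreams the resolver is supposed to
    talk to (root servers, configured forwarders).  A host outside that set that
    collects every failed lookup is the pattern described in the post.
    """
    seen = defaultdict(set)
    for q in upstream_queries(lines, resolver):
        if q["dst"] not in allowed:
            seen[q["dst"]].add(q["name"])
    return {dst: sorted(names) for dst, names in seen.items()}


if __name__ == "__main__":
    # Allowlist is constructed; in practice list all root servers and forwarders.
    report = report_unexpected_upstreams(
        SAMPLE_CAPTURE.splitlines(), "my-dns", {"a.root-servers.net"}
    )
    for dst, names in report.items():
        print(f"{dst}: {len(names)} name(s) -> {', '.join(names)}")
```

Run it against a saved tcpdump text dump (for example `tcpdump -l -n port 53 > dns.txt`, then feed `open("dns.txt")` instead of the constructed sample); a destination that shows up only for NXDOMAIN-bound names is the one to compare against the forwarders and hints actually present in the server's configuration.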

