Open Source and information security mailing list archives
 
Message-ID: <200407260658.i6Q6wmq24417@tag.witbe.net>
From: rol at witbe.net (Paul Rolland)
Subject: FW: Question for DNS pros

Hello,

> I've altered the real hostname on our network to "targethost" and altered
> the querying IP to x.x.x.x for privacy reasons.  All these queries are
> *from* the same host.  This pattern is *typical* of what I'm seeing from a
> *number of diverse hosts* from all over the world.
>
> 22:06:10.294071 x.x.x.x.2566 > targethost.utdallas.edu.domain:  29462 NS? . (17)
> 22:06:11.043050 x.x.x.x.2566 > targethost.utdallas.edu.domain:  29463 NS? . (17)
> 22:06:11.791218 x.x.x.x.2566 > targethost.utdallas.edu.domain:  29464 NS? . (17)

Seems to be a query for the NS for the "." (root) zone.
The machine sending the queries is probably configured to use
your server as a complete DNS resolver and transfer all its queries
to your server.

Regards,
Paul
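
The "(17)" ending each quoted tcpdump line is the DNS payload length, and 17 bytes is exactly the size of a one-question query for the root name: a 12-byte header, a 1-byte empty name, and 2 bytes each for type and class. The Python below is an added example, not part of the original message; the function names and the constructed sample packet are assumptions made for illustration.

```python
import struct

QTYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 15: "MX", 28: "AAAA", 255: "ANY"}

def build_query(qid, name, qtype=2, rd=False):
    """Encode a one-question DNS query (class IN) in wire format."""
    flags = 0x0100 if rd else 0                      # RD is the only flag set here
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    labels = [l for l in name.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_query(payload):
    """Decode the header and first question of a DNS query payload."""
    if len(payload) < 12:
        raise ValueError("shorter than a DNS header")
    qid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        if pos >= len(payload):
            raise ValueError("truncated question name")
        n = payload[pos]
        pos += 1
        if n == 0:                                   # zero-length label ends the name
            break
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        if pos + n > len(payload):
            raise ValueError("truncated label")
        labels.append(payload[pos:pos + n].decode("ascii", "replace"))
        pos += n
    if pos + 4 > len(payload):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return {
        "id": qid,
        "is_response": bool(flags & 0x8000),
        "rd": bool(flags & 0x0100),
        "qname": ".".join(labels) + ".",             # no labels at all means the root
        "qtype": QTYPES.get(qtype, str(qtype)),
        "length": len(payload),
    }

# Constructed sample mirroring the first quoted line: ID 29462, NS query for "."
SAMPLE = build_query(29462, ".")

if __name__ == "__main__":
    print(parse_query(SAMPLE))
```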

