DNS issues and questionable traffic - is my network compromised?

  • From: "Bryan Andrews" <bandrews@xxxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Sat, 9 Feb 2002 14:54:58 -0500

We have been having periodic mail problems sending to a certain domain
that go away if I restart DNS and restart my Exchange server (the
domain in the queue indicates: Unable to bind to the destination server
in DNS)... but it inevitably rears its ugly head. I think my DNS cache is
corrupting, so I go searching for DNS problems.

I am getting this in my DNS logs:

Event Type:     Warning
Event Source:   DNS
Event Category: None
Event ID:       5504
Date:           2/8/2002
Time:           1:54:14 AM
User:           N/A
Computer:       TATL0S07
Description:
The DNS server encountered an invalid domain name in a packet from
207.14.100.134.  The packet is rejected. 

Periodically, 4 times every 2 seconds in intervals of 5 minutes
(thousands of events).

If I check EventID.net this is the response:

Description 
DNS Server encountered invalid domain name in packet from <IP address>.
Packet is rejected.  

Comments 
A.G. As the message is suggesting, the DNS server has received an
invalid domain name. By invalid it means that it contains invalid
characters. MS DNS only supports 0-9, a-z, A-Z, . (dot), and - (hyphen)
as part of a domain name. Some other DNS servers may not strictly
enforce RFC 952 (DOD INTERNET HOST TABLE SPECIFICATION) so invalid names
reach the DNS server and the 5504 message is recorded. Usually this
happens when Forwarders are used by the DNS server. Microsoft suggested
to one user to turn off the forwarder in order to eliminate these
messages. There used to be a Knowledge Base article "Q246797 - DNS EVENT
IDS 5504, 9999, AND 5000 FILL EVENT VIEWER" but is no longer available.
Another condition that may generate these messages is when the Internet
connection is saturated or not working properly (losing packets).
Because of the poor Internet connection, the DNS may receive incomplete
or corrupted data and 5504 is generated.
J.C. "See Q241352 on how to prevent DNS Cache Pollution".

When I check the Q article on cache pollution, it tells me about adding a
registry setting to eliminate non-secure data:

DNS cache pollution can occur if Domain Name System (DNS) "spoofing" has
been encountered. The term "spoofing" describes the sending of
non-secure data in response to a DNS query. It can be used to redirect
queries to a rogue DNS server and can be malicious in nature.

Now if I do a reverse DNS scan on the IP I get:

Reverse DNS Scan
207.14.100.1 gw.snapnames.com (bogus rDNS)
207.14.100.4 gateway1.snapnames.com (bogus rDNS)

What I don't understand is how this is hitting my DNS server. I have ISA
set up with no incoming DNS ports enabled. How are my DNS servers' event
logs recording this? Is this something internal that is querying out to
this IP? Some sort of trojan?

I have also turned on my DNS logging (all settings checked) and cannot
find that IP in any of the log files.

I do, however, have entries pertaining to the domains that I cannot send
email to (sushiclothingco.com and marketatl.com), which is long and will
be the last thing attached. I see it saying RCODE 2 (SERVFAIL), which I
believe is the problem, but the rest is Greek to me.

I know this is not a DNS group, but if anyone here can help with comments
or advice it would be appreciated, as I am not sure if requests are
making it through my ISA server or if I have a serious security issue.

Thanks for any help!

Snd   10.1.2.151      0f81  R Q [8281   DR SERVFAIL]
(15)sushiclothingco(3)com(0)
UDP response info at 010C1F1C
  Socket = 496
  Remote addr 10.1.2.151, port 1105
  Time Query=187657, Queued=187657, Expire=187672
  Buf length = 0x0200 (512)
  Msg length = 0x0025 (37)
  Message:
    XID       0x0f81
    Flags     0x8182
        QR        1 (response)
        OPCODE    0 (QUERY)
        AA        0
        TC        0
        RD        1
        RA        1
        Z         0
        RCODE     2 (SERVFAIL)
    QCOUNT    0x1
    ACOUNT    0x0
    NSCOUNT   0x0
    ARCOUNT   0x0
    Offset = 0x000c, RR count = 0
    Name      "(15)sushiclothingco(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
    AUTHORITY SECTION:
    ADDITIONAL SECTION:

Snd   10.1.2.151      0f82  R Q [8281   DR SERVFAIL] (6)hipinc(3)com(0)
UDP response info at 0115901C
  Socket = 496
  Remote addr 10.1.2.151, port 1108
  Time Query=187657, Queued=187657, Expire=187672
  Buf length = 0x0200 (512)
  Msg length = 0x001c (28)
  Message:
    XID       0x0f82
    Flags     0x8182
        QR        1 (response)
        OPCODE    0 (QUERY)
        AA        0
        TC        0
        RD        1
        RA        1
        Z         0
        RCODE     2 (SERVFAIL)
    QCOUNT    0x1
    ACOUNT    0x0
    NSCOUNT   0x0
    ARCOUNT   0x0
    Offset = 0x000c, RR count = 0
    Name      "(6)hipinc(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
    AUTHORITY SECTION:
    ADDITIONAL SECTION:

Rcv   10.1.2.151      0f86    Q [0001   D   NOERROR] (6)hipinc(3)com(0)
UDP question info at 010F9AAC
  Socket = 496
  Remote addr 10.1.2.151, port 1156
  Time Query=187675, Queued=0, Expire=0
  Buf length = 0x0200 (512)
  Msg length = 0x001c (28)
  Message:
    XID       0x0f86
    Flags     0x0100
        QR        0 (question)
        OPCODE    0 (QUERY)
        AA        0
        TC        0
        RD        1
        RA        0
        Z         0
        RCODE     0 (NOERROR)
    QCOUNT    0x1
    ACOUNT    0x0
    NSCOUNT   0x0
    ARCOUNT   0x0
    Offset = 0x000c, RR count = 0
    Name      "(6)hipinc(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
    AUTHORITY SECTION:
    ADDITIONAL SECTION:

Snd   192.5.6.30      0fd8    Q [0000       NOERROR] (6)hipinc(3)com(0)
UDP question info at 011704AC
  Socket = 520
  Remote addr 192.5.6.30, port 53
  Time Query=0, Queued=0, Expire=0
  Buf length = 0x0200 (512)
  Msg length = 0x001c (28)
  Message:
    XID       0x0fd8
    Flags     0x0000
        QR        0 (question)
        OPCODE    0 (QUERY)
        AA        0
        TC        0
        RD        0
        RA        0
        Z         0
        RCODE     0 (NOERROR)
    QCOUNT    0x1
    ACOUNT    0x0
    NSCOUNT   0x0
    ARCOUNT   0x0
    Offset = 0x000c, RR count = 0
    Name      "(6)hipinc(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
    AUTHORITY SECTION:
    ADDITIONAL SECTION:

Rcv   192.5.6.30      0fd8  R Q [0080       NOERROR] (6)hipinc(3)com(0)
UDP response info at 0117CE2C
  Socket = 520
  Remote addr 192.5.6.30, port 53
  Time Query=187675, Queued=0, Expire=0
  Buf length = 0x0200 (512)
  Msg length = 0x0092 (146)
  Message:
    XID       0x0fd8
    Flags     0x8000
        QR        1 (response)
        OPCODE    0 (QUERY)
        AA        0
        TC        0
        RD        0
        RA        0
        Z         0
        RCODE     0 (NOERROR)
    QCOUNT    0x1
    ACOUNT    0x0
    NSCOUNT   0x3
    ARCOUNT   0x3
    Offset = 0x000c, RR count = 0
    Name      "(6)hipinc(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
    AUTHORITY SECTION:
    Offset = 0x001c, RR count = 0
    Name      "[C00C](6)hipinc(3)com(0)"
      TYPE   NS  (2)
      CLASS  1
      TTL    172800
      DLEN   20
      DATA   (4)DNS1(9)INTERLAND(3)NET(0)
    Offset = 0x003c, RR count = 1
    Name      "[C00C](6)hipinc(3)com(0)"
      TYPE   NS  (2)
      CLASS  1
      TTL    172800
      DLEN   7
      DATA   (4)DNS2[C02D](9)INTERLAND(3)NET(0)
    Offset = 0x004f, RR count = 2
    Name      "[C00C](6)hipinc(3)com(0)"
      TYPE   NS  (2)
      CLASS  1
      TTL    172800
      DLEN   7
      DATA   (4)DNS3[C02D](9)INTERLAND(3)NET(0)
    ADDITIONAL SECTION:
    Offset = 0x0062, RR count = 0
    Name      "[C028](4)DNS1(9)INTERLAND(3)NET(0)"
      TYPE   A  (1)
      CLASS  1
      TTL    172800
      DLEN   4
      DATA   64.224.20.132
    Offset = 0x0072, RR count = 1
    Name      "[C048](4)DNS2[C02D](9)INTERLAND(3)NET(0)"
      TYPE   A  (1)
      CLASS  1
      TTL    172800
      DLEN   4
      DATA   64.224.20.133
    Offset = 0x0082, RR count = 2
    Name      "[C05B](4)DNS3[C02D](9)INTERLAND(3)NET(0)"
      TYPE   A  (1)
      CLASS  1
      TTL    172800
      DLEN   4
      DATA   64.224.20.134

Snd   10.1.2.151      0f83  R Q [8281   DR SERVFAIL]
(9)marketatl(3)com(0)
UDP response info at 011224AC
  Socket = 496
  Remote addr 10.1.2.151, port 1138
  Time Query=187660, Queued=187660, Expire=187675
  Buf length = 0x0200 (512)
  Msg length = 0x001f (31)
  Message:
    XID       0x0f83
    Flags     0x8182
        QR        1 (response)
        OPCODE    0 (QUERY)
        AA        0
        TC        0
        RD        1
        RA        1
        Z         0
        RCODE     2 (SERVFAIL)
    QCOUNT    0x1
    ACOUNT    0x0
    NSCOUNT   0x0
    ARCOUNT   0x0
    Offset = 0x000c, RR count = 0
    Name      "(9)marketatl(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
    AUTHORITY SECTION:
    ADDITIONAL SECTION:

Snd   10.1.2.151      0f83  R Q [8281   DR SERVFAIL]
(9)marketatl(3)com(0)
UDP response info at 011106AC
  Socket = 496
  Remote addr 10.1.2.151, port 1138
  Time Query=187661, Queued=187661, Expire=187676
  Buf length = 0x0200 (512)
  Msg length = 0x001f (31)
  Message:
    XID       0x0f83
    Flags     0x8182
        QR        1 (response)
        OPCODE    0 (QUERY)
        AA        0
        TC        0
        RD        1
        RA        1
        Z         0
        RCODE     2 (SERVFAIL)
    QCOUNT    0x1
    ACOUNT    0x0
    NSCOUNT   0x0
    ARCOUNT   0x0
    Offset = 0x000c, RR count = 0
    Name      "(9)marketatl(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
    AUTHORITY SECTION:
    ADDITIONAL SECTION:

Rcv   10.1.2.151      0f87    Q [0001   D   NOERROR]
(9)marketatl(3)com(14)trendinfluence(3)com(0)
UDP question info at 0115901C
  Socket = 496
  Remote addr 10.1.2.151, port 1138
  Time Query=187677, Queued=0, Expire=0
  Buf length = 0x0200 (512)
  Msg length = 0x0032 (50)
  Message:
    XID       0x0f87
    Flags     0x0100
        QR        0 (question)
        OPCODE    0 (QUERY)
        AA        0
        TC        0
        RD        1
        RA        0
        Z         0
        RCODE     0 (NOERROR)
    QCOUNT    0x1
    ACOUNT    0x0
    NSCOUNT   0x0
    ARCOUNT   0x0
    Offset = 0x000c, RR count = 0
    Name      "(9)marketatl(3)com(14)trendinfluence(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
    AUTHORITY SECTION:
    ADDITIONAL SECTION:

Snd   10.1.2.151      0f87  R Q [8385 A DR NXDOMAIN]
(9)marketatl(3)com(14)trendinfluence(3)com(0)
UDP response info at 0115901C
  Socket = 496
  Remote addr 10.1.2.151, port 1138
  Time Query=187677, Queued=0, Expire=0
  Buf length = 0x0200 (512)
  Msg length = 0x0076 (118)
  Message:
    XID       0x0f87
    Flags     0x8583
        QR        1 (response)
        OPCODE    0 (QUERY)
        AA        1
        TC        0
        RD        1
        RA        1
        Z         0
        RCODE     3 (NXDOMAIN)
    QCOUNT    0x1
    ACOUNT    0x0
    NSCOUNT   0x1
    ARCOUNT   0x0
    Offset = 0x000c, RR count = 0
    Name      "(9)marketatl(3)com(14)trendinfluence(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
    AUTHORITY SECTION:
    Offset = 0x0032, RR count = 0
    Name      "(14)trendinfluence(3)com(0)"
      TYPE   SOA  (6)
      CLASS  1
      TTL    3600
      DLEN   38
      DATA   
                PrimaryServer:
(8)tatl0s03[C032](14)trendinfluence(3)com(0)
                Administrator: (5)admin(0)
                SerialNo     = 904
                Refresh      = 900
                Retry        = 600
                Expire       = 86400
                MinimumTTL   = 3600
    ADDITIONAL SECTION:

Snd   10.1.2.151      0f83  R Q [8281   DR SERVFAIL]
(9)marketatl(3)com(0)
UDP response info at 004D667C
  Socket = 496
  Remote addr 10.1.2.151, port 1138
  Time Query=187663, Queued=187663, Expire=187678
  Buf length = 0x0200 (512)
  Msg length = 0x001f (31)
  Message:
    XID       0x0f83
    Flags     0x8182
        QR        1 (response)
        OPCODE    0 (QUERY)
        AA        0
        TC        0
        RD        1
        RA        1
        Z         0
        RCODE     2 (SERVFAIL)
    QCOUNT    0x1
    ACOUNT    0x0
    NSCOUNT   0x0
    ARCOUNT   0x0
    Offset = 0x000c, RR count = 0
    Name      "(9)marketatl(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
    AUTHORITY SECTION:
    ADDITIONAL SECTION:

Snd   10.1.2.151      0f83  R Q [8281   DR SERVFAIL]
(9)marketatl(3)com(0)
UDP response info at 0109108C
  Socket = 496
  Remote addr 10.1.2.151, port 1138
  Time Query=187665, Queued=187665, Expire=187680
  Buf length = 0x0200 (512)
  Msg length = 0x001f (31)
  Message:
    XID       0x0f83
    Flags     0x8182
        QR        1 (response)
        OPCODE    0 (QUERY)
        AA        0
        TC        0
        RD        1
        RA        1
        Z         0
        RCODE     2 (SERVFAIL)
    QCOUNT    0x1
    ACOUNT    0x0
    NSCOUNT   0x0
    ARCOUNT   0x0
    Offset = 0x000c, RR count = 0
    Name      "(9)marketatl(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
    AUTHORITY SECTION:
    ADDITIONAL SECTION:

Snd   10.1.2.151      0f86  R Q [8281   DR SERVFAIL] (6)hipinc(3)com(0)
UDP response info at 004D540C
  Socket = 496
  Remote addr 10.1.2.151, port 1156
  Time Query=187665, Queued=187665, Expire=187680
  Buf length = 0x0200 (512)
  Msg length = 0x001c (28)
  Message:
    XID       0x0f86
    Flags     0x8182
        QR        1 (response)
        OPCODE    0 (QUERY)
        AA        0
        TC        0
        RD        1
        RA        1
        Z         0
        RCODE     2 (SERVFAIL)
    QCOUNT    0x1
    ACOUNT    0x0
    NSCOUNT   0x0
    ARCOUNT   0x0
    Offset = 0x000c, RR count = 0
    Name      "(6)hipinc(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
    AUTHORITY SECTION:
    ADDITIONAL SECTION:

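As an added example (not part of the original post), the following Python decodes the Snd/Rcv summary lines of the Windows DNS debug log quoted above: it expands the length-prefixed names, unswaps the bracketed flags word (the log prints 8281 for the header value 0x8182) into the RFC 1035 header bits such as QR, RD, RA and RCODE, and checks each name against the character set the EventID.net comment says MS DNS accepts. The sample lines are constructed; names containing compression pointers such as [C00C] are not handled.

```python
import re

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
# Constructed sample summary lines in the shape of the Windows DNS debug log; the
# bracketed word is the DNS header flags with its two bytes swapped (8281 = 0x8182).
SAMPLE_LINES = [
    "Snd   10.1.2.151      0f81  R Q [8281   DR SERVFAIL] (15)sushiclothingco(3)com(0)",
    "Rcv   10.1.2.151      0f86    Q [0001   D   NOERROR] (6)hipinc(3)com(0)",
    "Snd   10.1.2.151      0f87  R Q [8385 A DR NXDOMAIN] (9)marketatl(3)com(14)trendinfluence(3)com(0)",
    "Rcv   203.0.113.9     0abc    Q [0001   D   NOERROR] (5)bad$z(3)com(0)",  # constructed invalid name
]

LINE_RE = re.compile(r"^(Snd|Rcv)\s+(\S+)\s+([0-9a-f]{4})\s+.*?\[([0-9a-f]{4})[^\]]*\]\s+(\S+)")
LABEL_RE = re.compile(r"\((\d+)\)([^()]*)")
VALID_LABEL_RE = re.compile(r"^[A-Za-z0-9-]+$")

def decode_flags(flags):
    """Split the 16-bit DNS header flags word into its RFC 1035 section 4.1.1 fields."""
    return {
        "QR": (flags >> 15) & 1, "OPCODE": (flags >> 11) & 0xF, "AA": (flags >> 10) & 1,
        "TC": (flags >> 9) & 1, "RD": (flags >> 8) & 1, "RA": (flags >> 7) & 1,
        "Z": (flags >> 4) & 7, "RCODE": RCODES.get(flags & 0xF, str(flags & 0xF)),
    }

def decode_name(encoded):
    """Turn '(6)hipinc(3)com(0)' into 'hipinc.com', checking each declared label length."""
    labels = []
    for length, text in LABEL_RE.findall(encoded):
        if int(length) != len(text):
            raise ValueError(f"label length {length} does not match {text!r}")
        labels.append(text)
    return ".".join(label for label in labels if label)

def name_is_valid(name):
    """Character set MS DNS accepts per the EventID.net comment: 0-9, a-z, A-Z, '.', '-'."""
    return all(VALID_LABEL_RE.match(label) for label in name.split("."))

def parse_line(line):
    m = LINE_RE.match(line)  # indented detail lines do not match and yield None
    if not m:
        return None
    direction, addr, xid, swapped, encoded = m.groups()
    word = int(swapped, 16)
    flags = ((word & 0xFF) << 8) | (word >> 8)  # undo the byte swap seen in the log
    name = decode_name(encoded)
    return {"dir": direction, "addr": addr, "xid": xid, "name": name,
            "valid_name": name_is_valid(name), **decode_flags(flags)}

def parse_log(lines):
    return [row for row in map(parse_line, lines) if row]
```

Running `parse_log` over a whole debug log file and filtering on `RCODE == "SERVFAIL"` lists exactly the failed lookups the post is asking about, with the client address and queried name beside each.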