[176541] in North American Network Operators' Group


Re: How to track DNS resolution sources

daemon@ATHENA.MIT.EDU (Notify Me)
Thu Dec 4 09:23:21 2014

X-Original-To: nanog@nanog.org
In-Reply-To: <CAHnk=ChEy2sFZRE7Q-AWvKxMm0QNRYATYu=gzVTPrTVTeBg_qg@mail.gmail.com>
Date: Thu, 4 Dec 2014 15:23:13 +0100
From: Notify Me <notify.sina@gmail.com>
To: Nicholas Oas <nicholas.oas@gmail.com>,
 "nanog@nanog.org list" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

Hi Nick and List

Yes, it's possible. The dud DNS response in some parts of the internet was
the public IP address being used by their proxy server. I'm not sure what
the proxy is, but it's a Windows box. I was going to try to dig trace but
by then the poisoning suddenly stopped happening. Any other ideas on how
to deal with this? What can I proactively do in case it happens again?

On Thursday, 4 December 2014, Nicholas Oas <nicholas.oas@gmail.com> wrote:

> Is it possible that your client site has a helpful firewall that is
> performing DNS doctoring?
>
> http://www.juniper.net/techpubs/en_US/junos12.1/topics/concept/dns-alg-nat-doctoring-overview.html
>
> The first time I encountered this neither myself nor my customer expected
> it. We upgraded the firewall and suddenly their external hostname
> resolution was coming back with internal IP addresses, as defined by the
> firewall's NAT table.
>
> Note this only really happens with NAT. If the spoofed records are
> internal it's most likely something else.
>
> On Wed, Dec 3, 2014 at 11:22 AM, Notify Me <notify.sina@gmail.com> wrote:
>
>> Hi!
>>
>> I hope I'm wording this correctly. I had an incident at a client site where
>> a DNS record was being spoofed. How does one track down the IP address
>> that's returning the false records? What tool can one use?
>>
>> Thanks!
>>
>>
>>
>>
>> --
>> Sent from MetroMail
>>
>
>

-- 
Sent from MetroMail
