[dns-operations] Strange queries found in querylog

Steffen Kluge kluge at fujitsu.com.au
Mon Jun 15 07:03:24 UTC 2009


Hi all,
I've been seeing unusual entries in the querylog of *one* of our
external DNS servers for some time, all from the same client IP address
(which belongs to a customer of ours that shall remain nameless for the
time being). The IP address is that of the client's mail server.

The queries occur at a rate of about 100-200 per minute and look like
this:

15-Jun-2009 16:39:42.588 client xxx.xxx.xxx.xxx#2917: query:
d.svemnz1AitjY3BGTHnil6oZ-GarJWca9bjWxI188MORQyDRMQnY_XJO2aRFS.1gYgqFdcN0dERP5tMKkyailsbzFxODykApy4O-G7Ueqqhd_BpUCw6zI19yhI.aHmmZ5jrNEU_VK80rxVlig3MDKcw6PEoga9Qxr5NyFcQbggWcm4OWtF6gu14.uMISd93SNVmAkG2ab1krFsAkAs-r5Nx56BJwy8sa1t4pPr1A.ts.ciphertrust.net IN A +

As far as I can tell, the queries are always for A records of the form
"d.random.ts.ciphertrust.net", and the "random" part always changes. The
queries always return IP addresses in unallocated netblocks. For example
the query above returns "0.0.0.116".

I was wondering whether anyone here recognises those kind of queries and
knows what they're about.

Ciphertrust being McAfee I'm suspecting that this could be some kind of
hijacking DNS traffic for proprietary purposes (e.g. blacklist lookups
on a secure mail appliance). I'd like to rule out something more
sinister, like DNS tunneling etc.

Thanks and regards
Steffen.




More information about the dns-operations mailing list