[dns-operations] Strange queries found in querylog

Chisholm, Glenn L Glenn.L.Chisholm at team.telstra.com
Mon Jun 15 11:55:41 UTC 2009

McAfee uses the DNS to look up hashes of binaries to verify if it is a new malware sample since their last definitions update.

This looks like that behavior; they call the malware version Artemis.


On 15/06/09 5:03 PM, "Steffen Kluge" <kluge at fujitsu.com.au> wrote:

Hi all,
I've been seeing unusual entries in the querylog of *one* of our
external DNS servers for some time, all from the same client IP address
(which belongs to a customer of ours that shall remain nameless for the
time being). The IP address is that of the client's mail server.

The queries occur at a rate of about 100-200 per minute and look like

15-Jun-2009 16:39:42.588 client xxx.xxx.xxx.xxx#2917: query:
d.svemnz1AitjY3BGTHnil6oZ-GarJWca9bjWxI188MORQyDRMQnY_XJO2aRFS.1gYgqFdcN0dERP5tMKkyailsbzFxODykApy4O-G7Ueqqhd_BpUCw6zI19yhI.aHmmZ5jrNEU_VK80rxVlig3MDKcw6PEoga9Qxr5NyFcQbggWcm4OWtF6gu14.uMISd93SNVmAkG2ab1krFsAkAs-r5Nx56BJwy8sa1t4pPr1A.ts.ciphertrust.net IN A +

As far as I can tell, the queries are always for A records of the form
"d.random.ts.ciphertrust.net", and the "random" part always changes. The
queries always return IP addresses in unallocated netblocks. For example
the query above returns "".

I was wondering whether anyone here recognises those kinds of queries and
knows what they're about.

Ciphertrust being McAfee, I'm suspecting that this could be some kind of
hijacking DNS traffic for proprietary purposes (e.g. blacklist lookups
on a secure mail appliance). I'd like to rule out something more
sinister, like DNS tunneling etc.

Thanks and regards


Glenn Chisholm

Network Security
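
An added example, not part of the thread and not McAfee or BIND code: a triage pass over BIND querylog lines of the form quoted above that profiles, per client and parent zone, how much data the query names carry. The sample lines, the thresholds and the three-label zone split are assumptions; name-encoded lookups and tunnelling share this profile, so it narrows what to inspect rather than deciding which one it is.

```python
import base64, hashlib, math, re
from collections import Counter, defaultdict

# BIND querylog shape as quoted in the thread:
# "<date> <time> client <ip>#<port>: query: <qname> IN <qtype> <flags>"
LINE_RE = re.compile(r"^(\S+ \d\d:\d\d):\S+ client (\S+?)#\d+: query: (\S+) IN \S+")

def entropy(text):
    """Shannon entropy of text, in bits per character."""
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())

def summarise(lines, zone_labels=3):  # 3 labels is an assumption fitting ts.ciphertrust.net
    """Profile the variable part of query names per (client, parent zone)."""
    groups = defaultdict(list)
    for m in filter(None, map(LINE_RE.match, lines)):  # skip non-query lines
        minute, client, qname = m.groups()
        labels = qname.rstrip(".").split(".")
        zone = ".".join(labels[-zone_labels:]).lower()
        groups[client, zone].append((minute, "".join(labels[:-zone_labels])))
    report = {}
    for key, rows in groups.items():
        prefixes = [prefix for _, prefix in rows]
        report[key] = {
            "queries": len(rows),
            "per_minute": len(rows) / len({minute for minute, _ in rows}),
            "unique_ratio": len(set(prefixes)) / len(rows),
            "mean_prefix_len": sum(map(len, prefixes)) / len(rows),
            "entropy": entropy("".join(prefixes)),
        }
    return report

def data_in_name(stats, min_unique=0.9, min_len=50, min_entropy=4.5):
    """Hypothetical thresholds: names nearly all unique, long and random-looking."""
    return (stats["unique_ratio"] >= min_unique and stats["mean_prefix_len"] >= min_len
            and stats["entropy"] >= min_entropy)

def constructed_sample():
    """Constructed log lines (not taken from the thread), using documentation IPs."""
    lines = []
    for i in range(300):  # 150 queries in each of two minutes
        digest = hashlib.sha512(str(i).encode()).digest()
        blob = base64.urlsafe_b64encode(digest).decode().rstrip("=")
        lines.append(f"15-Jun-2009 16:{39 + i // 150}:{i % 60:02d}.000 client 192.0.2.25"
                     f"#2917: query: d.{blob[:60]}.{blob[60:]}.ts.ciphertrust.net IN A +")
    lines += [f"15-Jun-2009 16:39:{s:02d}.000 client 192.0.2.80#5353: "
              "query: www.example.com IN A +" for s in range(5)]
    return lines
```

Feed `summarise()` the lines of a real querylog file and pass each entry of the report to `data_in_name()`; the groups it flags are the ones worth checking against the zone's owner and the answers returned.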
