[dns-operations] Strange queries found in querylog

Steffen Kluge kluge at fujitsu.com.au
Fri Jun 19 03:46:58 UTC 2009


I've received a couple of replies off-list that confirmed what I was
hoping for. The queries are used by a McAfee email appliance as part of
a reputation based sender scoring system. Ain't DNS versatile... ;)

Sorry for the noise.

Cheers
Steffen.

On Mon, 2009-06-15 at 07:03 +0000, Steffen Kluge wrote:
> Hi all,
> I've been seeing unusual entries in the querylog of *one* of our
> external DNS servers for some time, all from the same client IP address
> (which belongs to a customer of ours that shall remain nameless for the
> time being). The IP address is that of the client's mail server.
> 
> The queries occur at a rate of about 100-200 per minute and look like
> this:
> 
> 15-Jun-2009 16:39:42.588 client xxx.xxx.xxx.xxx#2917: query:
> d.svemnz1AitjY3BGTHnil6oZ-GarJWca9bjWxI188MORQyDRMQnY_XJO2aRFS.1gYgqFdcN0dERP5tMKkyailsbzFxODykApy4O-G7Ueqqhd_BpUCw6zI19yhI.aHmmZ5jrNEU_VK80rxVlig3MDKcw6PEoga9Qxr5NyFcQbggWcm4OWtF6gu14.uMISd93SNVmAkG2ab1krFsAkAs-r5Nx56BJwy8sa1t4pPr1A.ts.ciphertrust.net IN A +
> 
> As far as I can tell, the queries are always for A records of the form
> "d.random.ts.ciphertrust.net", and the "random" part always changes. The
> queries always return IP addresses in unallocated netblocks. For example
> the query above returns "0.0.0.116".
> 
> I was wondering whether anyone here recognises this kind of query and
> knows what they're about.
> 
> Ciphertrust being McAfee, I'm suspecting that this could be some kind of
> hijacking DNS traffic for proprietary purposes (e.g. blacklist lookups
> on a secure mail appliance). I'd like to rule out something more
> sinister, like DNS tunneling etc.
> 
> Thanks and regards
> Steffen.
> 
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
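One way to tell the two explanations apart in the querylog, as an added example that is not part of the thread and not McAfee's or DNS-OARC's code: parse lines in the format quoted above and flag (client, parent domain) pairs that send many distinct names with long, high-entropy leading labels, the shape that both a DNS tunnel and the reputation lookups described in the reply share. The sample lines, the thresholds and the 192.0.2.10 client address are constructed; a product identified the way this thread did is then simply allow-listed by its parent domain.

```python
import math
import re
from collections import Counter, defaultdict

# BIND querylog format as on the page: "<date> <time> client <ip>#<port>: query: <name> IN <type> <flags>"
QUERYLOG_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")

# Constructed sample lines; the client address is from the 192.0.2.0/24 documentation range.
SAMPLE_LINES = [
    "15-Jun-2009 16:39:42.588 client 192.0.2.10#2917: query: d.k3Jf9Qz2LmX8vB4nR7tY1wC6pD0sE5gH.aU2iO8eN4rT6yM1qW3zX9cV5bJ7.ts.ciphertrust.net IN A +",
    "15-Jun-2009 16:39:43.101 client 192.0.2.10#2918: query: d.P8mW2xK5nB9cV3zL7fR1tQ4yJ6hA0sD2gE.iU9oN3eT7rY1wM5qX8zC2vB4.ts.ciphertrust.net IN A +",
    "15-Jun-2009 16:39:43.640 client 192.0.2.10#2919: query: d.Z4hQ7kL1mN8bV2cX5pR9tW3yF6jA0sG2dE.oU1iY4eT8rM2wQ6zX9vC3bN5.ts.ciphertrust.net IN A +",
    "15-Jun-2009 16:39:44.002 client 192.0.2.10#2920: query: www.example.com IN A +",
]

def shannon_entropy(s):
    """Bits per character: a run of one character scores 0, random base64-like text scores above 4."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def parse_querylog_line(line):
    """Return {'client', 'qname', 'qtype'} for a querylog line, or None if it is not one."""
    m = QUERYLOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["qname"] = rec["qname"].rstrip(".")  # case is kept so mixed-case encodings keep their entropy
    return rec

def base_domain(qname, depth=3):
    """Last `depth` labels, e.g. 'ts.ciphertrust.net' for the names quoted on the page."""
    return ".".join(qname.split(".")[-depth:])

def suspicious_names(lines, min_encoded_len=40, min_entropy=4.0, min_count=3):
    """Group queries by (client, base domain); flag groups with at least `min_count` distinct
    names whose labels in front of the base domain are long and high-entropy.
    Returns {(client, base): number of distinct flagged names}."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_querylog_line(line)
        if rec is None:
            continue
        qname, base = rec["qname"], base_domain(rec["qname"])
        if qname == base:
            continue  # nothing in front of the base domain, e.g. www.example.com
        encoded = qname[: -len(base) - 1].replace(".", "")
        if len(encoded) >= min_encoded_len and shannon_entropy(encoded) >= min_entropy:
            seen[(rec["client"], base)].add(qname)
    return {key: len(names) for key, names in seen.items() if len(names) >= min_count}
```

Run over a real querylog, the output is a short list of (client, parent domain) pairs to look at, which is exactly the question the original post was asking; adding the per-minute rate from the timestamp field is a natural next refinement.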
