[dns-operations] what's ongoing with WEBEX and dot queries
Mayer Hans
Hans.Mayer at iiasa.ac.at
Thu Jun 13 07:44:35 UTC 2019
Hi Joelle,
Of course I checked what our DNS servers are doing for such a query. They are doing the same as they are doing always if asking for a domain out of our scope and IP range. The server is replying with status: REFUSED.
In the meantime I had some e-mail dialog with Cisco. Without giving me details they mentioned there was an issue with a third party product GSLB/ADNS. In any case this mystery stopped since two days.
// Hans
--
From: Joelle Maslak <jmaslak at antelope.net>
Sent: Sunday, June 9, 2019 1:09 AM
To: Mayer Hans <Hans.Mayer at iiasa.ac.at>
Cc: dns-operations at lists.dns-oarc.net; Eder Norbert <eder at iiasa.ac.at>; Undercoffer Joe <joseph.undercoffer at iiasa.ac.at>
Subject: Re: [dns-operations] what's ongoing with WEBEX and dot queries
Do you respond to these queries with a large response (you might want to check). If you do, it may be a forged source packet asking for . so that your server sends a large "response" to WebEX, amplifying the bandwidth of the attacker.
On Sat, Jun 8, 2019 at 1:49 PM Mayer Hans <Hans.Mayer at iiasa.ac.at<mailto:Hans.Mayer at iiasa.ac.at>> wrote:
Dear All,
Since 2019 06 05 around 10:00 UTC I see a much higher number of queries to our name servers for top level dot (.)
This happened before too from anywhere but with an amount of queries of 5 to 10 times per day. Now we are in a range of average 2000 queries per hour up to 7200 queries per hour.
[cid:image001.png at 01D521CB.DFC70EE0]
Interesting is that only one of our 4 DNS server is used for these queries.
All these remote IP’s are coming from WEBEX. A reverse lookup ends with something.webex.com<http://something.webex.com>
The geo-locations are limited to 4 destinations
US, San Jose
Netherlands
Repulic of Singapore, Singapore
China, Beijing
Did anyone else register this obviously misconfigured DNS from Webex ?
Kind regards
Hans
—
_______________________________________________
dns-operations mailing list
dns-operations at lists.dns-oarc.net<mailto:dns-operations at lists.dns-oarc.net>
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-operations mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20190613/0d48ade0/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 39187 bytes
Desc: image001.png
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20190613/0d48ade0/attachment.png>
More information about the dns-operations
mailing list