[dns-operations] what's ongoing with WEBEX and dot queries

Mayer Hans Hans.Mayer at iiasa.ac.at
Thu Jun 13 07:44:35 UTC 2019


Hi Joelle,

Of course I checked what our DNS servers are doing for such a query. They do the same as they always do when asked for a domain outside our scope and IP range. The server replies with status: REFUSED.

In the meantime I had some e-mail dialog with Cisco. Without giving me details, they mentioned there was an issue with a third-party product, GSLB/ADNS. In any case, this mystery stopped two days ago.


// Hans

--



From: Joelle Maslak <jmaslak at antelope.net>
Sent: Sunday, June 9, 2019 1:09 AM
To: Mayer Hans <Hans.Mayer at iiasa.ac.at>
Cc: dns-operations at lists.dns-oarc.net; Eder Norbert <eder at iiasa.ac.at>; Undercoffer Joe <joseph.undercoffer at iiasa.ac.at>
Subject: Re: [dns-operations] what's ongoing with WEBEX and dot queries

Do you respond to these queries with a large response? (You might want to check.) If you do, it may be a forged source packet asking for . so that your server sends a large "response" to WebEX, amplifying the bandwidth of the attacker.

On Sat, Jun 8, 2019 at 1:49 PM Mayer Hans <Hans.Mayer at iiasa.ac.at> wrote:

Dear All,

Since 2019 06 05 around 10:00 UTC I have seen a much higher number of queries to our name servers for the top-level dot (.).
This happened before too, from anywhere, but with an amount of queries of 5 to 10 times per day. Now we are in a range of an average of 2000 queries per hour up to 7200 queries per hour.

[Attached image: image001.png]

Interestingly, only one of our 4 DNS servers is used for these queries.

All these remote IPs are coming from WEBEX. A reverse lookup ends with something.webex.com
The geo-locations are limited to 4 destinations:
US, San Jose
Netherlands
Republic of Singapore, Singapore
China, Beijing

Did anyone else register this obviously misconfigured DNS from Webex?


Kind regards
Hans

—
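
The check suggested in the thread (does a query for "." draw a large response?) can be expressed as a size comparison on the wire. This is an added example, not part of the thread: the responses are constructed, uncompressed and without EDNS, so the sizes are illustrative, and the 2.0 threshold is an assumption.

```python
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def encode_name(name):
    """Encode a domain name in DNS wire format; '.' is the single zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name=".", qtype=2, txid=0x1234):
    """Build a plain query (no EDNS). qtype 2 = NS, class 1 = IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def build_response(query, rcode, answers=()):
    """Constructed response: echo the question, set QR and RCODE, append RRs."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8100 | rcode, 1, len(answers), 0, 0)
    return header + query[12:] + b"".join(answers)

def ns_record(owner, target, ttl=518400):
    """One uncompressed NS resource record (constructed sample data)."""
    rdata = encode_name(target)
    return encode_name(owner) + struct.pack("!HHIH", 2, 1, ttl, len(rdata)) + rdata

def assess(query, response):
    """Return (rcode name, response/query size ratio, amplifies?)."""
    flags = struct.unpack("!H", response[2:4])[0]
    rcode = RCODES.get(flags & 0x000F, str(flags & 0x000F))
    ratio = round(len(response) / len(query), 2)
    return rcode, ratio, ratio > 2.0  # threshold is an assumption

# Constructed samples: what a REFUSED reply and a full root NS answer look like.
query = build_query(".")
refused = build_response(query, 5)
root_ns = [ns_record(".", f"{c}.root-servers.net") for c in "abcdefghijklm"]
full = build_response(query, 0, root_ns)

if __name__ == "__main__":
    for label, resp in (("REFUSED", refused), ("full NS set", full)):
        print(label, len(query), len(resp), assess(query, resp))
```

A REFUSED reply that only echoes the question is the same size as the query, so a spoofed source gains nothing from it; a server that answers with the full NS set returns many times the query size.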


_______________________________________________
dns-operations mailing list
dns-operations at lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 39187 bytes
Desc: image001.png
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20190613/0d48ade0/attachment.png>

