How to track DNS resolution sources

Stephane Bortzmeyer bortzmeyer at nic.fr
Wed Dec 3 16:56:23 UTC 2014


On Wed, Dec 03, 2014 at 05:22:58PM +0100,
 Notify Me <notify.sina at gmail.com> wrote 
 a message of 13 lines which said:

> I hope I'm wording this correctly.

Not really :-)

> I had an incident at a client site where a DNS record was being
> spoofed.

How do you know? What steps did you use to assert this? Answers to
these questions would help to understand your problem.

> How does one track down the IP address that's returning the false
> records ?

If it's real DNS spoofing (which I doubt), the source IP address of
the poisoner is forged, so it would not help.

The main tool to use is dig. Let's assume the name that bothers you is
foobar.example.com. Query your local resolver:

dig A foobar.example.com

Query an external resolver, here Google Public DNS:

dig @8.8.4.4 A foobar.example.com

Query the authoritative name servers of example.com. First, to find them:

dig NS example.com

Second, query them (replace the server name by the real one):

dig @a.iana-servers.net. A foobar.example.com
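The three-way comparison described above (local resolver, external resolver, authoritative server), as an added shell example that is not part of the original message. It assumes dig from BIND is installed, that the name sits directly under the zone whose NS records are looked up (foobar.example.com under example.com), and the 192.0.2.x / 203.0.113.x addresses used for offline testing are constructed sample values.

```shell
#!/bin/sh
# Compare the A records for one name as seen from three vantage points
# and flag any disagreement with the authoritative answer.

# normalize: keep only IPv4 answers, sort them, and join into one line so
# two answer sets compare equal regardless of record order.
normalize() {
  printf '%s\n' "$1" \
    | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' \
    | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# compare_answers LOCAL EXTERNAL AUTHORITATIVE
# Prints a verdict; returns 0 when all three agree, 1 otherwise.
compare_answers() {
  local_set=$(normalize "$1")
  ext_set=$(normalize "$2")
  auth_set=$(normalize "$3")
  if [ -z "$auth_set" ]; then
    echo "no A answer from the authoritative server; check the zone first"
    return 1
  fi
  if [ "$local_set" = "$auth_set" ] && [ "$ext_set" = "$auth_set" ]; then
    echo "consistent: $auth_set"
    return 0
  fi
  echo "MISMATCH authoritative=[$auth_set] local=[$local_set] external=[$ext_set]"
  return 1
}

# check_name NAME: live lookups (network required). The parent zone is
# derived by stripping the first label, an assumption that holds only
# when NAME is one label below the zone apex.
check_name() {
  name=$1
  zone=${name#*.}
  local_ans=$(dig +short A "$name")
  ext_ans=$(dig +short @8.8.4.4 A "$name")
  auth_server=$(dig +short NS "$zone" | head -n 1)
  auth_ans=$(dig +short +norecurse "@$auth_server" A "$name")
  compare_answers "$local_ans" "$ext_ans" "$auth_ans"
}

# Usage: check_name foobar.example.com
```

A local answer that disagrees with both the external resolver and the authoritative server points at the local resolver (or a device on the path to it) as the place to investigate next.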



More information about the NANOG mailing list