How to track DNS resolution sources

Notify Me notify.sina at gmail.com
Thu Dec 4 14:23:13 UTC 2014


Hi Nick and List

Yes it's possible. The dud DNS response in some parts of the internet was
the public IP address being used by their proxy server. I'm not sure what
the proxy is, but it's a windows box. I was going to try to dig trace but
by then the poisoning  suddenly stopped happening. Any other ideas on how
to deal with this ? What can I proactively do in case it happens again?

On Thursday, 4 December 2014, Nicholas Oas <nicholas.oas at gmail.com> wrote:

> Is it possible that your client site has a helpful firewall that is
> performing DNS doctoring?
>
> http://www.juniper.net/techpubs/en_US/junos12.1/topics/concept/dns-alg-nat-doctoring-overview.html
>
> The first time I encountered this neither myself nor my customer expected
> it. We upgraded the firewall and suddenly their external hostname
> resolution was coming back with internal IP addresses, as defined by the
> firewall's NAT table.
>
> Note this only really happens with NAT. If the spoofed records are
> internal its most likely something else.
>
> On Wed, Dec 3, 2014 at 11:22 AM, Notify Me <notify.sina at gmail.com
> <javascript:_e(%7B%7D,'cvml','notify.sina at gmail.com');>> wrote:
>
>> Hi!
>>
>> I hope I'm wording this correctly. I had a incident at a client site where
>> a DNS record was being spoofed. How does one track down the IP address
>> that's returning the false records ? What tool can one use?
>>
>> Thanks!
>>
>>
>>
>>
>> --
>> Sent from MetroMail
>>
>
>

-- 
Sent from MetroMail



More information about the NANOG mailing list