Tag Archives: DNS

Fingerprinting DNS clients: Source Ports

One interesting behaviour of DNS clients is source port selection. I did 15,000 queries via different DNS proxies and plotted the source ports of these queries. Compare the results:

For MaraDNS the observed port range was (15000, 19095), for dnscache it was (1025, 65534).

If this was audio equipment, I would praise dnscache for its much better dynamic range :-)

Besides that: if you get lots of queries from a single IP and they are all in the range (15000, 19095), there is a high probability that you are seeing MaraDNS.

Addendum:

Seems I picked the most interesting DNS servers. With PowerDNS and BIND I saw all queries coming from the same source port. What is interesting, though, is that PowerDNS chooses a somewhat unusual port (16807). I have to check the source to understand why it does so.
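The fingerprinting idea above, written out as an added example (this is not code from the post): group the source ports of queries by client IP, compute the observed range, and apply the post's three observed patterns as labels. The log format and the thresholds are assumptions made for this example; the sample lines are constructed, not real traffic.

```python
import re
from collections import defaultdict

# Constructed sample: one line per query seen at an authoritative server,
# in the assumed shape "<client_ip> <source_port> <qname>". Not real traffic.
SAMPLE_LOG = """\
192.0.2.10 15231 example.net
192.0.2.10 17044 example.net
192.0.2.10 19001 example.net
192.0.2.10 16107 example.net
198.51.100.7 1033 example.net
198.51.100.7 40211 example.net
198.51.100.7 65010 example.net
198.51.100.7 2311 example.net
203.0.113.5 16807 example.net
203.0.113.5 16807 example.net
203.0.113.5 16807 example.net
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)$")


def port_ranges(log_text):
    """Return {client_ip: (min_port, max_port, distinct_ports, query_count)}."""
    ports = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        ip, port = m.group(1), int(m.group(2))
        if not 0 < port < 65536:
            continue  # not a valid UDP port
        ports[ip].append(port)
    return {ip: (min(p), max(p), len(set(p)), len(p)) for ip, p in ports.items()}


def classify(stats, min_queries=3):
    """Heuristic label per client. The thresholds are assumptions for this example:
    - exactly one port ever used      -> 'fixed'  (the post saw this for PowerDNS and BIND)
    - span below 5000 ports           -> 'narrow' (MaraDNS-like; post saw 15000-19095)
    - anything wider                  -> 'wide'   (dnscache-like; post saw 1025-65534)
    Clients with fewer than min_queries samples are not labelled."""
    labels = {}
    for ip, (lo, hi, distinct, n) in stats.items():
        if n < min_queries:
            labels[ip] = "insufficient"
        elif distinct == 1:
            labels[ip] = "fixed"
        elif hi - lo < 5000:
            labels[ip] = "narrow"
        else:
            labels[ip] = "wide"
    return labels


if __name__ == "__main__":
    stats = port_ranges(SAMPLE_LOG)
    for ip, label in classify(stats).items():
        lo, hi, distinct, n = stats[ip]
        print(f"{ip:14} range=({lo}, {hi}) distinct={distinct} queries={n} -> {label}")
```

From the defender's side the same numbers matter for a different reason: a client that always uses one port, or a narrow band, gives a forger far less to guess than one spreading over the whole ephemeral range, so this is a useful thing to measure for your own resolvers as well.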

DNS: Somebody else answering

When doing DNS queries I expect something like this: I send a UDP packet from some random high port (let's assume 44444) to a DNS server's port 53 and get back a UDP packet from port 53 to 44444.

But seemingly in about 1.2% of the cases I get the answer back from another port. Ports around 1024, 10000 and 50000 dominate there.

I have no idea what that means. Especially since these answers wouldn't arrive at my machine at all if I had stateful filtering in place.
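The matching a stateful client (or a stateful filter in front of it) performs on the way back, as an added example that is not part of the post: a reply is only accepted if it comes from the server and port we sent to, arrives at the port we sent from, and carries the transaction ID and question we issued. Replies from "another port", as observed above, are counted and dropped. The class and its method names are invented for this example.

```python
import secrets
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Query:
    txid: int       # 16-bit DNS transaction ID we chose
    src_port: int   # our ephemeral port, e.g. 44444 in the post
    server: str     # IP of the server we sent the query to
    qname: str


class PendingQueries:
    """Tracks outstanding queries and accepts only replies whose addressing and
    transaction ID match one of them. Rejections are counted by reason so the
    share of 'reply from another port' events can be measured."""

    def __init__(self):
        self._pending = {}
        self.rejected = Counter()

    def send(self, server, qname, src_port=None):
        """Record a query as sent; returns the Query so the caller can transmit it."""
        txid = secrets.randbelow(65536)
        if src_port is None:
            src_port = 1024 + secrets.randbelow(65536 - 1024)  # random high port
        q = Query(txid, src_port, server, qname)
        self._pending[(server, src_port, txid)] = q
        return q

    def accept(self, src_ip, src_port, dst_port, txid, qname):
        """Return True and retire the query if this reply matches it; else False."""
        if src_port != 53:
            self.rejected["foreign-port"] += 1   # the case the post observed
            return False
        q = self._pending.get((src_ip, dst_port, txid))
        if q is None:
            self.rejected["no-matching-query"] += 1
            return False
        if q.qname.lower() != qname.lower():
            self.rejected["qname-mismatch"] += 1
            return False
        del self._pending[(src_ip, dst_port, txid)]
        return True

    def outstanding(self):
        return len(self._pending)


if __name__ == "__main__":
    p = PendingQueries()
    q = p.send("192.0.2.53", "example.net", src_port=44444)
    print(p.accept("192.0.2.53", 1024, 44444, q.txid, "example.net"))  # reply from wrong port
    print(p.accept("192.0.2.53", 53, 44444, q.txid, "example.net"))    # proper reply
    print(dict(p.rejected))
```

Note that a reply rejected here is indistinguishable, from the client's point of view, from a forged one; whatever the real cause of the 1.2% is, a resolver that ignores the source port check would accept them.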

Half the World wants IPv6?

I asked 500 or so random nameservers on the internet to give me ANY (not ALL) record on the name ‘localhost’ they had at hand.

To my great surprise about half of them returned an IPv6 answer. The graph above shows the returned resource records. Keep in mind that for IPv6 I never got back more than one record, but for IPv4 I often got 13 records for the 13 nameservers.

I expected to get back 127.0.0.1 in 95% of the cases but got this:

 214 AAAA '::1'
  63 A    '127.0.0.1'
  16 A    '192.58.128.30'
  15 A    '198.41.0.4'
  15 A    '192.5.5.241'
  15 A    '192.33.4.12'
  15 A    '128.8.10.90'
  14 A    '192.203.230.10'
  14 A    '192.112.36.4'
  14 A    '168.126.63.1'
  14 A    '128.63.2.53'
  13 A    '202.12.27.33'
  13 A    '198.32.64.12'
  13 A    '193.0.14.129'
  13 A    '192.36.148.17'
  12 A    '192.228.79.201'
   6 A    '62.251.0.6'
   6 A    '193.212.1.10'
   4 A    '211.14.194.250'
...

Learning from my referrers

Deutsche Bank offers a nice case study on intelligence gathering in times of the Interweb. I have written a tutorial on information gathering via DNS and the Web.

Looking for an interesting target to showcase, Deutsche Bank came to mind. Big, international company, complex interactions with other companies. They also sprang to mind because they had just recently pissed off the German security researcher scene. (If some Deutsche Bank techies are reading this: please get your press officer a briefing on how to deal with security researchers, and tell them that yelling at people doesn't make iTAN one bit more secure.) So they were present in my mind as an unfriendly, complex, big company.

I published the tutorial in the relatively obscure teenage mutant ninja hero coders weblog. Two days later I saw referrers from http://lin02-crm.de.db.com:8180/n4e100.

That's within Deutsche Bank's DNS space, and is notable in several respects:

First, how did they find out so fast? It is not as if anybody except a few friends cares about that blog. Maybe somebody has a Google e-mail alert for "deutsche bank", but wouldn't that mean lots of e-mail every day? Somewhat strange.

Let’s check lin02-crm.de.db.com:

md@hextatic ~$ dig lin02-crm.de.db.com
[...]
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 28064

So the name lin02-crm.de.db.com is unknown to the Internet in general; so is the domain de.db.com. We can conclude that:
1) Deutsche Bank uses split-horizon DNS.
2) Deutsche Bank organizes its internal DNS by country.
3) They run some kind of portal, blog or whatever on lin02-crm.de.db.com where a link to my weblog was posted.
4) Good guess that this is running on one of two Linux machines.
5) They have a flat DNS structure within their German domain, or the link was posted on a central(ized) server (I doubt that).

All that found out, without checking a single logfile …

Interesting that Deutsche Bank uses Split Horizon DNS but no referrer scrubbing.
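The inference made in this post, turned into a small check as an added example (not code from the post): take the hostnames out of the Referer values your web server logged and ask the public DNS about them; a name that visitors evidently could resolve but that is NXDOMAIN publicly came from an internal view. So that the example runs offline, the public resolver is replaced by a lookup table; a real run would swap in socket.getaddrinfo. The sample Referer values other than the one quoted in the post are constructed.

```python
import socket
from urllib.parse import urlsplit

# Constructed sample Referer values. The first is the one from the post,
# the rest are made up for this example.
SAMPLE_REFERRERS = [
    "http://lin02-crm.de.db.com:8180/n4e100",
    "https://www.example.com/blog/dns-post",
    "http://intranet-wiki.corp.example/page",
    "not a url",
]

# Stand-in for the public DNS so the example needs no network. Any name not in
# this table is treated as NXDOMAIN, which is what the post saw for de.db.com.
PUBLIC_DNS_TABLE = {"www.example.com": "192.0.2.1"}


def table_resolver(hostname):
    """Offline resolver used by this example; returns True if the name exists."""
    return hostname.lower() in PUBLIC_DNS_TABLE


def live_resolver(hostname):
    """Real lookup against the system resolver (assumed to be a public view)."""
    try:
        socket.getaddrinfo(hostname, None)
        return True
    except socket.gaierror:
        return False


def parent_domains(hostname):
    """The name and each of its parent domains, down to the second level, so every
    level can be checked (the post checked lin02-crm.de.db.com and de.db.com)."""
    labels = hostname.split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def leaked_internal_hosts(referrers, resolver=table_resolver):
    """Hostnames from Referer values that the public DNS cannot resolve."""
    leaked = set()
    for ref in referrers:
        parts = urlsplit(ref)
        host = parts.hostname
        if not host or parts.scheme not in ("http", "https"):
            continue  # not an HTTP URL; nothing to look up
        if not resolver(host):
            leaked.add(host)
    return sorted(leaked)


if __name__ == "__main__":
    for host in leaked_internal_hosts(SAMPLE_REFERRERS):
        print(host, "->", parent_domains(host))
```

The countermeasure the post hints at (referrer scrubbing) is today a one-liner on the internal side: a Referrer-Policy of no-referrer on the internal site, or a proxy that strips the header on the way out, keeps internal hostnames from showing up in other people's logs regardless of split-horizon DNS.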

PTT – the Pen Testing Toolkit

I was planning to release the Pen Testing Toolkit at IT-Underground Berlin, but since this conference is cancelled, it's time to put it on the Web without too much fanfare.

It is very much a work in progress. It is a toolkit, not a process.

That said, I have written a short tutorial series on using it:

* Installation
* DNS-Bruteforcing
* Web-Harvesting

Fun with DNS: The top 75 global companies?

The DNS protocol contains a command called AXFR which requests a so-called 'zone transfer', where a nameserver sends you the complete content of one of its zones, meaning a list of all hosts and subdomains. Zone transfers are nowadays usually blocked. One of the reasons is that a zone transfer might give you interesting insights into a company's structure. Another issue is that the contents of the zone itself can be considered 'secret' information if you see DNS not as an infrastructure service but as a speculation target.

Back in 1997 or so we did a lot of zone transfers for top-level domains to see what's out there. But nowadays all TLD servers would surely have AXFR disabled. With a simple command line I checked:

# fetch the two TLD lists, de-duplicate them, drop comment lines and look up
# the NS records of every TLD; then keep only the NS answer lines, turn each
# into "dig AXFR <tld> @<nameserver>", feed those commands to sh and keep
# everything they return in axfr.txt
curl http://svn.23.nu/svn/repos/ptt/databases/iso.txt \
     http://svn.23.nu/svn/repos/ptt/databases/tlds.txt \
  | sort -u | grep -v '#' | xargs -n 1 dig NS \
  | grep -v ';;' | sort -u | grep -v 'SOA' | grep "NS" \
  | perl -npe 's|(\S+).*NS\t(.*)|dig AXFR $1 \@$2|' \
  | grep -v ';' | sort -ru | sh | tee axfr.txt

It turns out a lot of TLDs allow AXFR. I was able to get the zone contents of the following 78 TLDs:

ad, af, ag, al, an, ao, aq, ba, bf, bg, bi, bj, bm, bn, br, bs, bt, cl, cm, cv, cx, es, fm, gb, gs, in, kh, km, kn, ky, kz, lc, lk, ma, mc, mn, ms, mu, museum, mz, na, ne, ng, ni, np, oz.au, pe, pg, pk, pn, py, sg, sj, sk, sm, sn, sr, st, sz, tc, td, th, tj, tl, tm, to, tr, tt, ua, ug, uk, uy, uz, ve, vg, vi, ye, za, zw.

All in all that were 613132 domain names. The bold TLDs are the ones which contained lots of them.

Is there an issue? Should TLD operators give out all of their records? Is there a privacy issue?

Some of the more interesting ones:

gb.  TXT  "Domain names for United Kingdom go under .uk"
gb.  TXT  "For details see the web page on:  www.nic.uk"
gb.  TXT  "This domain is frozen and will be phased out"

Lacoste, an educational institution?

lacoste.edu.lk.  TXT  "La Chemise Lacoste"

In .bn nobody except the crown prince and the royal wedding is allowed to have their own domain.

Some people are actually using the HINFO resource record:

ns.ni. HINFO "PENTIUM III" "LINUX 2.0"

And then there are lots of entries I really don't understand, like:

1-062005-dns-xml-withwebforwarding-url-mask.GS

Let's see which are the most popular domain names. If we leave out things like nic etc., we get this:

  86 pwc
  79 pricewaterhousecoopers
  79 ciscosystems
  78 cisco
  72 toshiba
  70 fujitsu
  69 epson
  66 shell
  65 canon
  64 rolex
  63 microsoft
  61 mastercard
  60 register
  60 hotmail
  59 yahoo
  59 creditsuisse
  58 xboxlive
  58 verizon
  58 nissan
  57 whirlpool
  57 sms
  57 kitchenaid
  57 credit-suisse
  57 bankofamerica
  57 amazon
  57 3m
  56 visa
  56 msn
  56 morganstanley
  55 xbox
  55 walmart
  55 walmart
  55 sams-club
  55 sams
  55 discovery
  55 bmw
  55 3mcompany
  54 wal-mart
  54 tonline
  54 tcom
  54 t-online
  54 sun
  54 sony
  54 samsclub
  54 hitachi
  54 google
  53 t-systems
  53 t-mobile
  53 t-com
  53 morgan-stanley
  52 tsystems
  52 tmobile
  52 syngenta
  52 philips
  52 nokia
  52 emc
  52 deutschetelekom
  52 deutsche-telekom
  51 walmartstores
  51 wallmart
  51 wal-martstores
  51 volvo
  51 royaldutchshell
  51 rolls-royce
  51 expedia
  51 discoverychannel
  51 cnn
  50 thawte
  50 telekom
  50 sprint
  49 tgroup
  49 t-group
  49 samsclubs
  49 sams-clubs
  49 rollsroyce

Does this mean PricewaterhouseCoopers is the most global company, because its name is registered in the most TLDs?
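The two things done with the transferred zones in this post (pulling out odd records such as the HINFO and TXT ones, and counting in how many TLDs a second-level name shows up) as an added example; this is not the post's own code. It assumes zone lines in the "owner ttl IN type rdata" shape that dig AXFR prints; the sample zone data is constructed, the ignore list is an assumption, and each name is counted once per TLD however often it appears inside a zone.

```python
from collections import defaultdict

# Constructed zone-transfer lines in the shape dig AXFR prints. Not real zone
# data; names, TLDs and nameservers are made up for this example.
SAMPLE_ZONES = """\
pwc.ad.          86400 IN NS    ns1.example.
pwc.bg.          86400 IN NS    ns1.example.
nic.ad.          86400 IN A     192.0.2.1
cisco.ad.        86400 IN NS    ns1.example.
cisco.bg.        86400 IN NS    ns2.example.
cisco.bg.        86400 IN NS    ns1.example.
pwc.cl.          86400 IN NS    ns1.example.
ns.ni.           86400 IN HINFO "PENTIUM III" "LINUX 2.0"
lacoste.edu.lk.  86400 IN TXT   "La Chemise Lacoste"
"""

# Infrastructure labels left out of the popularity count (assumption; the post
# only says "things like nic etc.").
IGNORED_LABELS = {"nic", "ns", "www", "dns"}


def parse_zone_lines(text):
    """Yield (tld, owner, rtype, rdata) for every record line; skip anything else."""
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 5 or parts[2] != "IN":
            continue  # blank line, comment, or not a class-IN record
        owner, rtype, rdata = parts[0].rstrip("."), parts[3], parts[4]
        tld = owner.rsplit(".", 1)[-1]
        yield tld, owner, rtype, rdata


def tlds_seen(text):
    """Which TLD zones the transferred data covers."""
    return sorted({tld for tld, _, _, _ in parse_zone_lines(text)})


def records_of_type(text, rtype):
    """All (owner, rdata) pairs of one record type, e.g. 'HINFO' or 'TXT'."""
    return [(o, r) for _, o, t, r in parse_zone_lines(text) if t == rtype]


def label_tld_counts(text):
    """Count in how many distinct TLDs each second-level label is registered,
    highest first; this is the shape of the post's 'most popular names' list."""
    tlds_per_label = defaultdict(set)
    for tld, owner, _, _ in parse_zone_lines(text):
        labels = owner.split(".")
        if len(labels) != 2:
            continue  # only direct children of the TLD count
        label = labels[0].lower()
        if label in IGNORED_LABELS:
            continue
        tlds_per_label[label].add(tld)
    return sorted(((len(t), label) for label, t in tlds_per_label.items()), reverse=True)


if __name__ == "__main__":
    print("zones:", tlds_seen(SAMPLE_ZONES))
    for count, label in label_tld_counts(SAMPLE_ZONES):
        print(f"{count:4} {label}")
    print(records_of_type(SAMPLE_ZONES, "HINFO"))
```

On the operator's side the point of the post is the configuration, not the script: a zone is only as private as its allow-transfer setting, and a server that answers AXFR for anyone hands over exactly this kind of list to anyone who asks.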

SCO MyDoom migration

Joat wonders if SCO would be liable if they hadn't disappeared from the net to hide from the MyDoom attack. I don't see how they could be.

Also, as I understand Joat, he is angry at SCO for simply deleting www.sco.com instead of pointing it to the IP address 127.0.0.1, which means not a specific host on the Internet but the very computer that is trying to initiate the communication; implying that not doing so means higher costs for ISPs all around the world.

There is a simple reason for them doing so: serving unroutable IP addresses like 127.0.0.1 via the public DNS is illegal. At least that's what I read from the standards, and that's what Vinton Cerf confirmed when I asked for peer review on this issue. Using 127.0.0.1 can generate all kinds of trouble – some of them are outlined in this paper – and SCO was smart to avoid this and to shy away from possible legal exposure in doing so.
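A check for the situation discussed here, as an added example (not from the post): scan the A and AAAA records of a zone you publish and flag any that point at loopback, private or otherwise non-global addresses before they go out to the public DNS. It uses Python's ipaddress classification; the sample records are constructed, except that 198.41.0.4 is taken from the list in the localhost survey above as a known globally routable address.

```python
import ipaddress

# Constructed A/AAAA records, not from any real zone. 198.41.0.4 appears in the
# localhost survey above and serves here as a globally routable address.
SAMPLE_RECORDS = [
    ("www.example.com.", "A", "198.41.0.4"),
    ("sinkhole.example.com.", "A", "127.0.0.1"),
    ("intranet.example.com.", "A", "10.1.2.3"),
    ("v6.example.com.", "AAAA", "::1"),
    ("bogus.example.com.", "A", "not-an-ip"),
    ("mail.example.com.", "MX", "10 mx.example.com."),   # not an address record
]


def address_problem(rdata):
    """Why this address should not appear in a public zone, or None if it is fine."""
    try:
        addr = ipaddress.ip_address(rdata)
    except ValueError:
        return "unparsable"
    if addr.is_loopback:
        return "loopback"      # the 127.0.0.1 / ::1 case from the post
    if addr.is_private:
        return "private"       # RFC 1918, documentation ranges, ULA, ...
    if addr.is_multicast:
        return "multicast"
    if not addr.is_global:
        return "non-global"    # e.g. shared address space, link-local
    return None


def flag_records(records):
    """(owner, rdata, reason) for every A/AAAA record that points somewhere
    a public zone should not advertise; other record types are ignored."""
    flagged = []
    for owner, rtype, rdata in records:
        if rtype not in ("A", "AAAA"):
            continue
        reason = address_problem(rdata)
        if reason:
            flagged.append((owner, rdata, reason))
    return flagged


if __name__ == "__main__":
    for owner, rdata, reason in flag_records(SAMPLE_RECORDS):
        print(f"{owner:24} {rdata:12} {reason}")
```

Run as a pre-publish check on zone files, this catches the case the post describes (a public name resolving to the querying machine itself) together with the more common leak of RFC 1918 addresses into a public zone.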

My paper on DNS forgery has finally been published on paper.