Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: CSAM - Why am I seeing DNS Requests to IANA.ORG in my Firewall Logs? SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
CSAM - Why am I seeing DNS Requests to IANA.ORG in my Firewall Logs?

As part of Cyber-Security Awareness month, one of our readers sent us an extract from their firewall logs.  The events of interest where a regular pattern of internal hosts making DNS requests to a few hosts at iana.org.

So in other words, thousands of outbound DNS Requests to internet hosts that aren't in any DNS or DHCP configuration inside the organization.  What gives?

After a bit of searching, we found our answer in RFC6304 and RFC6305, also http://support.microsoft.com/kb/259922. I especially like RFC6305's title - "I'm Being Attacked by PRISONER.IANA.ORG!"

In plain english, when you don't have reverse DNS zones set up for your internal subnets, each individual workstation will attempt to register their reverse entry with these hosts at iana.  It's just part of how DNS is architected, it's not specific to any one operating system vendor (so it's not "a windows thing").

The solution?  Configure reverse DNS zones for each zone inside your organization. 

While reverse DNS zones have great applications for penetration testers, they are also *very* desirable for a lot of "legit" reasons:

  • It helps you identify hostnames from ip addresses that might show up in your firewall and other logs (this is a big one)
  • It helps in defining Active Directory "Sites", which will in turn allow you to optimize Domain Controller type queries.  For instance, creating sites for each remote office location in an organization will allow workstations to authenticate to domain controllers in their local office, rather than chewing up WAN bandwidth to authenticate against Domain Controllers at head office.

What other "sysadmin" uses do you routinely use reverse DNS for?  Please let us know using our comment form.

===============
Rob VandenBrink
Metafore

 Rob VandenBrink

542 Posts
ISC Handler
Oct 18th 2013
Subscribe Oct 18th 2013
6 years ago
Create empty rDNS zones for bogons that you *aren't* using as well, thus being a good netizen and not making useless DNS queries to the root servers.

http://www.team-cymru.org/Services/Bogons/
 Anonymous
Quote Oct 18th 2013
6 years ago

Sign Up for Free or Log In to start participating in the conversation!