
DNS Allocation Problem


snouto

Newbie

Posts: 7

Joined: Sat Feb 16, 2008 5:51 pm

Post Fri Feb 22, 2008 3:32 am

DNS Allocation Problem

Hello my friends, I would like to post my problem here.

Yesterday I was playing with intelligence gathering; I was trying to get the DNS of my target with this Unix command

bt~# dig mytarget.com

mytarget.com                          A                  its ip address

but each time I execute this command it returns a new IP address. Even when I try to extract its mail exchanger it gives a new domain each time, like the following

bt~# host -t mx mytarget.com


So, does this target operate using load balancers, which change the IP address, or what is the problem that changes the IP address continuously?

NOTE: one of the IP addresses returned, I searched for it in MSN Live Search and it points to many domains (so I think it is shared hosting).


Why does the IP address change continuously?

dean

Post Fri Feb 22, 2008 12:22 pm

Re: DNS Allocation Problem

Hi Snouto,

It sounds like you're running into DNS round-robin, also known as a fast-flux service network. This allows a single domain name to have thousands of IP addresses assigned to it. Generally the TTL of the RR is set to be very short and so a lookup would return a new IP address nearly every time. This is legitimately used for load-balancing web servers.

This technique has been adopted by bot herders to maintain their botnets and make it next to impossible to take them down. The storm/cme-11 botnet uses this and other techniques to stay up.

http://www.honeynet.org/papers/ff/fast-flux.html

I'm not sure if the domain you are researching is a malicious one or not, but here is a little script I wrote a while back to run continuous lookups of a domain name and show the geographic location of the IP. You will need to install the required Perl modules for it to work.

  Code:
#!/usr/bin/perl -w

#################################################
# Script to track fastflux dns network.
# Shows a very approximate geographical distribution
# Usage: perl lookup.pl -exec
#################################################

use strict;
use warnings;
use Socket qw(inet_aton inet_ntoa AF_INET);   # inet_aton/inet_ntoa/AF_INET come from Socket
use Geo::IP;

# List all domain names to be tracked here.
my @domains = qw(example1.com example2.com example3.com);
my $file = "data.txt";

if (! $ARGV[0] or $ARGV[0] ne "-exec") {
    print "Usage: perl $0 -exec\n";
    print "You need to explicitly tell the script to run with '-exec'\n";
    exit;
}
print "Check of all domains is now running...Use CTRL-C to Quit.\n";

# Last A record seen for each domain, so every domain is only compared with itself.
my %lastip;
# One GeoIP database handle for the whole run.
my $geoip = Geo::IP->new(GEOIP_STANDARD);

while (1) {
    foreach my $hostname (@domains) {            # Cycle through each domain.
        my $packed = inet_aton($hostname);       # undef if the name does not resolve.
        my $target = $packed ? inet_ntoa($packed) : "0.0.0.0";

        if ($target eq "0.0.0.0") {
            print "No IP for $hostname!!!\n";
        }
        elsif (defined $lastip{$hostname} and $target eq $lastip{$hostname}) {
            print "No change to A record for $hostname.\nCurrent record is : $target\n\n";
        }
        else {
            $lastip{$hostname} = $target;
            # Perform reverse lookup. This is to see what the IP actually resolves to.
            my $reverse = gethostbyaddr($packed, AF_INET) || "Unknown";
            # If the country is undefined then record "Unknown".
            my $country = $geoip->country_name_by_addr($target) || "Unknown";

            open (my $fh, ">>", $file) or die "error opening or creating file:$!\n";
            print $fh "($hostname)$country | $target => $reverse\n";
            close ($fh);
        }
        sleep (2); # wait 2 sec. Change lookup frequency here.
    }
}


cheers,
dean
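The same triage dean's script does by hand (does the address keep changing, and does the pool sit in one place or all over the map) can be run offline over lookup results you have already captured. The block below is an added example for this thread, not dean's script and not code from the honeynet paper. It assumes you have saved `dig` answer lines from repeated queries; the IP-to-country table stands in for Geo::IP and is constructed, the sample addresses are from the RFC 5737 documentation ranges, and the thresholds (TTL of 300 s or less, 5 or more unique IPs, 3 or more countries) are illustrative assumptions rather than published values.

```python
"""Triage a series of A-record lookups as static, round-robin, or fast-flux-like.

Added example for this thread. It works offline over lookup results captured
earlier (for instance with `dig` every few seconds) and over a constructed
IP-to-country table standing in for Geo::IP. Thresholds are assumptions.
"""
from typing import Dict, List, Sequence, Tuple

Lookup = List[Tuple[str, int]]  # the A records (ip, ttl) returned by one query


def parse_dig_answer(text: str) -> Lookup:
    """Extract (ip, ttl) pairs from dig ANSWER SECTION lines: name ttl IN A ip."""
    records: Lookup = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[2] == "IN" and parts[3] == "A":
            records.append((parts[4], int(parts[1])))
    return records


def analyse(lookups: Sequence[Lookup], geo: Dict[str, str]) -> Dict[str, object]:
    """Summarise churn across repeated lookups and classify it (assumed thresholds)."""
    ips_per_lookup = [sorted(ip for ip, _ in lk) for lk in lookups]
    all_ips = {ip for lk in lookups for ip, _ in lk}
    ttls = [ttl for lk in lookups for _, ttl in lk]
    min_ttl = min(ttls) if ttls else 0
    # How often the answer set differs from the previous lookup.
    changes = sum(1 for a, b in zip(ips_per_lookup, ips_per_lookup[1:]) if a != b)
    countries = {geo.get(ip, "Unknown") for ip in all_ips}

    if len(all_ips) <= 1:
        verdict = "static"
    elif min_ttl <= 300 and len(all_ips) >= 5 and len(countries) >= 3:
        # Large, geographically scattered pool with short TTLs: the pattern
        # dean describes above for fast-flux networks.
        verdict = "fast-flux-like"
    else:
        # Rotation within a small pool hosted in one place: ordinary load balancing.
        verdict = "round-robin"
    return {
        "lookups": len(lookups),
        "unique_ips": len(all_ips),
        "min_ttl": min_ttl,
        "changes": changes,
        "unique_countries": len(countries),
        "verdict": verdict,
    }


# Constructed sample data using RFC 5737 documentation address ranges.
GEO = {  # constructed IP -> country table standing in for Geo::IP
    "192.0.2.10": "UK", "192.0.2.11": "UK", "192.0.2.12": "UK",
    "198.51.100.5": "BR", "198.51.100.77": "AU", "203.0.113.9": "KR",
    "203.0.113.40": "US", "203.0.113.200": "DE", "198.51.100.130": "JP",
}

# Three servers rotating with a 60 s TTL, all in one country.
ROUND_ROBIN = [[("192.0.2.10", 60)], [("192.0.2.11", 60)], [("192.0.2.12", 60)],
               [("192.0.2.10", 60)], [("192.0.2.11", 60)], [("192.0.2.12", 60)]]

# Constructed dig output for one query, followed by three later queries.
FAST_FLUX_TEXT = """;; ANSWER SECTION:
mytarget.com.  180  IN  A  198.51.100.5
mytarget.com.  180  IN  A  203.0.113.9
"""
FAST_FLUX = [
    parse_dig_answer(FAST_FLUX_TEXT),
    [("198.51.100.77", 120), ("203.0.113.40", 120)],
    [("203.0.113.200", 90), ("198.51.100.130", 90)],
    [("198.51.100.5", 200), ("203.0.113.200", 200)],
]

if __name__ == "__main__":
    for label, series in (("round-robin sample", ROUND_ROBIN), ("fast-flux sample", FAST_FLUX)):
        print(label, analyse(series, GEO))
```

The round-robin sample changes address on every lookup just as snouto observed, yet it stays within three addresses in one country, which is why address churn alone is not enough to call something fast-flux; the country spread and pool size are what separate the two cases.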

shawal

Jr. Member

Posts: 88

Joined: Mon Mar 10, 2008 1:24 pm

Post Mon Mar 10, 2008 3:39 pm

Re: DNS Allocation Problem

Snouto,
Dean's answer is very informative; what I can add is the following: did you try http://www.robtex.com/dns/ ? I have found it very useful in information gathering (passive phase) when it comes to DNS and IP interrogation/search.

take care
RHCE, GIAC GCIH.

RoleReversal


Hero Member

Posts: 929

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Tue Mar 11, 2008 9:31 am

Re: DNS Allocation Problem

Dean,

nice script, thanks for sharing ;D

LSOChris

Post Tue Mar 11, 2008 2:13 pm

Re: DNS Allocation Problem

wins a prize and still contributes...that's good stuff

SynJunkie

Jr. Member

Posts: 71

Joined: Thu Apr 17, 2008 2:41 pm

Location: UK

Post Thu Apr 17, 2008 3:35 pm

Re: DNS Allocation Problem

Hi,

This post is a bit old so I'm not sure if it is still relevant to you, but a nice tool to confirm your details of shared hosting is the "hostnames on IP" under Nameserver on www.serversniff.net

Regards

SynJunkie
----------------------------------
http://synjunkie.blogspot.com
