Last Updated: 2013-10-02 18:42:15 UTC
by Johannes Ullrich (Version: 1)
As Adrien mentioned, we are trying to focus on "interesting" logs during October to celebrate "Cyber Security Awareness Month". For security professionals is is important to be aware of what your logs are trying to tell you. We are no looking for ground breaking new events, but just the "stuff you always wondered about what it meant".
I am starting today with a couple of DNS logs. If you haven't seen logs like this yet: You are not doing your job well protecting your network ;-)
I kept the logs as original as possible, but masked out a few IP addresses using "X" and some hostnames with 'example.com'.
1 - RFC 1918 Response
Oct 2 14:32:36 nsint named: client X.X.X.X#50873: RFC 1918 response from Internet for 22.214.171.124.in-addr.arpa
In this case, one of my internal hosts tried to reverse reolve the address 10.64.10.1. 10.0.0.0/8 is however reserved address space per RFC 1918, so this lookup just doesn't make much sense. The DNS server (named) is warning me about this lookup.
2 - FORMERR
Oct 2 14:16:01 nsint named: error (FORMERR) resolving 'ocsp.verisign.net/AAAA/IN': 126.96.36.199#53
One of my hosts tried to connect to ocsp.verisign.net. "OCSP" is a web service used to check if certifiates are valid. You will see connections to this host name from your browser as you visit some HTTPS sites. My network is dual stack, so hosts will attempt IPv4 (A) as well as IPv6 (AAAA) address lookups. Looks like Verisign doesn't support IPv6 and doesn't know what to do with AAAA queries so it is sending a format error (FORMERR) back. This caught my eye because of the security relevance of OCSP. But then again, there is nothing I can or have to do about this error.
3 - DHCP Dynamic Updates
Oct 2 14:27:25 nsint named: client X.X.X.X#38155: signer "dhcpkey" approved Oct 2 14:27:25 nsint named: client X.X.X.X#38155: updating zone 'example.com/IN': deleting an RR at laptop.example.com TXT
My DHCP server is configured to update DNS whenever it sees a new host. To authenticate and encrypt these updates, it uses a key (I call it "dhcpkey"). Since the request came from the DHCP server (masked IP address) and was approved, all is well and this is normal. I would be concerned if these requests get rejected and/or came from an IP address different then the DHCP server.
Here is a log entry for a denied update:
Oct 2 14:03:40 nsint named: client 10.5.0.254#53419: update 'lexample.com/IN' denied
In this case it turned out to be a misconfiguration of the respective zone. Remember: Watching your logs not only keeps attackers out, but also makes your network perform better!
4 - REFUSED
Oct 2 12:47:53 nsint named: error (unexpected RCODE REFUSED) resolving 'example.com/A/IN': 188.8.131.52#53
Here a name server I connected to to lookup example.com refused the query. Odd, as the domain was valid. Could be a misconfigured DNS server, or a network device (Anti-DoS?) interfering with the query.
Got any other DNS logs?