Internet wide DNS scanning

Published: 2013-10-17
Last Updated: 2013-10-17 16:06:18 UTC
by Adrien de Beaupre (Version: 1)
9 comment(s)

We have received a request from a research group to let everyone know that they will be conducting Internet wide scanning of DNS servers. This is their request:

"Our team at the Network Architectures and Services Dept. (I8) of TU München, Germany, has started a DNS scan. This has similar goals as the scans that we have conducted for SSL and SSH in the past months. Once again, the purpose is purely scientific. The scanning machine is 131.159.14.42. We are querying DNS servers to resolve host names. We do not in any way try to compromise the servers. Additionally, the load caused by our activities should be very low on a single server. The idea of our queries is to get a better understanding of the inner workings of DNS, one of the most ubiquitous protocols of the Internet. We would appreciate it very much if you added a comment in your database. Please note that we respond to every complaint and are happy to blocklist systems with annoyed admins."

Their purpose is scientific research. Interesting, I call scanning without permission unethical, and rude. If you do not want to be part of the research, I recommend that you block all DNS requests from that IP address. They have performed similar SSH and SSL scans in the past, from different IP addresses. What do you think? Let us know via our Contact Us page or in comments below.

Let's be careful out there!

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.
My SANS Teaching Schedule

Keywords: dns scanning
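
For the blocking recommendation above, an added example (not part of the original diary) that summarizes what the announced scanning address asked a name server, based on its query log, so the block can be checked before and after it goes in. The BIND-style log format, the `summarize` helper and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Address announced in the request quoted above; pass other networks as needed.
ANNOUNCED = ["131.159.14.42/32"]

# BIND-style query log line (assumed format). The "(name)" after the client
# port only appears in newer BIND versions, so it is optional here.
LINE = re.compile(
    r"client (?:@\S+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
)

# Constructed sample log lines, not captured traffic.
SAMPLE_LOG = """\
17-Oct-2013 10:01:02.101 client 131.159.14.42#40112: query: www.example.org IN A + (192.0.2.53)
17-Oct-2013 10:01:02.350 client 198.51.100.7#5353: query: mail.example.org IN MX + (192.0.2.53)
17-Oct-2013 10:01:03.007 client 131.159.14.42#40113 (example.net): query: example.net IN A + (192.0.2.53)
17-Oct-2013 10:01:04.412 client 131.159.14.42#40114: query: www.example.org IN A - (192.0.2.53)
garbage line that does not parse
"""


def summarize(log_text, networks=ANNOUNCED):
    """Count queries per (qname, qtype, recursion desired) from the given networks."""
    nets = [ipaddress.ip_network(n) for n in networks]
    hits, skipped = Counter(), 0
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            skipped += 1  # not a query line, or a format this regex does not know
            continue
        try:
            src = ipaddress.ip_address(m["ip"])
        except ValueError:
            skipped += 1
            continue
        if any(src in n for n in nets if n.version == src.version):
            # In BIND query logs the flags field starts with "+" when RD is set.
            recursive = m["flags"].startswith("+")
            hits[(m["qname"].lower(), m["qtype"], recursive)] += 1
    return hits, skipped


if __name__ == "__main__":
    hits, skipped = summarize(SAMPLE_LOG)
    for (qname, qtype, rd), n in hits.most_common():
        print(f"{n:4d}  {qname} {qtype} recursion_desired={rd}")
    print(f"unparsed lines: {skipped}")
```

Queries that still show up from the address after the block is in place mean the filter is not applied on the path those packets take.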

Comments

"Interesting, I call scanning without permission unethical, and rude."
Yes that's very interesting:)
Utilizing TCP/IP for its intended purpose is hardly unethical. If you don't want everyone on the internet probing your DNS then simply restrict the port. If you attach a computer to the internet, start a service that binds a TCP/IP port and then listens for remote connections on that port, you can hardly be incensed about, or pass ethical judgment, on the packets that show up.
Amen
I was hit by these losers a couple years ago, and they've been on my blocklist ever since. Screw them and their BS research.

Institut fuer Informatik der TU Muenchen - Germany (malicious scanning)
188.95.234.0/24
131.159.0.0/16
"Interesting, I call scanning without permission unethical, and rude."

Agree. Aren't Europeans supposed to be better mannered w/ respect to privacy and so forth? Or are they just pretenders that go after big stories/deep pockets like Google, Microsoft, etc.
"Utilizing TCP/IP for its intended purpose is hardly unethical. If you don't want everyone on the internet probing your DNS then simply restrict the port. If you attach a computer to the internet, start a service that binds a TCP/IP port and then listens for remote connections on that port, you can hardly be incensed about, or pass ethical judgment, on the packets that show up."

So if I leave my keys in my car and the doors aren't locked, it's OK to drive it away?
Ignoring the ethics, here's someone who has recently done the same: http://blog.erratasec.com/2013/09/im-scanning-udp53-right-now.html
"Utilizing TCP/IP for its intended purpose is hardly unethical. If you don't want everyone on the internet probing your DNS then simply restrict the port. If you attach a computer to the internet, start a service that binds a TCP/IP port and then listens for remote connections on that port, you can hardly be incensed about, or pass ethical judgment, on the packets that show up."

"So if I leave my keys in my car and the doors aren't locked, it's OK to drive it away? "

I largely agree with the "Utilizing TCP/IP for its intended purpose is hardly unethical..." comment.

My car is private property, whereas publicly addressable DNS is intentionally a service on the internet intended to be broadly, if not universally, available to anyone else on the internet to query.

That said, whether or not the "research" falls under the intended purpose of making one's DNS available is to me the question at hand. One could quite easily argue that such "research" probing is not within the intended purpose of making one's DNS available, particularly if it attempts to perform rather invasive probing. This seems to me a decision to be left up to each DNS owner.

TG
I don't think your comparison is the same. If you drive your car to a public parking lot, anyone has the right to look at it, look in the windows, write down your license plate number, make, model, type of tires, take a picture of it, etc. No one has the right to enter it uninvited, cause damage, wait for you to show up and steal your purse/wallet, etc. Scanning Internet attached devices is like looking at the cars in the parking lot.
