Weird hostname show...
 
Notifications
Clear all

Weird hostname showing up in DHCP/DNS

3 Posts
3 Users
0 Likes
1,139 Views
tracedf
(@tracedf)
Posts: 169
Estimable Member
Topic starter
 

I need some suggestions as to the cause of the following

Our network administrators noticed that some computer lab machines on our (college) network have hostnames like abc123.someplace.edu.au in our reverse DNS records (so this shows up in any program, e.g. Nessus, that looks up the IP). The machines are not configured with the names we're seeing and we are in the U.S., not someplace.edu.au.

I used dig and confirmed that our DNS server is the authority for our private 10.x.x.x addresses. I believe the PTR records are created automatically when a machine is assigned an address byDHCP. But, I can't figure out why our DNS server resolves this handful of 10.x.x.x. addresses to to someplace.edu.au domain.

The machines were rebooted by one of our techs so I don't have a memory dump. I did a search on one of the hard drives and the mysterious machine name (but not the someplace.edu.au domain) was present in three places inside hiberfil.sys.

I didn't see any strange programs in the Windows prefetch, no installed software that worried me, no malware, no strange accounts, no new service installations.

1) What would cause this behavior?

2) What should I look for when I load the hibernation file into Volatility? I'm not very experienced with Volatility but I have played around a little bit.

3) Anything else I should look for on the hard drive?

 
Posted : 29/01/2019 3:45 am
(@athulin)
Posts: 1156
Noble Member
 

Our network administrators noticed that some computer lab machines on our (college) network have hostnames like abc123.someplace.edu.au in our reverse DNS records (so this shows up in any program, e.g. Nessus, that looks up the IP). The machines are not configured with the names we're seeing and we are in the U.S., not someplace.edu.au.

And those programs use only your internal name server? Directly? or is there some internal DNS first? They don't fallback to 8.8.8.8 or 1.1.1.1? And they don't have any local resolver overrides?

Have you repeated the issue from any other system. Or only from Nessus servers or such?

I used dig and confirmed that our DNS server is the authority for our private 10.x.x.x addresses. I believe the PTR records are created automatically when a machine is assigned an address byDHCP. But, I can't figure out why our DNS server resolves this handful of 10.x.x.x. addresses to to someplace.edu.au domain.

Are you the DNS manager? If not, that's very likely who you should ask. If you are, follow up on that 'I believe the PTR records …' and convert the belief to knowledge.

What about DHCP manager?

To me, it sounds like it might be misconfigured resolvers. That should be easy to check and discard, however.

Or, perhaps, DNS cache poisioning. In the latter case, the problem is likely to go away after a cache clean. Or a DHCP name problem, that propagates to DNS – in which case, inspection of the DHCP config.

The machines were rebooted by one of our techs so I don't have a memory dump. I did a search on one of the hard drives and the mysterious machine name (but not the someplace.edu.au domain) was present in three places inside hiberfil.sys.

I think I would expect that.

2) What should I look for when I load the hibernation file into Volatility?

Not sure why you ask? Why are you using Volatility? Have you formulated a hypothesis about what is going on, and use Volatility to test it?

3) Anything else I should look for on the hard drive?

If this a problem in DHCP or DNS, it may not even originate on the computer you're looking at. You need to find out what it is, then you can start tracing it.

 
Posted : 29/01/2019 2:36 pm
(@mattquick)
Posts: 1
New Member
 

DNS is inherently weak. DNS Infrastructure Tampering?
Do you have a DNS log analyzer?
Control access to Internal/External DNS servers? Windows? Use DNSSEC or have it enabled, Setup Secure Zone transfers
Checklist
Change DNS Account Passwords (complex and unique passwords).
Update the passwords for all accounts on systems that can make changes to your DNS records.
Add Multi-Factor Authentication (MFA) to DNS Accounts

DNS Infrastructure Tampering - https://cyber.dhs.gov/ed/19-01/

 
Posted : 29/01/2019 3:56 pm
Share: