Weird hostname showing up in DHCP/DNS

tracedf
Senior Member
 

Weird hostname showing up in DHCP/DNS

Post Posted: Jan 29, 19 04:45

I need some suggestions as to the cause of the following:

Our network administrators noticed that some computer lab machines on our (college) network have hostnames like abc123.someplace.edu.au in our reverse DNS records (so this shows up in any program, e.g. Nessus, that looks up the IP). The machines are not configured with the names we're seeing and we are in the U.S., not someplace.edu.au.

I used dig and confirmed that our DNS server is the authority for our private 10.x.x.x addresses. I believe the PTR records are created automatically when a machine is assigned an address by DHCP. But, I can't figure out why our DNS server resolves this handful of 10.x.x.x addresses to the someplace.edu.au domain.

The machines were rebooted by one of our techs so I don't have a memory dump. I did a search on one of the hard drives and the mysterious machine name (but not the someplace.edu.au domain) was present in three places inside hiberfil.sys.

I didn't see any strange programs in the Windows prefetch, no installed software that worried me, no malware, no strange accounts, no new service installations.

1) What would cause this behavior?

2) What should I look for when I load the hibernation file into Volatility? I'm not very experienced with Volatility but I have played around a little bit.

3) Anything else I should look for on the hard drive?  
 
  

athulin
Senior Member
 

Re: Weird hostname showing up in DHCP/DNS

Post Posted: Jan 29, 19 15:36

- tracedf
Our network administrators noticed that some computer lab machines on our (college) network have hostnames like abc123.someplace.edu.au in our reverse DNS records (so this shows up in any program, e.g. Nessus, that looks up the IP). The machines are not configured with the names we're seeing and we are in the U.S., not someplace.edu.au.


And those programs use only your internal name server? Directly? Or is there some internal DNS first? They don't fall back to 8.8.8.8 or 1.1.1.1? And they don't have any local resolver overrides?

Have you repeated the issue from any other system? Or only from Nessus servers or such?

I used dig and confirmed that our DNS server is the authority for our private 10.x.x.x addresses. I believe the PTR records are created automatically when a machine is assigned an address by DHCP. But, I can't figure out why our DNS server resolves this handful of 10.x.x.x addresses to the someplace.edu.au domain.


Are you the DNS manager? If not, that's very likely who you should ask. If you are, follow up on that 'I believe the PTR records ...' and convert the belief to knowledge.

What about DHCP manager?

To me, it sounds like it might be misconfigured resolvers. That should be easy to check and discard, however.

Or, perhaps, DNS cache poisoning. In the latter case, the problem is likely to go away after a cache clean. Or a DHCP name problem that propagates to DNS -- in which case, inspection of the DHCP config.

The machines were rebooted by one of our techs so I don't have a memory dump. I did a search on one of the hard drives and the mysterious machine name (but not the someplace.edu.au domain) was present in three places inside hiberfil.sys.


I think I would expect that.

2) What should I look for when I load the hibernation file into Volatility?


Not sure why you ask? Why are you using Volatility? Have you formulated a hypothesis about what is going on, and are you using Volatility to test it?

3) Anything else I should look for on the hard drive?


If this is a problem in DHCP or DNS, it may not even originate on the computer you're looking at. You need to find out what it is, then you can start tracing it.
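One concrete way to work through the "misconfigured resolver" and "PTR came from DHCP" hypotheses raised above, added here as an example and not taken from the thread: audit every PTR in the range for zone membership and forward confirmation (FCrDNS), and diff the reverse answers between the authoritative server and whatever resolver the scanning host actually uses. The addresses, names and zone below are constructed sample data; in practice the dictionaries would be filled from `dig -x <ip> @<server>` and `dig A <name> @<server>` runs against each server.

```python
import ipaddress

# Constructed sample: PTR answers from the internal authoritative server.
PTR_INTERNAL = {
    "10.20.1.15": "lab-pc-15.lab.example-college.edu.",
    "10.20.1.16": "lab-pc-16.lab.example-college.edu.",
    "10.20.1.17": "abc123.someplace.edu.au.",             # the oddity from the thread
    "10.20.1.18": "lab-pc-18.lab.example-college.edu.",
}
# Constructed sample: the same reverse lookups via the resolver the scanner host uses.
PTR_SCANNER = {**PTR_INTERNAL, "10.20.1.16": "other.lab.example-college.edu."}
# Constructed sample: forward A answers for the PTR names, from the internal server.
A_INTERNAL = {
    "lab-pc-15.lab.example-college.edu.": ["10.20.1.15"],
    "lab-pc-16.lab.example-college.edu.": ["10.20.1.16"],
    "abc123.someplace.edu.au.": [],                        # nothing forward-resolves
    "lab-pc-18.lab.example-college.edu.": ["10.20.1.99"],  # stale DHCP registration
}
OUR_ZONES = ("lab.example-college.edu.",)

def fqdn(name):
    """Lower-case and dot-terminate a DNS name so comparisons are exact."""
    return name.lower() if name.endswith(".") else name.lower() + "."

def audit_ptr(ptr_records, a_records, our_zones):
    """Return {ip: [findings]} for each PTR that fails the zone or forward check."""
    findings = {}
    for ip in sorted(ptr_records, key=ipaddress.ip_address):
        name, problems = fqdn(ptr_records[ip]), []
        # 1. The reverse name must sit in a zone we actually operate.
        if not any(name.endswith("." + fqdn(z)) for z in our_zones):
            problems.append(f"PTR points outside our zones: {name}")
        # 2. Forward-confirmed reverse DNS: name -> A must include the original IP.
        forward = a_records.get(name, [])
        if ip not in forward:
            problems.append(f"forward lookup of {name} gives {forward or 'nothing'}, not {ip}")
        if problems:
            findings[ip] = problems
    return findings

def resolver_disagreements(internal, other):
    """IPs whose PTR answer differs between the authoritative server and another resolver."""
    return {ip: (internal.get(ip), other.get(ip))
            for ip in set(internal) | set(other) if internal.get(ip) != other.get(ip)}

if __name__ == "__main__":
    print(audit_ptr(PTR_INTERNAL, A_INTERNAL, OUR_ZONES))
    print(resolver_disagreements(PTR_INTERNAL, PTR_SCANNER))
```

A PTR that fails only the forward check points at a stale or renamed DHCP registration; one that fails the zone check as well is the case worth pulling DHCP lease history and DNS update logs for.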
 
  

mattquick
Newbie
 

Re: Weird hostname showing up in DHCP/DNS

Post Posted: Jan 29, 19 16:56

DNS is inherently weak. DNS Infrastructure Tampering?
Do you have a DNS log analyzer?
Control access to Internal/External DNS servers? Windows? Use DNSSEC or have it enabled, set up secure zone transfers
Checklist:
Change DNS Account Passwords (complex and unique passwords).
Update the passwords for all accounts on systems that can make changes to your DNS records.
Add Multi-Factor Authentication (MFA) to DNS Accounts

DNS Infrastructure Tampering - cyber.dhs.gov/ed/19-01/  