What (Besides NXDOMAINs) Do We See on Farsight Security's DNS Errors Channel?
Introduction
When a DNS query is made, the Domain Name System returns a response code (RCODE) as part of its response. That code is either zero, meaning NOERROR, or non-zero, indicating that a problem of some sort occurred.
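To make the response code concrete, here is an added Python example (not code from the original article or from Farsight) that extracts the RCODE from a DNS response in wire format. It constructs its own test messages rather than using captured traffic, and it shows the detail that matters when you parse error feeds: the header carries only a 4-bit RCODE, so values of 16 and above (such as BADVERS) exist only when an EDNS(0) OPT pseudo-record supplies the upper bits. Codes with no name in the table are reported as "{UNKNOWN}", the label used in the distribution further down.

```python
import struct

# RCODE values and names (RFC 1035 header codes 0-10, EDNS(0) BADVERS 16).
RCODE_NAMES = {
    0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP",
    5: "REFUSED", 6: "YXDOMAIN", 7: "YXRRSET", 8: "NXRRSET", 9: "NOTAUTH",
    10: "NOTZONE", 16: "BADVERS",
}
OPT_TYPE = 41


def _skip_name(msg, off):
    """Advance past a wire-format name, stopping at a compression pointer."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # two-byte pointer ends the name
            return off + 2
        off += 1 + length


def response_rcode(msg):
    """Return (rcode, name) for a DNS response message.

    The header holds only the low 4 bits of the RCODE; if an OPT pseudo-RR is
    present, the top byte of its TTL field supplies bits 4-11."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _ident, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    rcode = flags & 0x000F
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4            # QTYPE + QCLASS
    for _ in range(ancount + nscount + arcount):
        off = _skip_name(msg, off)
        rtype, _rclass, ttl, rdlength = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE:
            rcode |= ((ttl >> 24) & 0xFF) << 4
        off += 10 + rdlength
    return rcode, RCODE_NAMES.get(rcode, "{UNKNOWN}")


def build_response(qname, rcode, edns=False):
    """Construct a minimal response for qname carrying `rcode` (test data made
    for this example, not captured traffic). With edns=True an OPT record
    carries the extended RCODE bits; without it, bits above 3 are lost."""
    flags = 0x8180 | (rcode & 0x000F)          # QR, RD, RA + low 4 RCODE bits
    header = struct.pack("!6H", 0x1234, flags, 1, 0, 0, 1 if edns else 0)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    question += b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    msg = header + question
    if edns:
        ext = (rcode >> 4) & 0xFF
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, ext << 24, 0)
    return msg


if __name__ == "__main__":
    for code, edns in ((5, False), (2, False), (16, True), (16, False)):
        print(code, edns, response_rcode(build_response("example.com.", code, edns)))
```

The last case in the demo is the one to remember: a server that wants to say BADVERS but omits the OPT record produces a message that parses as NOERROR, and a feed consumer that only reads the header flags will miscount such responses.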
The most common error code, and the one most people are typically interested in, is NXDOMAIN, "this domain does not exist." On a typical day, half or more of all DNS errors are NXDOMAINs. NXDOMAINs are so common (and so interesting to our customers!) that Farsight has created a special Security Information Exchange (SIE) channel devoted exclusively to efficiently sharing NXDOMAIN traffic, Channel 221. However, NXDOMAIN responses are not the only sort of error response we see, and this article is NOT about NXDOMAINs and Channel 221. This article is instead about all the other DNS response codes, as shared in detail on Security Information Exchange Channel 220, Farsight's "DNS Errors" channel.
Looking at 10 million observations drawn from Channel 220 in late January 2016, we saw the following distribution of non-zero response codes:

  4,899,244  NXDOMAIN   (49.0%)
  3,956,941  REFUSED    (39.6%)
  1,092,162  SERVFAIL   (10.9%)
     31,247  FORMERR     (0.3%)
     20,295  NOTIMP      (0.2%)
         63  NOTAUTH    (<0.1%)
         43  NXRRSET    (<0.1%)
          5  {UNKNOWN}  (<0.1%)
Clearly, once you get past NXDOMAINs, most of what we see in the way of DNS errors consists of just two response codes: REFUSED and SERVFAIL. (We will not consider the remaining obscure, infrequently seen response codes in this article.)
REFUSEDs
Some DNS servers are configured to answer queries for a given zone only from selected query sources. For example, queries for an intranet-only domain might be answered only if they originate from within that intranet, and get REFUSED if they originate from anywhere else. REFUSED is also the usual answer when a recursive resolver receives a query from a client that is not on its list of permitted clients, so a REFUSED by itself does not tell you which of those two policies was applied; the name being asked for, and who is asking, do.
If we drill down and look at the domains associated with a big batch of REFUSEDs, we can find domain names that generate a disproportionate number of REFUSED errors. In our sample of 10,000,000 observations from Channel 220, there were 188,191 distinct REFUSED FQDNs. The set of REFUSED FQDN observations was then processed by:
- Aggregating observations by FQDN
- Sorting in descending order by count, with an arbitrary threshold of 10,000 observations per aggregated FQDN
- Clumping related FQDNs together
- Excluding hits for in-addr.arpa
- Anonymizing the hash-like labels of the testflightapp.com names seen (shown as [snip] below)
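As an added example (not the article's or Farsight's own tooling), the Python below runs that pipeline over a small constructed feed of "RCODE QNAME" lines: it counts response codes, then aggregates the REFUSED names, drops in-addr.arpa, anonymizes hash-like labels, applies a threshold and orders the survivors by clump. The feed format, the two-label base-domain clumping, the hex-label anonymization rule and the threshold of 2 (instead of the article's 10,000, which a tiny sample cannot reach) are all assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample of "RCODE QNAME" observations standing in for Channel 220
# records. These lines are made up for the example; they are not SIE data.
SAMPLE_FEED = """\
REFUSED dell-alive.singleclicksystems.com.
REFUSED dell-alive2.singleclicksystems.com.
REFUSED dell-alive.singleclicksystems.com.
REFUSED 3f2a6da8.sdk.testflightapp.com.
REFUSED 3f2a6da8.sdk.testflightapp.com.
REFUSED 9c01f6ee.sdk.testflightapp.com.
REFUSED 4.3.2.1.in-addr.arpa.
REFUSED 4.3.2.1.in-addr.arpa.
REFUSED shadowsrepo.info.
NXDOMAIN nonexistent.example.
SERVFAIL wpad.example.
"""

HEX_LABEL = re.compile(r"^[0-9a-f]{8,}$")


def parse(feed):
    """Yield (rcode, qname) pairs; names are lowercased and given a trailing
    dot so that case variants of one FQDN aggregate together."""
    for line in feed.splitlines():
        if line.strip():
            rcode, qname = line.split()
            yield rcode, qname.lower().rstrip(".") + "."


def rcode_distribution(feed):
    """Per-RCODE counts and shares, highest first (the article's first table)."""
    counts = Counter(rcode for rcode, _ in parse(feed))
    total = sum(counts.values())
    return [(rcode, n, n / total) for rcode, n in counts.most_common()]


def base_domain(fqdn, labels=2):
    """Clump related FQDNs by their last `labels` labels. This is an
    approximation assumed for the example: a public-suffix list would be
    needed to clump names under suffixes such as co.uk correctly."""
    return ".".join(fqdn.rstrip(".").split(".")[-labels:]) + "."


def anonymize(fqdn, under="sdk.testflightapp.com."):
    """Replace hash-like labels under `under` with [snip] plus their last four
    hex digits, mirroring how the article presents testflightapp.com names."""
    if not fqdn.endswith("." + under):
        return fqdn
    head = fqdn[: -len(under) - 1]
    labels = [f"[snip]{l[-4:]}" if HEX_LABEL.match(l) else l for l in head.split(".")]
    return ".".join(labels) + "." + under


def top_refused(feed, threshold=2):
    """REFUSED FQDNs at or above `threshold` hits, excluding in-addr.arpa,
    anonymized, ordered by clump (base domain) total and then by FQDN count."""
    per_fqdn = Counter()
    for rcode, qname in parse(feed):
        if rcode == "REFUSED" and not qname.endswith(".in-addr.arpa."):
            per_fqdn[anonymize(qname)] += 1
    kept = {f: n for f, n in per_fqdn.items() if n >= threshold}
    clump_total = Counter()
    for f, n in kept.items():
        clump_total[base_domain(f)] += n
    ordered = []
    for base, _ in clump_total.most_common():
        members = [(f, n) for f, n in kept.items() if base_domain(f) == base]
        ordered.extend(sorted(members, key=lambda item: -item[1]))
    return ordered


if __name__ == "__main__":
    for rcode, n, share in rcode_distribution(SAMPLE_FEED):
        print(f"{n:>10,} {rcode:<10} ({share:5.1%})")
    for fqdn, n in top_refused(SAMPLE_FEED):
        print(f"{n:>10,} {fqdn}")
```

Anonymizing before aggregating (rather than after) is deliberate: the per-device hash labels would otherwise each count once and never clear the threshold, hiding the fact that one SDK is responsible for a whole block of REFUSEDs.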
The output from that process highlights a number of services and products that are still plugging away, apparently attempting repeatedly to connect to no-longer-available services. Particularly noteworthy are a number of names related to Kodi, the video player application. See the endnotes associated with many of the domain names below.

  201596  shadowsrepo.info.¹
  171567  dell-alive.singleclicksystems.com.²
  148688  dell-alive2.singleclicksystems.com.
  145870  dell-alive3.singleclicksystems.com.
  143957  dell-alive4.singleclicksystems.com.
   23070  isp.singleclicksystems.com.
   17395  alive.singleclicksystems.com.
   13978  alive3.singleclicksystems.com.
   13800  alive2.singleclicksystems.com.
  109554  pixel.fetchback.com.³
   10675  a2.fetchback.com.
   79235  akamai.hearst.tv.
   66384  aaarepo.xyz.⁴
   53239  www.economicnews.ca.⁵
   32320  [snip]6da8.sdk.testflightapp.com.⁶
   26156  sdk.testflightapp.com.
   25416  [snip]f6ee.sdk.testflightapp.com.
   21580  [snip]b840.sdk.testflightapp.com.
   20668  [snip]1037.sdk.testflightapp.com.
   19232  [snip]9b3f.sdk.testflightapp.com.
   14954  [snip]875c.sdk.testflightapp.com.
   11724  [snip]ab97.sdk.testflightapp.com.
   11106  [snip]fcec.sdk.testflightapp.com.
   10978  [snip]c71a.sdk.testflightapp.com.
   10784  [snip]49e5.sdk.testflightapp.com.
   10373  [snip]e9c0.sdk.testflightapp.com.
          [etc]
   27823  repo.gosub.dk.⁷
   24933  qdc-dns.qdx.com.
   19785  service.sellathon.com.⁸
   18139  apple.comscoreresearch.com.⁹
   12447  shadowcrew.info.¹⁰
          [remaining all less than 10,000 hits per label]
Next we'll take a look at the FQDNs most commonly returning SERVFAIL response codes.
SERVFAILs
When we look at SERVFAIL codes, we see a somewhat different pattern. Volumes per FQDN are lower, and many of the SERVFAIL response codes appear to be related to background autoconfiguration or infrastructure services such as ISATAP¹¹, WPAD¹², LDAP¹³, NLS¹⁴, etc. These may be symptomatic of corporate devices used outside the corporate intranet without a virtual private network (VPN) connection: the device keeps asking for its internal services by name, but the resolvers it can reach from outside cannot get an answer for those names.
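To turn that observation into a check, here is an added Python example (not Farsight's code) that classifies SERVFAIL names by the autoconfiguration service they are looking for and groups them by the zone each lookup was made in, so that a defender can see which intranets are being asked about from outside. The name patterns, the role labels and the sample names are assumptions constructed for the example, modelled on the names in this section's SERVFAIL list.

```python
import re
from collections import Counter, defaultdict

# Constructed SERVFAIL observations modelled on the article's list; not SIE data.
SERVFAIL_SAMPLE = [
    "isatap.wernerds.net.",
    "wpad.wernerds.net.",
    "wpad.ingdirect.com.",
    "_ldap._tcp.dc._msdcs.dmsinet.com.",
    "_ldap._tcp.US10012ODVPN._sites.dc._msdcs.na.odcorp.net.",
    "nls.datunnel.hpicorp.net.",
    "proxypac.na.odcorp.net.",
    "idcs.interclick.com.",
    "wpad.na.odcorp.net.",
]

# Leading labels that mark a host searching for its corporate network's
# autoconfiguration services (assumed patterns for the example). Each pattern
# captures the zone the lookup was made in; labels are anchored with a dot so
# that a name such as wpadtest.example. is not counted as WPAD.
LEAK_PATTERNS = [
    ("WPAD",   re.compile(r"^wpad\.(.+)$")),
    ("ISATAP", re.compile(r"^isatap\.(.+)$")),
    ("AD-SRV", re.compile(r"^_(?:ldap|kerberos|gc)\._tcp\.(?:.*\.)?_msdcs\.(.+)$")),
    ("NLS",    re.compile(r"^nls\.(.+)$")),
    ("PAC",    re.compile(r"^proxypac\.(.+)$")),
]


def classify(fqdn):
    """Return (role, zone) when fqdn looks like an autoconfiguration lookup,
    otherwise None. Matching is case-insensitive, as DNS names are."""
    name = fqdn.lower().rstrip(".") + "."
    for role, pattern in LEAK_PATTERNS:
        match = pattern.match(name)
        if match:
            return role, match.group(1)
    return None


def leak_report(names):
    """Count leaked lookups per zone and role, e.g.
    {"na.odcorp.net.": {"WPAD": 1, "AD-SRV": 1, "PAC": 1}, ...}."""
    report = defaultdict(Counter)
    for fqdn in names:
        hit = classify(fqdn)
        if hit:
            role, zone = hit
            report[zone][role] += 1
    return {zone: dict(roles) for zone, roles in report.items()}


if __name__ == "__main__":
    for zone, roles in sorted(leak_report(SERVFAIL_SAMPLE).items()):
        print(f"{zone:<28} {roles}")
```

A WPAD hit is the one to prioritize: a client that resolves wpad outside its intranet will fetch a proxy configuration from whichever host does answer, which is the class of exposure the article cited in endnote 12 is concerned with. The AD-SRV pattern keys on the _msdcs label so that site-specific lookups (the _sites form in the sample) land in the same zone as the plain _ldap._tcp.dc lookup.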
Other major SERVFAIL-related FQDNs are associated with companies that have been idle for many years, but which are still being queried by old, old applications. This is an excellent demonstration of why every Internet protocol should include a mechanism for declaring that a server is end-of-life and should no longer be queried. In the list that follows, note the leading labels (wpad, isatap, _ldap._tcp, nls, and so on) that indicate the likely role of those servers, and the base domains identified in the endnotes.

   99573  idcs.interclick.com.¹⁵
   69364  px.gs.interclick.com.
   45578  a1.interclick.com.
   11682  osmdcs.interclick.com.
    9334  3.g.interclick.com.
   70323  livedata.turner.com.¹⁶
   10167  isatap.wernerds.net.¹⁷
    2979  wpad.wernerds.net.
    1288  HQ-EPO02.wernerds.net.
    4461  wpad.ingdirect.com.
    4379  rmx.us.musichub.com.¹⁸
    4111  shorevoice.dmsinet.com.¹⁹
    3741  Dmsixutl.dmsinet.com.
    3692  DMSISVCS01.dmsinet.com.
    3265  wpad.dmsinet.com.
    1634  DMSIPRT1.dmsinet.com.
    3164  akrprt01.eng-prod.com.²⁰
    1210  _ldap._tcp.dc._msdcs.dmsinet.com.
    3055  isatap.auth.hpicorp.net.²¹
    2977  nls.datunnel.hpicorp.net.
    1931  radiacm.glb.itcs.hpecorp.net.²²
    2807  wpad.na.odcorp.net.²³
    1569  _ldap._tcp.US10012ODVPN._sites.dc._msdcs.na.odcorp.net.
    1225  proxypac.na.odcorp.net.
    1171  USCHCORPAV01.na.odcorp.net.
    2618  wpad.oai.olympusglobal.com.²⁴
    1033  _ldap._tcp.dc._msdcs.OAI.OLYMPUSGLOBAL.com.
    2581  wpad.global.bcecorp.net.²⁵
    2093  wpad.vnuusa.org.²⁶
          [remaining all less than 2000 hits per label]
Conclusion
You've now gotten a brief taste of some of the error codes that SIE users see on the SIE DNS Errors Channel. In an article this brief we could only scratch the surface of what's in the DNS Errors Channel, but there's lots more there, including information potentially related to your users and your domains. Isn't it worth knowing what's happening when it comes to YOUR domains? Or perhaps you're a graduate student looking for a potentially fascinating thesis or dissertation topic?
If you’re interested in exploring the DNS Errors Channel in more detail, please contact Farsight Sales at [email protected] or complete the web form at https://www.farsightsecurity.com/order-services/
Endnotes
¹ https://www.youtube.com/watch?v=WLUz4E21A3Q
Not familiar with Kodi? See https://en.wikipedia.org/wiki/Kodi_%28software%29 See also: https://torrentfreak.com/when-piracy-gets-too-easy-expect-a-big-response-150620/ and http://cordcuttersnews.com/comcast-starts-issuing-copyright-infringement-notices-to-kodi-users/
² “SingleClick Systems CEO draws five-year prison sentence for scamming investors,” http://www.zdnet.com/article/singleclick-systems-ceo-draws-five-year-prison-sentence-for-scamming-investors/
³ https://www.crunchbase.com/organization/fetchback#/entity says “Status: Acquired by GSI Commerce on June 1, 2010” Following the link to GSI Commerce, https://www.crunchbase.com/organization/gsi-commerce#/entity “Status: Acquired by eBay on June 20, 2011”
⁴ Another Kodi-related domain, apparently, see https://www.facebook.com/permalink.php?story_fbid=1624231054458594&id=1417695461778822
⁵ See http://archive.is/www.economicnews.ca and http://www.alexa.com/siteinfo/economicnews.ca
⁶ "TestFlightApp.com is Going to Shut Down Next Month," Jan 28, 2015, http://www.infoq.com/news/2015/01/testflightapp-shuts-down
⁷ Apparently another Kodi-related site, see http://xbian.org/forum/thread-448.html
⁸ Apparently a product of Auctiva, see https://en.m.wikipedia.org/wiki/Auctiva
⁹ See https://en.wikipedia.org/wiki/ComScore
¹⁰ Apparently another Kodi-related site, see: http://kodim3u.com/tag/shadowcrew-httpshadowcrew-infoshadows/
¹¹ https://en.wikipedia.org/wiki/ISATAP
¹² https://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol See also “Finding Web Proxy Auto Discovery Protocol (WPAD)-related Security Exposures Using Farsight Security’s NXDOMAINs Channel“
¹³ “SRV Resource Records,” https://technet.microsoft.com/en-us/library/cc961719.aspx
¹⁴ “Network Location Server,” https://technet.microsoft.com/en-us/library/gg315317.aspx
¹⁵ https://www.crunchbase.com/organization/interclick#/entity says “Acquired by Yahoo! on November 1, 2011”
¹⁶ While livedata.turner.com generated SERVFAILs at one or more locations covered by a Farsight sensor at the time this data was collected, when tested from a reference host as part of investigating these domains, the name resolves and the web site returns a 1×1 pixel image, presumably used for tracking-related purposes:

    $ dig livedata.turner.com
    [snip]
    livedata.turner.com.    60  IN  A  157.166.249.67
    livedata.turner.com.    60  IN  A  157.166.239.38
    livedata.turner.com.    60  IN  A  157.166.238.237
    livedata.turner.com.    60  IN  A  157.166.248.175

The SERVFAILs may have been temporary, or associated with an attempt at blocking trackers.
¹⁷ And the domain? wernerds=We-R-Nerds
¹⁸ http://www.androidcentral.com/samsung-shutting-music-hub-working-replacement-service
¹⁹ Domain appears to have ceased being used in 2008, see https://web.archive.org/web/*/http://dmsinet.com
²⁰ Domain appears to have ceased being used in 2005, see https://web.archive.org/web/*/eng-prod.com
²¹ HP Inc.
²² Also HP Inc.
²³ Office Depot Corporation
²⁴ Olympus America, Inc.
²⁵ Beckman Coulter, Inc.
²⁶ Nielsen Company
Joe St Sauver, Ph.D. is a Scientist with Farsight Security, Inc.