Strange DNS info


#1

Hi,

I have a Peplink Balance 580 that I use as my edge router for my network. It is configured with two WAN connections. I have recently been working with a cybersecurity firm which is analyzing my outbound traffic. They are doing this by capturing my DNS traffic. I have configured the outbound DNS resolution under both my WAN connections (Network>>>WAN>>>Connection Name>>>Static IP Settings>>>DNS servers) to use the cybersecurity firms DNS server as the secondary DNS server.
The problem is that when they analyzed the traffic after a day, it came back with very odd results:

08-Feb-2017 02:17:35.898 client www.xxx.yyy.zzz#8080 (1804289383.localhost): query: 1804289383.localhost IN A + (192.168.17.198)

It always shows that 192.168.17.198 as the last number, never showing what the queried web address/IP is. Can someone explain this?


#2

My guess is that the 1804… is your telephone line associated with one of your WANS. The IP address is most likely your internal Natted IP. Www.xxx.yyy.zzz is probably the name server that filled the request.

If they are listed as your secondary DNS, they are only getting traffic when a client specifically uses it. Most clients are only going to use the secondary DNS if the primary is unresponsive.

You can also set up a syslog server and log DNS queries/responses for the entire network.

Hope this helps.


#3

Thanks for your reply. I wish someone from Peplink would monitor these boards and answer questions about their devices. Unfortunately, these logs are unintelligible. I have 192.168.17.198 network in my environment. I have no such IP configured on the Peplink. The 1 804 289 383 isn’t a phone number. We have enterprise grade WAN connections. No phone # associated with them as far as I know. I will dig further. Thanks for your response, though!


#4

I did a quick search and found this http://forum.modrewrite.com/viewtopic.php?t=942&sid=17dfcdedbefc9e30564ec56d4e42d478

Do you have an Apache web server by chance? Does the security firm?

Since the logs came from the security firm, they would be the ones to provide an explanation of the log formatting (what fields are what). Are there any “typical” results that you can compare this result to? My guess is that some kind of rewrite led to an unresolvable hostname. That is what triggered the request to go out your secondary DNS channel. Have you tried reversing your DNS servers so that the security firm goes first in the list? It could also be your ISP doing some redirection for DNS traffic.

Hope this helps. I would suggest opening a ticket if the forum doesn’t give you the answers you are looking for. My guess is that the Peplink folks would want to use RA and have you try to recreate the issue so they can grab a diagnostic report.


#5

Since you have opened ticket, we will check and follow up there.