Farsight TXT Record

What (Besides NXDOMAINs) Do We See on Farsight Security's DNS Errors Channel?

Published on: Feb 5, 2016

Introduction

When a DNS query gets made, the Domain Name System returns a response code as part of its response. Those response codes can be zero (indicating that NOERROR occurred), or non-zero (indicating that a problem of some sort occurred).

The most common error code, and the one that most people typically are interested in, is NXDOMAIN, or “this domain does not exist.” On a typical day, 1/2 or more of all DNS Errors are NXDOMAINs.

NXDOMAINs are so common (and so interesting to our customers!) that Farsight has even created a special Security Information Exchange (SIE) channel devoted exclusively to efficiently sharing NXDOMAIN traffic, Channel 221. However, NXDOMAIN responses are not the only sort of error responses we see, and this article is NOT about NXDOMAINs and Channel 221. This article is instead about all the other DNS response codes, as shared in detail on Security Information Exchange Channel 220, Farsight’s “DNS Errors” channel.

Looking at 10 million observations drawn from Channel 220 in late January 2016, we saw a distribution of non-zero response codes that looked like:

4,899,244 NXDOMAIN (49.0%)
3,956,941 REFUSED (39.6%)
1,092,162 SERVFAIL (10.9%)
31,247 FORMERR (0.3%)
20,295 NOTIMP (0.2%)
63 NOTAUTH (<0.1%)
43 NXRRSET (<0.1%)
5 {UNKNOWN} (<0.1%)

Clearly, once you get past NXDOMAINs, most of what we see in the way of DNS Errors consists of just two response codes: REFUSEDs and SERVFAILs. (We will not consider the remaining obscure/infrequently seen response codes in this article.)

REFUSEDs

Some DNS servers may be configured to only return an answer for a given zone for select query sources. For example, queries for an intranet-only domain might only be answered IF those queries originate from within that intranet, getting REFUSED if originating from anywhere else.

If we drill down and look at the domains associated with a big batch of REFUSEDs, we can find domain names that are generating a disproportionate number of REFUSED errors. In this case, when we look at a sample of 10,000,000 observations from Channel 220, there were 188,191 different REFUSED FQDNs seen. The set of unique REFUSED FQDN observations were then processed by:

  • Sorting and aggregating by FQDNs
  • Sorting (in descending order by count, with an arbitrary threshold of 10,000 observations) per aggregated FQDN
  • Clumping related FQDNs together
  • Excluding hits for in-addr.arpa
  • Anonymizing the hash values of the hits seen for testflightapp.com
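The five processing steps above can be reproduced in a few dozen lines. The following is an added example, not Farsight's own tooling: it runs the same pipeline (count the response codes, aggregate REFUSED hits by FQDN, drop in-addr.arpa, redact the hex hash labels under sdk.testflightapp.com, clump by base domain, and apply a minimum-count threshold) over a small constructed list of (rcode, fqdn) observations. The sample counts are made up for illustration, and the "clumping" key is simply the last two labels of the name, which is an assumption that a real pipeline would replace with a Public Suffix List lookup.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of (rcode, fqdn) observations in the spirit of Channel 220
# data. The names echo the article's listing; the counts are invented.
SAMPLE_OBSERVATIONS = [
    ("REFUSED", "dell-alive.singleclicksystems.com."),
    ("REFUSED", "dell-alive.singleclicksystems.com."),
    ("REFUSED", "dell-alive2.singleclicksystems.com."),
    ("REFUSED", "deadbeef6da8.sdk.testflightapp.com."),
    ("REFUSED", "deadbeef6da8.sdk.testflightapp.com."),
    ("REFUSED", "c0ffee00f6ee.sdk.testflightapp.com."),
    ("REFUSED", "sdk.testflightapp.com."),
    ("REFUSED", "4.3.2.1.in-addr.arpa."),
    ("REFUSED", "shadowsrepo.info."),
    ("SERVFAIL", "wpad.example.net."),
    ("NXDOMAIN", "nonexistent.example."),
]

# Hex labels of 8+ characters are treated as per-app hash values (assumption).
HEX_LABEL = re.compile(r"^[0-9a-f]{8,}$")


def rcode_distribution(observations):
    """Count response codes, as in the table of 10 million observations."""
    return Counter(rcode for rcode, _ in observations)


def base_domain(fqdn):
    """Crude clumping key: the last two labels of the name. A real pipeline
    would use the Public Suffix List so that e.g. co.uk is not a base domain."""
    labels = fqdn.rstrip(".").split(".")
    return ".".join(labels[-2:])


def anonymize(fqdn):
    """Replace a leading hex hash label under sdk.testflightapp.com with
    '[snip]' plus its last four characters, mirroring the article's redaction."""
    labels = fqdn.rstrip(".").split(".")
    if fqdn.endswith("sdk.testflightapp.com.") and HEX_LABEL.match(labels[0]):
        labels[0] = "[snip]" + labels[0][-4:]
    return ".".join(labels) + "."


def top_refused(observations, threshold=10_000):
    """Aggregate REFUSED FQDNs, exclude in-addr.arpa, anonymize, keep names at
    or above `threshold` hits, clump by base domain, and order the clumps by
    their largest member's count (descending)."""
    counts = Counter()
    for rcode, fqdn in observations:
        if rcode != "REFUSED" or fqdn.endswith(".in-addr.arpa."):
            continue
        counts[anonymize(fqdn)] += 1

    clumps = defaultdict(list)
    for fqdn, n in counts.items():
        if n >= threshold:
            clumps[base_domain(fqdn)].append((n, fqdn))

    result = []
    for key, members in clumps.items():
        members.sort(key=lambda m: m[0], reverse=True)
        result.append((key, members))
    result.sort(key=lambda kv: kv[1][0][0], reverse=True)
    return result


if __name__ == "__main__":
    for rcode, n in rcode_distribution(SAMPLE_OBSERVATIONS).most_common():
        print(f"{n:>4} {rcode}")
    print()
    # The sample is tiny, so a threshold of 2 stands in for the article's 10,000.
    for key, members in top_refused(SAMPLE_OBSERVATIONS, threshold=2):
        for n, fqdn in members:
            print(f"{n:>4} {fqdn}")
        print()
```

Run with a real export, the per-clump output is what lets you spot a product that is still phoning home to a dead service: every FQDN in the clump shares one base domain, and the highest-count member tells you which host name the lingering clients are hammering.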

The output from that process highlights a number of services/products that are plugging away, apparently attempting to repeatedly connect to no-longer-available services. Particularly noteworthy are a number of names related to Kodi, the video player application. See the footnotes associated with many of the domain names below.

201596 shadowsrepo.info.¹

171567 dell-alive.singleclicksystems.com.²
148688 dell-alive2.singleclicksystems.com.
145870 dell-alive3.singleclicksystems.com.
143957 dell-alive4.singleclicksystems.com.
23070 isp.singleclicksystems.com.
17395 alive.singleclicksystems.com.
13978 alive3.singleclicksystems.com.
13800 alive2.singleclicksystems.com.

109554 pixel.fetchback.com.³
10675 a2.fetchback.com.

79235 akamai.hearst.tv.

66384 aaarepo.xyz.⁴

53239 www.economicnews.ca.⁵

32320 [snip]6da8.sdk.testflightapp.com.⁶
26156 sdk.testflightapp.com.
25416 [snip]f6ee.sdk.testflightapp.com.
21580 [snip]b840.sdk.testflightapp.com.
20668 [snip]1037.sdk.testflightapp.com.
19232 [snip]9b3f.sdk.testflightapp.com.
14954 [snip]875c.sdk.testflightapp.com.
11724 [snip]ab97.sdk.testflightapp.com.
11106 [snip]fcec.sdk.testflightapp.com.
10978 [snip]c71a.sdk.testflightapp.com.
10784 [snip]49e5.sdk.testflightapp.com.
10373 [snip]e9c0.sdk.testflightapp.com.
[etc]

27823 repo.gosub.dk.⁷

24933 qdc-dns.qdx.com.

19785 service.sellathon.com.⁸

18139 apple.comscoreresearch.com.⁹

12447 shadowcrew.info.¹⁰

[remaining all less than 10,000 hits per label]

Next we’ll take a look at the FQDNs most commonly returning SERVFAIL response codes.

SERVFAILs

When we look at SERVFAIL codes, we see a somewhat different pattern. Volumes per FQDN are lower, and many of the SERVFAIL response codes appear to be related to background-running autoconfiguration- or infrastructure-related services such as ISATAP¹¹, WPAD¹², LDAP¹³, NLS¹⁴, etc. These may be symptomatic of corporate devices used outside the corporate intranet without a virtual private network (VPN) solution.

Other major SERVFAIL-related FQDNs are associated with companies that are many-years-idle, but which are still being queried by old, old applications. This is an excellent demonstration of why every Internet protocol should include a mechanism for declaring that a server is end-of-life and should no longer be queried. Selected text in the following FQDNs is bolded to highlight the likely role of those servers or the base domain involved.
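A defender reviewing this channel mostly wants to know which of their own corporate names are being looked up from outside the intranet. The following added example (not Farsight's code) does that classification over a constructed list of SERVFAIL FQDNs modelled on the listing below: it tags names that only make sense inside a corporate network (ISATAP, WPAD, proxy PAC hosts, the _ldap._tcp/_msdcs SRV names that Active Directory clients query, and NLS) and rolls the tags up per base domain. The pattern list and the two-label base-domain key are assumptions for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of SERVFAIL FQDNs, patterned on the names in the article.
SAMPLE_SERVFAIL_FQDNS = [
    "isatap.wernerds.net.",
    "wpad.wernerds.net.",
    "HQ-EPO02.wernerds.net.",
    "_ldap._tcp.dc._msdcs.dmsinet.com.",
    "wpad.dmsinet.com.",
    "nls.datunnel.hpicorp.net.",
    "proxypac.na.odcorp.net.",
    "_ldap._tcp.US10012ODVPN._sites.dc._msdcs.na.odcorp.net.",
    "livedata.turner.com.",
]

# Name shapes that are characteristic of intranet autoconfiguration lookups.
# Each pattern is applied to the lowercased FQDN (assumed list; extend as needed).
AUTOCONFIG_PATTERNS = [
    ("isatap", re.compile(r"^isatap\.")),            # IPv6 transition tunnel router
    ("wpad", re.compile(r"^wpad\.")),                # Web Proxy Auto-Discovery host
    ("proxy-pac", re.compile(r"^proxypac\.")),       # proxy PAC file server
    ("ad-srv", re.compile(r"^_ldap\._tcp\..*_msdcs\.")),  # AD domain-controller SRV
    ("nls", re.compile(r"^nls\.")),                  # DirectAccess Network Location Server
]


def classify(fqdn):
    """Return the autoconfiguration category a name matches, or None."""
    name = fqdn.lower()
    for label, pattern in AUTOCONFIG_PATTERNS:
        if pattern.search(name):
            return label
    return None


def base_domain(fqdn):
    """Last two labels of the name (assumption; use the Public Suffix List in
    production so that names under e.g. co.uk are grouped correctly)."""
    labels = fqdn.rstrip(".").split(".")
    return ".".join(labels[-2:])


def leaking_domains(fqdns):
    """Map each base domain to a Counter of autoconfiguration categories seen
    in SERVFAIL traffic, i.e. which organisations appear to have devices doing
    intranet-only lookups from outside the intranet."""
    per_domain = defaultdict(Counter)
    for fqdn in fqdns:
        category = classify(fqdn)
        if category is not None:
            per_domain[base_domain(fqdn)][category] += 1
    return per_domain


if __name__ == "__main__":
    for domain, categories in sorted(leaking_domains(SAMPLE_SERVFAIL_FQDNS).items()):
        summary = ", ".join(f"{c}={n}" for c, n in sorted(categories.items()))
        print(f"{domain}: {summary}")
```

Names such as HQ-EPO02 or livedata are deliberately left unclassified: a plain host name under a corporate domain is ambiguous, whereas a WPAD or _msdcs lookup escaping the intranet is a strong sign of a device running off-VPN, which is the condition the paragraph above describes and the one worth alerting on for your own domains.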

99573 idcs.interclick.com.¹⁵
69364 px.gs.interclick.com.
45578 a1.interclick.com.
11682 osmdcs.interclick.com.
9334 3.g.interclick.com.

70323 livedata.turner.com.¹⁶

10167 isatap.wernerds.net.¹⁷
2979 wpad.wernerds.net.
1288 HQ-EPO02.wernerds.net.

4461 wpad.ingdirect.com.

4379 rmx.us.musichub.com.¹⁸

4111 shorevoice.dmsinet.com.¹⁹
3741 Dmsixutl.dmsinet.com.
3692 DMSISVCS01.dmsinet.com.
3265 wpad.dmsinet.com.
1634 DMSIPRT1.dmsinet.com.
3164 akrprt01.eng-prod.com.²⁰
1210 _ldap._tcp.dc._msdcs.dmsinet.com.

3055 isatap.auth.hpicorp.net.²¹
2977 nls.datunnel.hpicorp.net.
1931 radiacm.glb.itcs.hpecorp.net.²²

2807 wpad.na.odcorp.net.²³
1569 _ldap._tcp.US10012ODVPN._sites.dc._msdcs.na.odcorp.net.
1225 proxypac.na.odcorp.net.
1171 USCHCORPAV01.na.odcorp.net.

2618 wpad.oai.olympusglobal.com.²⁴
1033 _ldap._tcp.dc._msdcs.OAI.OLYMPUSGLOBAL.com.

2581 wpad.global.bcecorp.net.²⁵

2093 wpad.vnuusa.org.²⁶

[remaining all less than 2000 hits per label]

Conclusion

You’ve now gotten a brief taste of some of the error codes that SIE users see from the SIE DNS Errors Channel. In an article this brief, we were only able to scratch the surface of what’s in the DNS Errors Channel, but there’s lots more there, including information potentially related to your users and your domains. Isn’t it worth knowing what’s happening when it comes to YOUR domains? Or perhaps you’re a grad student researcher looking for a potentially fascinating thesis or dissertation topic?

If you’re interested in exploring the DNS Errors Channel in more detail, please contact Farsight Sales at [email protected] or complete the web form at https://www.farsightsecurity.com/order-services/

Endnotes

¹ https://www.youtube.com/watch?v=WLUz4E21A3Q

Not familiar with Kodi? See https://en.wikipedia.org/wiki/Kodi_%28software%29 See also: https://torrentfreak.com/when-piracy-gets-too-easy-expect-a-big-response-150620/ and http://cordcuttersnews.com/comcast-starts-issuing-copyright-infringement-notices-to-kodi-users/

² “SingleClick Systems CEO draws five-year prison sentence for scamming investors,” http://www.zdnet.com/article/singleclick-systems-ceo-draws-five-year-prison-sentence-for-scamming-investors/

³ https://www.crunchbase.com/organization/fetchback#/entity says “Status: Acquired by GSI Commerce on June 1, 2010.” Following the link to GSI Commerce, https://www.crunchbase.com/organization/gsi-commerce#/entity says “Status: Acquired by eBay on June 20, 2011.”

⁴ Another Kodi-related domain, apparently, see https://www.facebook.com/permalink.php?story_fbid=1624231054458594&id=1417695461778822

⁵ See http://archive.is/www.economicnews.ca and http://www.alexa.com/siteinfo/economicnews.ca

⁶ “TestFlightApp.com is Going to Shut Down Next Month,” Jan 28, 2015, http://www.infoq.com/news/2015/01/testflightapp-shuts-down

⁷ Apparently another Kodi-related site, see http://xbian.org/forum/thread-448.html

⁸ Apparently a product of Auctiva, see https://en.m.wikipedia.org/wiki/Auctiva

⁹ See https://en.wikipedia.org/wiki/ComScore

¹⁰ Apparently another Kodi-related site, see: http://kodim3u.com/tag/shadowcrew-httpshadowcrew-infoshadows/

¹¹ https://en.wikipedia.org/wiki/ISATAP

¹² https://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol See also “Finding Web Proxy Auto Discovery Protocol (WPAD)-related Security Exposures Using Farsight Security’s NXDOMAINs Channel”

¹³ “SRV Resource Records,” https://technet.microsoft.com/en-us/library/cc961719.aspx

¹⁴ “Network Location Server,” https://technet.microsoft.com/en-us/library/gg315317.aspx

¹⁵ https://www.crunchbase.com/organization/interclick#/entity says “Acquired by Yahoo! on November 1, 2011”

¹⁶ While livedata.turner.com generated SERVFAILs at one or more locations covered by a Farsight sensor at the time this data was collected, when tested from a reference host as part of investigating these domains, the host resolves and the web site returns a 1×1 pixel image, presumably used for tracking-related purposes:

$ dig livedata.turner.com
[snip]
livedata.turner.com. 60 IN A 157.166.249.67
livedata.turner.com. 60 IN A 157.166.239.38
livedata.turner.com. 60 IN A 157.166.238.237
livedata.turner.com. 60 IN A 157.166.248.175

The SERVFAILs may have been temporary, or associated with an attempt at blocking trackers.

¹⁷ And the domain? wernerds = We-R-Nerds

¹⁸ http://www.androidcentral.com/samsung-shutting-music-hub-working-replacement-service

¹⁹ Domain appears to have ceased being used in 2008, see https://web.archive.org/web/*/http://dmsinet.com

²⁰ Domain appears to have ceased being used in 2005, see https://web.archive.org/web/*/eng-prod.com

²¹ HP, Inc

²² Also HP, Inc.

²³ Office Depot Corporation

²⁴ Olympus America, Inc

²⁵ Beckman Coulter Inc

²⁶ Nielsen Company

Joe St Sauver, Ph.D. is a Scientist with Farsight Security, Inc.