DNS Fast Fluxing Botnet Question

@mwade, Trusted Member (joined 18 years ago, 77 posts), topic starter

Hello,

I have a Wireshark packet sniffer log and I am interested in the DNS entries listed. When I look at the response to system A (requestor) from the DNS server, in the answer section I get several responses, in two sections. See below. My questions are below as well.

-Answers
1. + abcd.1234.com type CNAME Class IN, cname 1234.com
2. + 1234.com type A, Class IN, addr xxx.xxx.xxx.11
3. + 1234.com type A, Class IN, addr xxx.xxx.xxx.22
4. + 1234.com type A, Class IN, addr xxx.xxx.xxx.33
5. + 1234.com type A, Class IN, addr xxx.xxx.xxx.33
6. + 1234.com type A, Class IN, addr xxx.xxx.xxx.33

-Authoritative nameservers
7. + 1234.com type NS, Class IN, ns ns2.[the registered ns].com
8. + 1234.com type NS, Class IN, ns ns1.[the registered ns].com
9. + 1234.com type NS, Class IN, ns ns3.[the registered ns].com

Please correct me if I am wrong. The #1 entry lists the alias that points to the correct cname. When I expand 2-6 I get the below, all with different Addr. Is the TTL saying that the cname is only valid for 3 minutes? The last question I have is listed below.

Name 1234.com
Type A (host address)
Class IN (0x0001)
Time to Live 3 minutes
Data length 4
Addr xxx.xxx.xxx.95

From what I am gathering, the hostname 1234.com is directed to the IPs listed in 2-6 above, which I believe is part of a fast fluxing botnet. What I don't understand then is how the Authoritative name server comes into play. I know that the [registered ns].com is what is listed under whois info. In the very end, when you type abcd.1234.com into a web browser you actually get sent to a completely different site registered by another person. So 1234.com redirects all traffic to the site that actually ends up in your web browser, 9876.com.

Thanks in advance for your help.

mark
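The analysis the post is working towards (follow the CNAME to the canonical name, count the distinct A records behind it, check the TTL, and compare the address pool across two lookups) can be scripted. The following is an added example, not code from the post or from Wireshark; the record layout mirrors the answer section above, but the names (1234.com, ns1.registered-ns.example), the 203.0.113.0/24 addresses, the second snapshot and the thresholds are all constructed for illustration.

```python
"""Heuristic fast-flux indicators from parsed DNS answer records.

Added example (not from the forum post or any tool the poster used).
Names, addresses, the second snapshot and the thresholds are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str    # owner name, e.g. "1234.com"
    rtype: str   # "A", "CNAME" or "NS"
    ttl: int     # time to live in seconds (the post's "3 minutes" is 180)
    data: str    # address, canonical name or nameserver host


# Constructed snapshot mirroring the layout of the post's answer section.
SNAPSHOT_1 = [
    Record("abcd.1234.com", "CNAME", 180, "1234.com"),
    Record("1234.com", "A", 180, "203.0.113.11"),
    Record("1234.com", "A", 180, "203.0.113.22"),
    Record("1234.com", "A", 180, "203.0.113.33"),
    Record("1234.com", "A", 180, "203.0.113.44"),
    Record("1234.com", "A", 180, "203.0.113.95"),
    Record("1234.com", "NS", 86400, "ns1.registered-ns.example"),
    Record("1234.com", "NS", 86400, "ns2.registered-ns.example"),
    Record("1234.com", "NS", 86400, "ns3.registered-ns.example"),
]

# Constructed second snapshot, as if queried again after the 180 s TTL expired.
SNAPSHOT_2 = [
    Record("abcd.1234.com", "CNAME", 180, "1234.com"),
    Record("1234.com", "A", 180, "203.0.113.22"),
    Record("1234.com", "A", 180, "203.0.113.101"),
    Record("1234.com", "A", 180, "203.0.113.102"),
    Record("1234.com", "A", 180, "203.0.113.103"),
    Record("1234.com", "A", 180, "203.0.113.104"),
]


def resolve_cname_chain(records, name, max_depth=8):
    """Follow CNAME records from `name` to the final canonical name.

    Stops on a loop or after max_depth hops so a malformed or malicious
    chain cannot spin the analyser forever.
    """
    seen = set()
    current = name
    while current not in seen and len(seen) < max_depth:
        seen.add(current)
        target = next((r.data for r in records
                       if r.rtype == "CNAME" and r.name == current), None)
        if target is None:
            break
        current = target
    return current


def a_records_for(records, name):
    """Return (set of distinct addresses, lowest TTL) for the A records of `name`."""
    a_recs = [r for r in records if r.rtype == "A" and r.name == name]
    addrs = {r.data for r in a_recs}          # repeated addresses collapse here
    min_ttl = min((r.ttl for r in a_recs), default=None)
    return addrs, min_ttl


def fast_flux_indicators(records, queried_name, min_addrs=5, max_ttl=300):
    """Score one answer set. The thresholds are assumptions for illustration."""
    canonical = resolve_cname_chain(records, queried_name)
    addrs, min_ttl = a_records_for(records, canonical)
    hits = []
    if len(addrs) >= min_addrs:
        hits.append("many_distinct_a_records")
    if min_ttl is not None and min_ttl <= max_ttl:
        hits.append("short_ttl")
    return {"canonical": canonical, "addresses": sorted(addrs),
            "min_ttl": min_ttl, "indicators": hits}


def address_churn(records_before, records_after, name):
    """Fraction of addresses in the later snapshot that were absent earlier.

    A legitimately load-balanced name tends to keep returning the same pool;
    a fluxing name rotates most of it between TTL expiries.
    """
    before, _ = a_records_for(records_before, name)
    after, _ = a_records_for(records_after, name)
    if not after:
        return 0.0
    return len(after - before) / len(after)


if __name__ == "__main__":
    report = fast_flux_indicators(SNAPSHOT_1, "abcd.1234.com")
    print(report)
    print("churn between snapshots:",
          address_churn(SNAPSHOT_1, SNAPSHOT_2, report["canonical"]))
```

A single answer with many A records and a short TTL is only suggestive, since CDNs and round-robin setups look similar; the churn between two lookups spaced one TTL apart is the stronger signal, which is why the example keeps the two checks separate. The NS records are carried along because the authoritative servers named there are the ones that hand out each new address set, so a fluxing domain's NS hosts (and their own TTLs) are worth recording alongside the A records.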
