What (Besides NXDOMAINs) Do We See on Farsight Security's DNS Errors Channel?



Introduction

When a DNS query gets made, the Domain Name System returns a response code as part of its response. Those response codes can be zero (indicating that NOERROR occurred), or non-zero (indicating that a problem of some sort occurred).

The most common error code, and the one that most people typically are interested in, is NXDOMAIN, or “this domain does not exist.” On a typical day, 1/2 or more of all DNS Errors are NXDOMAINs. NXDOMAINs are so common (and so interesting to our customers!) that Farsight has even created a special Security Information Exchange (SIE) channel devoted exclusively to efficiently sharing NXDOMAIN traffic, Channel 221. However, NXDOMAIN responses are not the only sort of error response we see, and this article is NOT about NXDOMAINs and Channel 221. This article is instead about all the other DNS response codes, as shared in detail on Security Information Exchange Channel 220, Farsight’s “DNS Errors” channel.

Looking at 10 million observations drawn from Channel 220 in late January 2016, we saw a distribution of non-zero response codes that looked like:

    4,899,244 NXDOMAIN    (49.0%)
    3,956,941 REFUSED     (39.6%)
    1,092,162 SERVFAIL    (10.9%)
       31,247 FORMERR      (0.3%)
       20,295 NOTIMP       (0.2%)
           63 NOTAUTH     (<0.1%)
           43 NXRRSET     (<0.1%)
            5 {UNKNOWN}   (<0.1%)

Clearly, once you get past NXDOMAINs, most of what we see in the way of DNS Errors consists of just two response codes: REFUSEDs, and SERVFAILs. (We will not consider the remaining obscure/infrequently seen response codes in this article).
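As an added illustration (not code from the original post), the Python below decodes the RCODE from the 12-byte DNS header and tallies a constructed set of responses into the same count/percentage table shown above. The packets are built locally by `build_response`, a helper written for this example; the RCODE names follow the IANA registry.

```python
import struct
from collections import Counter

# RCODE names as registered with IANA (RFC 1035, RFC 2136, RFC 2845).
# Only the low 4 bits live in the header; with EDNS(0) the OPT record
# carries 8 more bits (e.g. BADVERS = 16), which this example does not parse.
RCODE_NAMES = {
    0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP",
    5: "REFUSED", 6: "YXDOMAIN", 7: "YXRRSET", 8: "NXRRSET", 9: "NOTAUTH",
    10: "NOTZONE",
}

def rcode_name(rcode):
    """Map a numeric RCODE to its mnemonic; unassigned values show as {UNKNOWN}."""
    return RCODE_NAMES.get(rcode, "{UNKNOWN}")

def parse_header(packet):
    """Decode the 12-byte DNS header (RFC 1035 section 4.1.1)."""
    if len(packet) < 12:
        raise ValueError("packet shorter than a DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": ident,
        "qr": (flags >> 15) & 1,       # 1 = response
        "opcode": (flags >> 11) & 0xF,
        "aa": (flags >> 10) & 1,
        "tc": (flags >> 9) & 1,
        "rd": (flags >> 8) & 1,
        "ra": (flags >> 7) & 1,
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }

def encode_name(qname):
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_response(ident, rcode, qname):
    """Constructed sample: a response with QR/RD/RA set, one question, no answers."""
    flags = (1 << 15) | (1 << 8) | (1 << 7) | (rcode & 0xF)
    header = struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    return header + question

def rcode_of(packet):
    """Name of the RCODE carried in a response packet."""
    return rcode_name(parse_header(packet)["rcode"])

def tally_rcodes(packets):
    """Count RCODEs across raw response packets and return
    [(name, count, percent)] in descending order, like the table above."""
    counts = Counter(rcode_of(p) for p in packets)
    total = sum(counts.values())
    return [(name, n, round(100.0 * n / total, 1)) for name, n in counts.most_common()]

if __name__ == "__main__":
    # Constructed mix: 2 NXDOMAIN, 1 REFUSED, 1 SERVFAIL
    sample = ([build_response(1, 3, "a.example.")] * 2
              + [build_response(2, 5, "b.example."), build_response(3, 2, "c.example.")])
    for name, n, pct in tally_rcodes(sample):
        print(f"{n:>4} {name:<10} ({pct}%)")
```

A passive-DNS sensor sees exactly this header on every response, so the tally is the same computation the channel's distribution comes from; the caveat is that an RCODE of 0 in the header can still be part of an extended (EDNS) error code, so a production tool also has to inspect the OPT record.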

REFUSEDs

Some DNS servers may be configured to only return an answer for a given zone for select query sources. For example, queries for an intranet-only domain might only be answered IF those queries originate from within that intranet, getting REFUSED if originating from anywhere else.

If we drill down and look at the domains associated with a big batch of REFUSEDs, we can find domain names that are generating a disproportionate number of REFUSED errors. In this case, when we look at a sample of 10,000,000 observations from Channel 220, there were 188,191 different REFUSED FQDNs seen. The set of unique REFUSED FQDN observations was then processed by:

  • Sorting and aggregating by FQDNs
  • Sorting (in descending order by count, with an arbitrary threshold of 10,000 observations) per aggregated FQDN
  • Clumping related FQDNs together
  • Excluding hits for in-addr.arpa
  • Anonymizing the hash values of the hits seen for testflightapp.com
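The five steps above as one runnable pipeline, added here as an example and not Farsight's own tooling. It works over constructed "<RCODE> <FQDN>" lines (the counts are made up; the threshold is lowered from 10,000 to 3 so the tiny sample survives). "Clumping" is approximated by grouping on the last two labels, a simplification: a real pipeline would use the Public Suffix List so that names under suffixes like co.uk group correctly. The `[snip]` anonymization mirrors the way the testflightapp.com labels are shown in the listing that follows.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of Channel 220-style observations: "<RCODE> <FQDN>".
_SAMPLE_COUNTS = [
    ("REFUSED", "shadowsrepo.info.", 6),
    ("REFUSED", "dell-alive.singleclicksystems.com.", 5),
    ("REFUSED", "dell-alive2.singleclicksystems.com.", 4),
    ("REFUSED", "deadbeef6da8.sdk.testflightapp.com.", 4),   # made-up hex label
    ("REFUSED", "sdk.testflightapp.com.", 3),
    ("REFUSED", "4.3.2.1.in-addr.arpa.", 7),                 # dropped by the in-addr.arpa filter
    ("REFUSED", "rare.example.", 1),                         # below the threshold
    ("SERVFAIL", "idcs.interclick.com.", 9),                 # different RCODE, ignored here
]
SAMPLE_LINES = [f"{rc} {name}" for rc, name, n in _SAMPLE_COUNTS for _ in range(n)]

HEX_LABEL = re.compile(r"^[0-9a-f]{8,}$")

def parse_line(line):
    """Split one observation into (rcode, fqdn); DNS names are case-insensitive."""
    rcode, fqdn = line.split(None, 1)
    return rcode, fqdn.strip().lower()

def anonymize(fqdn):
    """Replace a long hex label under sdk.testflightapp.com with '[snip]' + its last 4 chars."""
    labels = fqdn.split(".")
    if fqdn.endswith(".sdk.testflightapp.com.") and HEX_LABEL.match(labels[0]):
        labels[0] = "[snip]" + labels[0][-4:]
    return ".".join(labels)

def base_domain(fqdn):
    """Last two labels of the name (simplification; use the Public Suffix List in practice)."""
    labels = fqdn.rstrip(".").split(".")
    return ".".join(labels[-2:]) + "."

def top_refused(lines, rcode="REFUSED", threshold=3):
    """Aggregate by FQDN, apply the threshold, clump by base domain, and order
    groups by total hits.  Returns [(base_domain, [(count, fqdn), ...]), ...]."""
    counts = Counter()
    for line in lines:
        rc, fqdn = parse_line(line)
        if rc != rcode or fqdn.endswith(".in-addr.arpa."):
            continue
        counts[anonymize(fqdn)] += 1
    groups = defaultdict(list)
    for fqdn, n in counts.items():
        if n >= threshold:
            groups[base_domain(fqdn)].append((n, fqdn))
    ordered = []
    for base, items in groups.items():
        items.sort(key=lambda t: (-t[0], t[1]))          # descending within a clump
        ordered.append((base, items))
    ordered.sort(key=lambda g: (-sum(n for n, _ in g[1]), g[0]))
    return ordered

def render_groups(groups):
    """Print clumps separated by blank lines, in the style of the listing below."""
    blocks = ["\n".join(f"{n:>7} {fqdn}" for n, fqdn in items) for _, items in groups]
    return "\n\n".join(blocks)

if __name__ == "__main__":
    print(render_groups(top_refused(SAMPLE_LINES)))
```

On a real 10-million-record extract the only changes are reading the lines from the SIE output and raising `threshold` back to 10,000; the in-addr.arpa filter is worth keeping, since reverse-lookup REFUSEDs from private address space would otherwise dominate the top of the list.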

The output from that process highlights a number of services/products that are plugging away, apparently attempting to repeatedly connect to no-longer-available services. Particularly noteworthy are a number of names related to Kodi, the video player application. See the footnotes associated with many of the domain names below.

    201596 shadowsrepo.info.¹

    171567 dell-alive.singleclicksystems.com.²
    148688 dell-alive2.singleclicksystems.com.
    145870 dell-alive3.singleclicksystems.com.
    143957 dell-alive4.singleclicksystems.com.
    23070 isp.singleclicksystems.com.
    17395 alive.singleclicksystems.com.
    13978 alive3.singleclicksystems.com.
    13800 alive2.singleclicksystems.com.

    109554 pixel.fetchback.com.³
    10675 a2.fetchback.com.

    79235 akamai.hearst.tv.

    66384 aaarepo.xyz.⁴

    53239 www.economicnews.ca.⁵

    32320 [snip]6da8.sdk.testflightapp.com.⁶
    26156 sdk.testflightapp.com.
    25416 [snip]f6ee.sdk.testflightapp.com.
    21580 [snip]b840.sdk.testflightapp.com.
    20668 [snip]1037.sdk.testflightapp.com.
    19232 [snip]9b3f.sdk.testflightapp.com.
    14954 [snip]875c.sdk.testflightapp.com.
    11724 [snip]ab97.sdk.testflightapp.com.
    11106 [snip]fcec.sdk.testflightapp.com.
    10978 [snip]c71a.sdk.testflightapp.com.
    10784 [snip]49e5.sdk.testflightapp.com.
    10373 [snip]e9c0.sdk.testflightapp.com.
    [etc]

    27823 repo.gosub.dk.⁷

    24933 qdc-dns.qdx.com.

    19785 service.sellathon.com.⁸

    18139 apple.comscoreresearch.com.⁹

    12447 shadowcrew.info.¹⁰

    [remaining all less than 10,000 hits per label]

Next we’ll take a look at the FQDNs most commonly returning SERVFAIL response codes.  

SERVFAILs

When we look at SERVFAIL codes, we see a somewhat different pattern. Volumes per FQDN are lower, and many of the SERVFAIL response codes appear to be related to background-running autoconfiguration- or infrastructure-related services such as ISATAP¹¹, WPAD¹², LDAP¹³, NLS¹⁴, etc. These may be symptomatic of corporate devices used outside the corporate intranet without a virtual private network (VPN) solution.

Other major SERVFAIL-related FQDNs are associated with companies that are many-years-idle, but which are still being queried by old, old applications. This is an excellent demonstration of why every Internet protocol should include a mechanism for declaring that a server is end-of-life and should no longer be queried. Selected text in the following FQDNs is bolded to highlight the likely role of those servers or the base domain involved.

    99573 idcs.interclick.com.¹⁵
    69364 px.gs.interclick.com.
    45578 a1.interclick.com.
    11682 osmdcs.interclick.com.
    9334 3.g.interclick.com.

    70323 livedata.turner.com.¹⁶

    10167 isatap.wernerds.net.¹⁷
    2979 wpad.wernerds.net.
    1288 HQ-EPO02.wernerds.net.

    4461 wpad.ingdirect.com.

    4379 rmx.us.musichub.com.¹⁸

    4111 shorevoice.dmsinet.com.¹⁹ 
    3741 Dmsixutl.dmsinet.com.
    3692 DMSISVCS01.dmsinet.com.
    3265 wpad.dmsinet.com.
    1634 DMSIPRT1.dmsinet.com.
    3164 akrprt01.eng-prod.com.²⁰
    1210 _ldap._tcp.dc._msdcs.dmsinet.com.

    3055 isatap.auth.hpicorp.net.²¹
    2977 nls.datunnel.hpicorp.net.
    1931 radiacm.glb.itcs.hpecorp.net.²²

    2807 wpad.na.odcorp.net.²³
    1569 _ldap._tcp.US10012ODVPN._sites.dc._msdcs.na.odcorp.net.
    1225 proxypac.na.odcorp.net.
    1171 USCHCORPAV01.na.odcorp.net.

    2618 wpad.oai.olympusglobal.com.²⁴
    1033 _ldap._tcp.dc._msdcs.OAI.OLYMPUSGLOBAL.com.

    2581 wpad.global.bcecorp.net.²⁵

    2093 wpad.vnuusa.org.²⁶

    [remaining all less than 2000 hits per label]
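The autoconfiguration pattern described above (ISATAP, WPAD, the Active Directory `_ldap._tcp...dc._msdcs` SRV lookups, NLS) can be detected mechanically. The following Python is an added example, not Farsight's code: it matches the leftmost labels of each SERVFAIL name against those four patterns and reports, per pattern, which names are being looked up and which internal domain each one reveals, which is the view a network owner wants in order to confirm that off-network corporate devices are the source. The sample lines are constructed from names that appear in the listing above, with made-up counts.

```python
import re
from collections import Counter, defaultdict

# Leftmost-label patterns that mark enterprise autoconfiguration lookups.
# The suffix after the match is the internal domain the query reveals.
ROLE_PATTERNS = [
    ("WPAD",     re.compile(r"^wpad\.", re.I)),
    ("ISATAP",   re.compile(r"^isatap\.", re.I)),
    # Active Directory locator SRV name: _ldap._tcp[.<site>._sites].dc._msdcs.<domain>
    ("LDAP-SRV", re.compile(r"^_ldap\._tcp\.(?:[^.]+\._sites\.)?dc\._msdcs\.", re.I)),
    ("NLS",      re.compile(r"^nls\.", re.I)),
]

# Constructed sample lines ("<RCODE> <FQDN>"); counts are made up for the example.
SAMPLE_LINES = (
    ["SERVFAIL isatap.wernerds.net."] * 4
    + ["SERVFAIL wpad.wernerds.net."] * 3
    + ["SERVFAIL wpad.dmsinet.com."] * 2
    + ["SERVFAIL _ldap._tcp.dc._msdcs.dmsinet.com."] * 2
    + ["SERVFAIL _ldap._tcp.US10012ODVPN._sites.dc._msdcs.na.odcorp.net."]
    + ["SERVFAIL nls.datunnel.hpicorp.net."] * 2
    + ["SERVFAIL livedata.turner.com."] * 5      # not an autoconfig name
    + ["REFUSED wpad.vnuusa.org."] * 3           # different RCODE, ignored here
)

def classify(fqdn):
    """Return (role, revealed_domain) for an autoconfig name, else (None, fqdn)."""
    for role, pat in ROLE_PATTERNS:
        m = pat.match(fqdn)
        if m:
            return role, fqdn[m.end():].lower()
    return None, fqdn.lower()

def autoconfig_report(lines, rcode="SERVFAIL"):
    """Tally autoconfig-style names among responses with the given RCODE.

    Returns (by_role, by_domain): by_role maps role -> Counter of FQDNs,
    by_domain maps the revealed internal domain -> total hits."""
    by_role = defaultdict(Counter)
    by_domain = Counter()
    for line in lines:
        rc, fqdn = line.split(None, 1)
        if rc != rcode:
            continue
        fqdn = fqdn.strip()
        role, domain = classify(fqdn)
        if role is None:
            continue
        by_role[role][fqdn.lower()] += 1
        by_domain[domain] += 1
    return by_role, by_domain

def render_report(by_role, by_domain):
    """Text layout: one block per role, then hits per revealed internal domain."""
    out = []
    for role, names in by_role.items():
        out.append(role)
        out.extend(f"{n:>6} {fqdn}" for fqdn, n in names.most_common())
    out.append("hits per revealed internal domain")
    out.extend(f"{n:>6} {d}" for d, n in by_domain.most_common())
    return "\n".join(out)

if __name__ == "__main__":
    print(render_report(*autoconfig_report(SAMPLE_LINES)))
```

The `by_domain` view is the one to act on: a domain owner who sees their own AD or WPAD suffix in it has devices resolving internal names through outside resolvers, and the usual fixes (a VPN that owns DNS for those clients, or a split-horizon configuration that stops the lookups leaving the intranet) apply.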

Conclusion

You’ve now gotten a brief taste of some of the error codes that SIE users see from the SIE DNS Errors Channel. In an article this brief, we were only able to scratch the surface of what’s in the DNS Errors Channel, but there’s lots more there, including information potentially related to your users and your domains. Isn’t it worth knowing what’s happening when it comes to YOUR domains? Or perhaps you’re a grad student researcher looking for a potentially fascinating thesis or dissertation topic?

If you’re interested in exploring the DNS Errors Channel in more detail, please contact Farsight Sales at sales@farsightsecurity.com or complete the web form at https://www.farsightsecurity.com/order-services/

Endnotes

¹ https://www.youtube.com/watch?v=WLUz4E21A3Q

Not familiar with Kodi? See https://en.wikipedia.org/wiki/Kodi_%28software%29 See also: https://torrentfreak.com/when-piracy-gets-too-easy-expect-a-big-response-150620/ and http://cordcuttersnews.com/comcast-starts-issuing-copyright-infringement-notices-to-kodi-users/

² “SingleClick Systems CEO draws five-year prison sentence for scamming investors,” http://www.zdnet.com/article/singleclick-systems-ceo-draws-five-year-prison-sentence-for-scamming-investors/

³ https://www.crunchbase.com/organization/fetchback#/entity says “Status: Acquired by GSI Commerce on June 1, 2010” Following the link to GSI Commerce, https://www.crunchbase.com/organization/gsi-commerce#/entity “Status: Acquired by eBay on June 20, 2011”

⁴ Another Kodi-related domain, apparently, see https://www.facebook.com/permalink.php?story_fbid=1624231054458594&id=1417695461778822

⁵ See http://archive.is/www.economicnews.ca and http://www.alexa.com/siteinfo/economicnews.ca

⁶ “TestFlightApp.com is Going to Shut Down Next Month,” Jan 28, 2015 http://www.infoq.com/news/2015/01/testflightapp-shuts-down

⁷ Apparently another Kodi-related site, see http://xbian.org/forum/thread-448.html

⁸ Apparently a product of Auctiva, see https://en.m.wikipedia.org/wiki/Auctiva

⁹ See https://en.wikipedia.org/wiki/ComScore

¹⁰ Apparently another Kodi-related site, see: http://kodim3u.com/tag/shadowcrew-httpshadowcrew-infoshadows/

¹¹ https://en.wikipedia.org/wiki/ISATAP

¹² https://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol See also “Finding Web Proxy Auto Discovery Protocol (WPAD)-related Security Exposures Using Farsight Security’s NXDOMAINs Channel”

¹³ “SRV Resource Records,” https://technet.microsoft.com/en-us/library/cc961719.aspx

¹⁴ “Network Location Server,” https://technet.microsoft.com/en-us/library/gg315317.aspx

¹⁵ https://www.crunchbase.com/organization/interclick#/entity says “Acquired by Yahoo! on November 1, 2011”

¹⁶ While livedata.turner.com generated SERVFAILs at one or more locations covered by a Farsight sensor at the time this data was collected, when tested from a reference host as part of investigating these domains, the host resolves and the web site returns a 1x1 pixel image, presumably used for tracking-related purposes:

    $ dig livedata.turner.com
    [snip]
    livedata.turner.com.    60  IN  A   157.166.249.67
    livedata.turner.com.    60  IN  A   157.166.239.38
    livedata.turner.com.    60  IN  A   157.166.238.237
    livedata.turner.com.    60  IN  A   157.166.248.175

The SERVFAILs may have been temporary, or associated with an attempt at blocking trackers.

¹⁷ And the domain? wernerds=We-R-Nerds

¹⁸ http://www.androidcentral.com/samsung-shutting-music-hub-working-replacement-service

¹⁹ Domain appears to have ceased being used in 2008, see https://web.archive.org/web/*/http://dmsinet.com

²⁰ Domain appears to have ceased being used in 2005, see https://web.archive.org/web/*/eng-prod.com

²¹ HP, Inc

²² Also HP, Inc.

²³ Office Depot Corporation

²⁴ Olympus America, Inc

²⁵ Beckman Coulter Inc

²⁶ Nielsen Company

Joe St Sauver, Ph.D. is a Scientist with Farsight Security, Inc.
