Odd log messages from ISC BIND named
Ben Scott
dragonhawk at gmail.com
Tue Feb 3 18:58:51 EST 2009
On Tue, Feb 3, 2009 at 6:29 PM, <VirginSnow at vfemail.net> wrote:
>> Okay, I might buy that, but what's it doing on our DNS server?
>
> If the payload space being searched included the destination IP field,
> the destination IP could just coincidentally have been that of
> liberty.

Maybe I'm misunderstanding something. As I understand it, a
known-plaintext attack means you've got some plaintext, and you've
also got the corresponding ciphertext, but you don't know the key.
You're interested in the key because you've got other ciphertext
*without* the corresponding plaintext. Right?

I'm having trouble envisioning a scenario where the above attack
would find it useful to send a flood of DNS packets for bogus names to
an arbitrary IP address. We're trying to crack an encrypted network.
Presumably, the attacker doesn't have full access to the encrypted
network, or he wouldn't need to do this. So we have to suppose some
kind of Trojan horse which has partially penetrated the target
network. Maybe a compromised luser machine. It can't be doing a
standard application name lookup query, since these domain names were
not in any delegated zone. Someone was directing DNS packets at a
particular IP address. (As with NSLOOKUP with a second argument.)

So, the attacker is also sniffing the ciphertext, in addition to
having a partial penetration. Bit of a stretch, but within the realm
of possibility for a targeted attack. But then why not send queries
for www.google.com, or some long but real domain name? That would be
even harder to spot in the traffic, and might make the cryptanalysis
easier, since the domain name wouldn't be changing every packet. And
why not send the packets to some zombie, so you can get the full
plaintext datagram (ports, sequence numbers, etc.), rather than just
the domain name? And if they're not interested in knowing more than
the domain name, why not vary the IP address with each and every
packet?

-- Ben