Zoeken in Support

Vermijd ondersteuningsscams. We zullen u nooit vragen een telefoonnummer te bellen, er een sms naar te sturen of persoonlijke gegevens te delen. Meld verdachte activiteit met de optie ‘Misbruik melden’.

Meer info

Deze conversatie is gearchiveerd. Stel een nieuwe vraag als u hulp nodig hebt.

Firefox 36 send DNS ANY requests?

  • 1 antwoord
  • 1 heeft dit probleem
  • 9 weergaven
  • Laatste antwoord van philipp

more options

I am an incident handler at the Internet Storm Center. One of our readers sent in the following concern with Firefox 36. Can anyone shed any light on this?

'Our organization utilizes a firewall with IPS as a guard between our clients and our servers. Beginning late Wednesday, an IPS rule on this firewall began to flag DNS ANY traffic destined from a client to our internal DNS servers - logs indicated that the number of events originating from this client were enough to potentially be related to some type of botnet performing a DNS Amplification DDOS. The machine was confiscated and scanned, but was clean. The next day (2/26), the number of clients performing DNS ANY queries jumped to just under 10. Our team studied the traffic, but was having a hard time pinpointing malicious activity - we confiscated these machines as well in an abundance of caution. The issue persisted today, but we were able to catch a client with Firefox 36 performing the query. We cross-referenced our other suspect clients and confirmed that they all had upgraded to Firefox 36 just before sending DNS ANY queries. It appears that there is a bug in Firefox 36 that causes the browser to send ANY queries instead of AAAA queries. By changing "network.dns.get-ttl" to "False" in about:config, we were able to eliminate this traffic on all of the machines that were sending DNS ANY queries. I've attached a screen shot of a PCAP captured at the firewall showing an A query, followed by an ANY query of a facebook domain.

Hopefully this will keep others from chasing a false positive."

I am an incident handler at the Internet Storm Center. One of our readers sent in the following concern with Firefox 36. Can anyone shed any light on this? 'Our organization utilizes a firewall with IPS as a guard between our clients and our servers. Beginning late Wednesday, an IPS rule on this firewall began to flag DNS ANY traffic destined from a client to our internal DNS servers - logs indicated that the number of events originating from this client were enough to potentially be related to some type of botnet performing a DNS Amplification DDOS. The machine was confiscated and scanned, but was clean. The next day (2/26), the number of clients performing DNS ANY queries jumped to just under 10. Our team studied the traffic, but was having a hard time pinpointing malicious activity - we confiscated these machines as well in an abundance of caution. The issue persisted today, but we were able to catch a client with Firefox 36 performing the query. We cross-referenced our other suspect clients and confirmed that they all had upgraded to Firefox 36 just before sending DNS ANY queries. It appears that there is a bug in Firefox 36 that causes the browser to send ANY queries instead of AAAA queries. By changing "network.dns.get-ttl" to "False" in about:config, we were able to eliminate this traffic on all of the machines that were sending DNS ANY queries. I've attached a screen shot of a PCAP captured at the firewall showing an A query, followed by an ANY query of a facebook domain. Hopefully this will keep others from chasing a false positive."

Alle antwoorden (1)

more options

hi Namedeplume, thanks for bringing this up. the problem is tracked in bug #1093983.