I see a lot of NXDOMAIN responses from machines in my network for domains like the following:

ffubpjjoprrlpzx.corp.ad.broadcom.com 
vwgpcnmoxqsszq.corp.ad.broadcom.com 
jlvnxrsykybw.corp.ad.broadcom.com
aroxzxpasgogr.corp.ad.broadcom.com

The failures are not limited to broadcom but include other websites as well. Is this some form of overloading of DNS? Could someone explain whether advertisement domains do this sort of thing, and what their purpose is? Or is this a security issue?

DaTaBomB

3 Answers

You will see this if folks on your network are using Chrome. Chrome does a DNS anti-spoofing test that causes these entries.

Aaron
  • There are Chrome users in the network, but I see these random-looking requests to many "ad" websites, and this seems to be a pattern in the failures. E.g. 'xxzxotsuidd.ads.fresenius.com', 'vwyhlkpcterovg.ads.fresenius.com', etc., which makes me believe it's more than the anti-spoofing test. Thoughts? – DaTaBomB Aug 13 '15 at 08:33

This answer is probably wrong, having looked at Aaron's. False alarm, I'm too used to dealing with the attacks described below lately.


This is a DNS label randomization attack in progress. You need to identify the devices making the query and make sure they are not forwarding queries on behalf of other devices. Keep in mind that the source IPs may be spoofed so you can only follow the origin as far back as devices you control.

Find the origin of these queries and plug it. You probably have an open resolver somewhere.

Andrew B
  • I see a common pattern in these failures in that a lot of NXDOMAIN responses occur for websites which seem to have a structure like: . ad. which made me suspect this is some form of advertisement-related overloading as opposed to a security event. Any thoughts on this? – DaTaBomB Aug 12 '15 at 07:41
  • See update - Aaron is probably correct. – Andrew B Aug 12 '15 at 08:00

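Both answers above point at the same telemetry and reach opposite conclusions, so the practical question is how to tell the two apart in resolver logs. Chromium's intranet redirect detector sends a few queries for single random labels of 7 to 15 lowercase letters, and the client's stub resolver completes them with the DNS search suffix, which is exactly the shape of the names in the question; a random-subdomain flood of the kind Andrew B describes produces the same kind of label, but at a much higher rate and usually against a zone that is not the local search suffix. The script below is an added example, not code from either answer or from the original post. The log format, the IP addresses, the `victim-zone.example` and `ads.other.example` names, and the rate and count thresholds are all constructed assumptions to tune for a real network.

```python
"""Triage NXDOMAIN answers for random-looking subdomain labels (added example)."""
from __future__ import annotations

import math
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed log format (not a real resolver's): "<ISO ts> <client ip> <qname> <rcode>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

# Chromium's probe labels are single random labels of 7-15 lowercase letters.
RANDOM_LABEL_RE = re.compile(r"^[a-z]{7,15}$")

# Assumed thresholds; tune per network. Chrome sends 3 probes per start/network change.
FLOOD_MIN_QUERIES = 10
FLOOD_MIN_QPS = 5.0
PROBE_MAX_QUERIES = 12

# Constructed sample log: one Chrome client, one flood source, one odd client.
SAMPLE_LOG = """\
2015-08-13T08:30:01 10.1.2.10 ffubpjjoprrlpzx.corp.ad.broadcom.com NXDOMAIN
2015-08-13T08:30:01 10.1.2.10 vwgpcnmoxqsszq.corp.ad.broadcom.com NXDOMAIN
2015-08-13T08:30:02 10.1.2.10 jlvnxrsykybw.corp.ad.broadcom.com NXDOMAIN
2015-08-13T08:30:02 10.1.2.10 wpad.corp.ad.broadcom.com NXDOMAIN
2015-08-13T08:30:05 10.1.2.10 www.broadcom.com NOERROR
2015-08-13T08:31:00 10.1.9.200 qpxwmrtlbzvhd.victim-zone.example NXDOMAIN
2015-08-13T08:31:00 10.1.9.200 kfjgyswenoalc.victim-zone.example NXDOMAIN
2015-08-13T08:31:00 10.1.9.200 zmtrupqvdxbhy.victim-zone.example NXDOMAIN
2015-08-13T08:31:00 10.1.9.200 hwcvkoagrnuef.victim-zone.example NXDOMAIN
2015-08-13T08:31:00 10.1.9.200 lrxpztyjqbsmw.victim-zone.example NXDOMAIN
2015-08-13T08:31:01 10.1.9.200 dnvegfkhcoiaz.victim-zone.example NXDOMAIN
2015-08-13T08:31:01 10.1.9.200 tjsbwqmlypxrg.victim-zone.example NXDOMAIN
2015-08-13T08:31:01 10.1.9.200 ucvnhkzaefidm.victim-zone.example NXDOMAIN
2015-08-13T08:31:01 10.1.9.200 xgplrwbtosyqj.victim-zone.example NXDOMAIN
2015-08-13T08:31:01 10.1.9.200 mnfdhvczeurak.victim-zone.example NXDOMAIN
2015-08-13T08:40:00 10.1.2.11 aroxzxpasgogr.ads.other.example NXDOMAIN
2015-08-13T08:40:01 10.1.2.11 xxzxotsuidd.ads.other.example NXDOMAIN
"""


def shannon_entropy(s: str) -> float:
    """Bits per character: 'aaaaaaa' is 0.0, a 13-letter label with no repeats ~3.7."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_random(label: str) -> bool:
    """Letters only, probe-length, and not repetitive. Short-string entropy is noisy
    (the post's real probe 'aroxzxpasgogr' scores ~2.9), so the floor is low."""
    return bool(RANDOM_LABEL_RE.match(label)) and shannon_entropy(label) >= 2.5


def split_name(qname: str) -> tuple[str, str]:
    """Return (leftmost label, parent domain), lower-cased, without trailing dot."""
    labels = qname.lower().rstrip(".").split(".")
    return labels[0], ".".join(labels[1:])


@dataclass
class Group:
    count: int = 0
    first: Optional[datetime] = None
    last: Optional[datetime] = None

    def add(self, ts: datetime) -> None:
        self.count += 1
        self.first = ts if self.first is None or ts < self.first else self.first
        self.last = ts if self.last is None or ts > self.last else self.last

    def qps(self) -> float:
        # Clamp the span to one second so a same-second burst is not divided by zero.
        span = (self.last - self.first).total_seconds()
        return self.count / max(span, 1.0)


def parse_log(text: str) -> list[tuple[datetime, str, str, str]]:
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts, client, qname, rcode = m.groups()
            rows.append((datetime.fromisoformat(ts), client, qname, rcode))
    return rows


def triage(rows, search_suffix: str) -> dict[tuple[str, str], str]:
    """Classify each (client, parent domain) that produced random-label NXDOMAINs."""
    groups: dict[tuple[str, str], Group] = defaultdict(Group)
    for ts, client, qname, rcode in rows:
        if rcode != "NXDOMAIN":
            continue
        label, parent = split_name(qname)
        if looks_random(label):
            groups[(client, parent)].add(ts)

    verdicts = {}
    for (client, parent), g in groups.items():
        if g.count >= FLOOD_MIN_QUERIES and g.qps() >= FLOOD_MIN_QPS:
            verdicts[(client, parent)] = "random-subdomain flood: trace the forwarding device / open resolver"
        elif parent == search_suffix.lower() and g.count <= PROBE_MAX_QUERIES:
            verdicts[(client, parent)] = "consistent with Chrome intranet-redirect probe: benign"
        else:
            verdicts[(client, parent)] = "unclassified: inspect the client"
    return verdicts


if __name__ == "__main__":
    for key, verdict in triage(parse_log(SAMPLE_LOG), "corp.ad.broadcom.com").items():
        print(key, "->", verdict)
```

The split is by rate and destination rather than by how random a label looks: a probe and a flood label are indistinguishable on their own, but three queries per client that land on the local search suffix and never recur are the browser, while dozens per second against a zone you do not own are somebody else's traffic passing through a device of yours, and that device is what to chase.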

It's hard to say what exactly is going on without being able to investigate the affected machines, however this appears to be some kind of "ping back" mechanism using DNS.

Per DNS specs, query failures must never be cached by a resolver cache, therefore every request for these domains hits the authoritative name servers. I'm not certain why they do that, but there's very likely something on the other end counting hits on these and gathering stats. If it's sophisticated enough, it could even be sending information by encoding it in those name lookups.

You should try to identify the source of these requests and make sure the computer/server is not infected with spyware/malware. You could also configure your DNS resolver to send all queries for the domain (ad.broadcom.com) to some dummy/non-existent servers so that the queries do not reach the intended destination.

P.S.: All these queries end up on a broadcom.com domain, which belongs to a pretty big US corporation, so I wouldn't be too worried; you should check whether a Broadcom utility does it and maybe ask the company why. But if it were going to some shady domain, that would definitely be worrying.