搜索 | 用户支持

防范以用户支持为名的诈骗。我们绝对不会要求您拨打电话或发送短信,及提供任何个人信息。请使用“举报滥用”选项报告涉及违规的行为。

详细了解

Firefox 36 send DNS ANY requests?

  • 1 个回答
  • 1 人有此问题
  • 9 次查看
  • 最后回复者为 philipp

more options

I am an incident handler at the Internet Storm Center. One of our readers sent in the following concern with Firefox 36. Can anyone shed any light on this?

'Our organization utilizes a firewall with IPS as a guard between our clients and our servers. Beginning late Wednesday, an IPS rule on this firewall began to flag DNS ANY traffic destined from a client to our internal DNS servers - logs indicated that the number of events originating from this client were enough to potentially be related to some type of botnet performing a DNS Amplification DDOS. The machine was confiscated and scanned, but was clean. The next day (2/26), the number of clients performing DNS ANY queries jumped to just under 10. Our team studied the traffic, but was having a hard time pinpointing malicious activity - we confiscated these machines as well in an abundance of caution. The issue persisted today, but we were able to catch a client with Firefox 36 performing the query. We cross-referenced our other suspect clients and confirmed that they all had upgraded to Firefox 36 just before sending DNS ANY queries. It appears that there is a bug in Firefox 36 that causes the browser to send ANY queries instead of AAAA queries. By changing "network.dns.get-ttl" to "False" in about:config, we were able to eliminate this traffic on all of the machines that were sending DNS ANY queries. I've attached a screen shot of a PCAP captured at the firewall showing an A query, followed by an ANY query of a facebook domain.

Hopefully this will keep others from chasing a false positive."

I am an incident handler at the Internet Storm Center. One of our readers sent in the following concern with Firefox 36. Can anyone shed any light on this? 'Our organization utilizes a firewall with IPS as a guard between our clients and our servers. Beginning late Wednesday, an IPS rule on this firewall began to flag DNS ANY traffic destined from a client to our internal DNS servers - logs indicated that the number of events originating from this client were enough to potentially be related to some type of botnet performing a DNS Amplification DDOS. The machine was confiscated and scanned, but was clean. The next day (2/26), the number of clients performing DNS ANY queries jumped to just under 10. Our team studied the traffic, but was having a hard time pinpointing malicious activity - we confiscated these machines as well in an abundance of caution. The issue persisted today, but we were able to catch a client with Firefox 36 performing the query. We cross-referenced our other suspect clients and confirmed that they all had upgraded to Firefox 36 just before sending DNS ANY queries. It appears that there is a bug in Firefox 36 that causes the browser to send ANY queries instead of AAAA queries. By changing "network.dns.get-ttl" to "False" in about:config, we were able to eliminate this traffic on all of the machines that were sending DNS ANY queries. I've attached a screen shot of a PCAP captured at the firewall showing an A query, followed by an ANY query of a facebook domain. Hopefully this will keep others from chasing a false positive."

所有回复 (1)

more options

hi Namedeplume, thanks for bringing this up. the problem is tracked in bug #1093983.