Fungování této stránky je z důvodu údržby dočasně omezeno. Pokud žádný článek nápovědy nevyřeší váš problém a potřebujete se zeptat na další řešení, napište nám na Twitter @FirefoxSupport nebo Reddit /r/firefox.

Prohledat stránky podpory

Vyhněte se podvodům. Za účelem poskytnutí podpory vás nikdy nežádáme, abyste zavolali nebo poslali SMS na nějaké telefonní číslo nebo abyste sdělili své osobní údaje. Jakékoliv podezřelé chování nám prosím nahlaste pomocí odkazu „Nahlásit zneužití“.

Zjistit více

Firefox 36 send DNS ANY requests?

  • 1 odpověď
  • 1 má tento problém
  • 4 zobrazení
  • Poslední odpověď od philipp

more options

I am an incident handler at the Internet Storm Center. One of our readers sent in the following concern with Firefox 36. Can anyone shed any light on this?

'Our organization utilizes a firewall with IPS as a guard between our clients and our servers. Beginning late Wednesday, an IPS rule on this firewall began to flag DNS ANY traffic destined from a client to our internal DNS servers - logs indicated that the number of events originating from this client were enough to potentially be related to some type of botnet performing a DNS Amplification DDOS. The machine was confiscated and scanned, but was clean. The next day (2/26), the number of clients performing DNS ANY queries jumped to just under 10. Our team studied the traffic, but was having a hard time pinpointing malicious activity - we confiscated these machines as well in an abundance of caution. The issue persisted today, but we were able to catch a client with Firefox 36 performing the query. We cross-referenced our other suspect clients and confirmed that they all had upgraded to Firefox 36 just before sending DNS ANY queries. It appears that there is a bug in Firefox 36 that causes the browser to send ANY queries instead of AAAA queries. By changing "network.dns.get-ttl" to "False" in about:config, we were able to eliminate this traffic on all of the machines that were sending DNS ANY queries. I've attached a screen shot of a PCAP captured at the firewall showing an A query, followed by an ANY query of a facebook domain.

Hopefully this will keep others from chasing a false positive."

I am an incident handler at the Internet Storm Center. One of our readers sent in the following concern with Firefox 36. Can anyone shed any light on this? 'Our organization utilizes a firewall with IPS as a guard between our clients and our servers. Beginning late Wednesday, an IPS rule on this firewall began to flag DNS ANY traffic destined from a client to our internal DNS servers - logs indicated that the number of events originating from this client were enough to potentially be related to some type of botnet performing a DNS Amplification DDOS. The machine was confiscated and scanned, but was clean. The next day (2/26), the number of clients performing DNS ANY queries jumped to just under 10. Our team studied the traffic, but was having a hard time pinpointing malicious activity - we confiscated these machines as well in an abundance of caution. The issue persisted today, but we were able to catch a client with Firefox 36 performing the query. We cross-referenced our other suspect clients and confirmed that they all had upgraded to Firefox 36 just before sending DNS ANY queries. It appears that there is a bug in Firefox 36 that causes the browser to send ANY queries instead of AAAA queries. By changing "network.dns.get-ttl" to "False" in about:config, we were able to eliminate this traffic on all of the machines that were sending DNS ANY queries. I've attached a screen shot of a PCAP captured at the firewall showing an A query, followed by an ANY query of a facebook domain. Hopefully this will keep others from chasing a false positive."

Všechny odpovědi (1)

more options

hi Namedeplume, thanks for bringing this up. the problem is tracked in bug #1093983.