לאתר זה תהיה פונקציונליות מוגבלת בזמן שאנו מתחזקים אותו לשיפור החוויה שלך. אם מאמר מסויים לא פותר את הבעיה שלך וברצונך לשאול שאלה, קהילת התמיכה שלנו מחכה לעזור לך ב־Twitter תחת ‎@FirefoxSupport וב־Reddit תחת ‎/r/firefox.

חיפוש בתמיכה

יש להימנע מהונאות תמיכה. לעולם לא נבקש ממך להתקשר או לשלוח הודעת טקסט למספר טלפון או לשתף מידע אישי. נא לדווח על כל פעילות חשודה באמצעות באפשרות ״דיווח על שימוש לרעה״.

מידע נוסף

Firefox 36 send DNS ANY requests?

  • 1 תגובה
  • 1 has this problem
  • 4 views
  • תגובה אחרונה מאת philipp

more options

I am an incident handler at the Internet Storm Center. One of our readers sent in the following concern with Firefox 36. Can anyone shed any light on this?

'Our organization utilizes a firewall with IPS as a guard between our clients and our servers. Beginning late Wednesday, an IPS rule on this firewall began to flag DNS ANY traffic destined from a client to our internal DNS servers - logs indicated that the number of events originating from this client were enough to potentially be related to some type of botnet performing a DNS Amplification DDOS. The machine was confiscated and scanned, but was clean. The next day (2/26), the number of clients performing DNS ANY queries jumped to just under 10. Our team studied the traffic, but was having a hard time pinpointing malicious activity - we confiscated these machines as well in an abundance of caution. The issue persisted today, but we were able to catch a client with Firefox 36 performing the query. We cross-referenced our other suspect clients and confirmed that they all had upgraded to Firefox 36 just before sending DNS ANY queries. It appears that there is a bug in Firefox 36 that causes the browser to send ANY queries instead of AAAA queries. By changing "network.dns.get-ttl" to "False" in about:config, we were able to eliminate this traffic on all of the machines that were sending DNS ANY queries. I've attached a screen shot of a PCAP captured at the firewall showing an A query, followed by an ANY query of a facebook domain.

Hopefully this will keep others from chasing a false positive."

I am an incident handler at the Internet Storm Center. One of our readers sent in the following concern with Firefox 36. Can anyone shed any light on this? 'Our organization utilizes a firewall with IPS as a guard between our clients and our servers. Beginning late Wednesday, an IPS rule on this firewall began to flag DNS ANY traffic destined from a client to our internal DNS servers - logs indicated that the number of events originating from this client were enough to potentially be related to some type of botnet performing a DNS Amplification DDOS. The machine was confiscated and scanned, but was clean. The next day (2/26), the number of clients performing DNS ANY queries jumped to just under 10. Our team studied the traffic, but was having a hard time pinpointing malicious activity - we confiscated these machines as well in an abundance of caution. The issue persisted today, but we were able to catch a client with Firefox 36 performing the query. We cross-referenced our other suspect clients and confirmed that they all had upgraded to Firefox 36 just before sending DNS ANY queries. It appears that there is a bug in Firefox 36 that causes the browser to send ANY queries instead of AAAA queries. By changing "network.dns.get-ttl" to "False" in about:config, we were able to eliminate this traffic on all of the machines that were sending DNS ANY queries. I've attached a screen shot of a PCAP captured at the firewall showing an A query, followed by an ANY query of a facebook domain. Hopefully this will keep others from chasing a false positive."

כל התגובות (1)

more options

hi Namedeplume, thanks for bringing this up. the problem is tracked in bug #1093983.