This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Identification of rogue IPv6 DNS server

0

On our network, client workstations utilize DHCP for obtaining DNS server settings. I need to figure out why a certain IPv6 host is being added into the list of DNS servers. In other words, I need a way to capture IPv6-based DHCP traffic. Any assistance is greatly appreciated.

Thanks xxx

asked 26 Jan '16, 19:54


micahblair
accept rate: 0%

edited 27 Jan '16, 03:11


grahamb ♦


One Answer:

0

Not sure I understand what "IPv6 host is being added into the list of DNS servers" means. But if it simply means that for a single DHCP discovery you get several DHCP offers, I would assume you need to work around the fact that the dynamically configured host interface only sends DHCP discovery for a certain period of time after L1 comes up, and that you cannot capture on an interface which is not up at L1. Here a hub or a switch with monitoring capability would help - you would connect the cable from one of your dynamically configured hosts to the uplink port of the switch or hub, connect a capturing machine to the monitoring port (if it is a switch with monitoring capability) or to any port if it is a hub and start capturing in promiscuous mode, and as the last step, connect the dynamically configured host to the access port of the hub/switch. This way, the capturing interface would already be up and running while the dynamically configured host would be negotiating at L1 and sending the DHCP discover.

The next step would be to apply display filter dhcpv6 to see only the interesting packets, and look at the contents as well as the source MAC and IP addresses of all the DHCP offers which would come in response to the DHCP discover.

Now you can find two possibilities:

  • there is actually a rogue DHCP server in the network, which answers faster than the legal one and augments the list of DNS servers with its "favourite" one - in such case, see the "last step" below.

  • it is your standard DHCP server which provides that rogue DNS server, so you'd have to check its configuration.

The last step would be to use this address information to identify the "illegal" DHCP server. If you are lucky, your managed switches will show you at which port of which switch this MAC address lives, so you can track it from switch to switch until you get to the one to which it is connected. If you are less lucky, the machine also sends other traffic, so capturing close to your gateway towards the internet and analysing the traffic may give you a hint which one it is. The last "passive" resort is the inventory list with MAC addresses.

If no passive method helps, the next one is to ban that IP from access to the internet/company server; the affected user will call the IT helpdesk in no time.

answered 27 Jan '16, 03:14


sindy
accept rate: 24%

edited 27 Jan '16, 05:05
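An added example (not from the original thread) for the step the answer describes: once the capture is filtered on dhcpv6, decode the DNS Servers option (option 23) of each server message and report which source MAC/IPv6 hands out a DNS server that is not on your allow-list. Note that in DHCPv6 the exchange is Solicit/Advertise/Request/Reply rather than Discover/Offer; the frames, MAC addresses and 2001:db8 addresses below are constructed sample data, and the function and variable names are this example's own.

```python
import ipaddress
import struct

MSG_TYPES = {1: "SOLICIT", 2: "ADVERTISE", 3: "REQUEST", 7: "REPLY"}  # RFC 8415
OPTION_DNS_SERVERS = 23  # RFC 3646: option data is a list of 16-byte IPv6 addresses

def parse_dhcpv6(payload):
    """Return (message type name, {option code: [data, ...]}) for a DHCPv6 UDP payload."""
    if len(payload) < 4:
        raise ValueError("truncated DHCPv6 header")
    options, pos = {}, 4  # skip the 1-byte msg-type and 3-byte transaction-id
    while pos < len(payload):
        code, length = struct.unpack("!HH", payload[pos:pos + 4])
        data = payload[pos + 4:pos + 4 + length]
        if len(data) != length:
            raise ValueError("truncated DHCPv6 option %d" % code)
        options.setdefault(code, []).append(data)
        pos += 4 + length
    return MSG_TYPES.get(payload[0], "TYPE_%d" % payload[0]), options

def dns_servers(options):
    """Decode every OPTION_DNS_SERVERS payload into a list of IPv6 address strings."""
    raw = b"".join(options.get(OPTION_DNS_SERVERS, []))
    if len(raw) % 16:
        raise ValueError("DNS_SERVERS option length is not a multiple of 16")
    return [str(ipaddress.IPv6Address(raw[i:i + 16])) for i in range(0, len(raw), 16)]

def find_rogue_offers(frames, allowed_dns):
    """frames: (source MAC, source IPv6, DHCPv6 payload) tuples from the capture.
    Returns (source MAC, source IPv6, message type, [unexpected DNS servers]) per offender."""
    findings = []
    for src_mac, src_ip, payload in frames:
        msg, opts = parse_dhcpv6(payload)
        if msg in ("ADVERTISE", "REPLY"):  # only server-originated messages carry DNS settings
            bad = [a for a in dns_servers(opts) if a not in allowed_dns]
            if bad:
                findings.append((src_mac, src_ip, msg, bad))
    return findings

def build_advertise(dns_addrs, xid=b"\x01\x02\x03"):
    """Constructed sample: a minimal ADVERTISE carrying only option 23."""
    data = b"".join(ipaddress.IPv6Address(a).packed for a in dns_addrs)
    return bytes([2]) + xid + struct.pack("!HH", OPTION_DNS_SERVERS, len(data)) + data

# Constructed sample capture: the legitimate server plus one that slips in an extra resolver.
ALLOWED_DNS = {"2001:db8::53"}
SAMPLE_FRAMES = [
    ("00:11:22:33:44:55", "fe80::1", build_advertise(["2001:db8::53"])),
    ("de:ad:be:ef:00:01", "fe80::bad", build_advertise(["2001:db8::53", "2001:db8:bad::53"])),
]
```

The reported source MAC is the value to feed into the switch MAC-address tables the answer mentions; if the unexpected resolver comes from the MAC of your own DHCP server, the problem is that server's configuration.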