Intra Net DNS Leakage
intranet is a company's internal network, intra or inside the
boundaries of the company. Intranets are not
intended to be accessible or visible from the outside except
via special access. These private networks are
for business; these are not public accessible. Even regular checking
account holders of Alfa Bank don't get access. Such networks run off a
green list or white list of approved parties. DNS leakage does occur occasionally between
a company internal network and the Internet, especially during
times of errors and configuration because of human factors.
Here we see clear indication that the Moscow division of the INTERNAL
Alfa Bank network most definitely has purposeful communications
with a hostname registered by the Trump Organization. The
concatenation below is a DNS leak of an internal configuration.
If a machine were spamming a company, you would block it. You be would
be highly unlikely to change your internal intranet records to make
sure the connection continued.
Here we see a change to the
Trump-Email.com zone from DNS by CenDyn. (CenDyn has stated that
the host was indeed in use for "a bank" that wanted to have
"meetings" with Alfa Bank - read those details here).
SCROLL DOWN TO CONTINUE READING
TIMESTAMP | HOSTNAME | QUERY ORIGINATOR IP
The QUERY ORIGINATOR IP is typically a recursive DNS resolver
This query is unusual in that is merges two hostnames into
one. It makes the most sense as a human error in inserting a new hostname in some
dialog window, but neglected to hit the backspace to delete the
Of course, this runon hostname doesn't exist; it's just
two hostnames run together. Some 90 seconds later, the networks
stopped talking about this host (at 2016-09-23T13:56:29.000Z), and
further queries were not seen. But the brief minute life of the
query associates the trump-email server to a new zone: the Alfa
Bank intranet network.
The moscow.alfaintra.net is
the internal LAN of AlfaBank. Like most careful organizations, the
bank intranet is only resolved and reachable
via a VPN (or by being inside the Bank's network of course). The
internal LAN network contains ldap servers, a Microsoft Active
Directory server, a HipChat server, a few Apple Caching Servers,
some Microsoft Key Management Service (KMS) systems, etc.
The hyrbid hostname suggests that Alfa was attempting to accomodate
the Trump host in its network. After the 90-second "fat finger"
event, the queries ceased as the record was corrected, and the
targeted domain entered correctly.