This December 2003 article states:
"Handling external Web requests... is accomplished by advertising a low DNS TTL of about 10 seconds. This forces the end user's DNS server to request an updated IP address every 10 seconds... the device will provide the external IP address that will provide the best path through the network."
The whole idea with DNS-based systems is to trick clients into visiting the server that's "closest" to them in Internet space. By "closest" I mean the one offering the lowest latency. It's a performance enhancement for visitors.
NWC's graphic does a nice job explaining the system.
Notice the mention of "probes." The review mentions ICMP and TCP-based "probes" in its product feature list. NSM analysts might see these probes and consider them suspicious, when they're normal and harmless.
alert udp $EXTERNAL_NET 53 -> $HOME_NET any
(msg:"DNS SPOOF query response with TTL of 1 min. and no authority";
content:"|81 80 00 01 00 01 00 00 00 00|";
content:"|c0 0c 00 01 00 01 00 00 00 3c 00 04|";
classtype:bad-unknown; sid:254; rev:3;)
This rule was written to detect intruders responding to a victim's DNS query before the legitimate DNS server does. Whether this is worthwhile is debatable, especially since the rule uses the DNS TTL of exactly one minute. An intruder who uses 59 or 61 seconds evades this rule.
Here is Ethereal's look for one of the DNS responses which triggered this Snort rule. I queried for www.orbitz.com, and the DNS record it returned had a TTL of 1 minute and no authority records. Because the DNS TTL is so low, www.orbitz.com might be using a DNS optimization scheme like that mentioned in NWC.
Finally, keep those responses in mind when looking at the DNS info for a smaller company like Sourcefire that doesn't need to play DNS tricks:
This mini-case study shows how keeping current on Internet infrastructure products helps NSM analysts understand their alerts.