Tugger the SLUGger! SLUG Mailing List Archives

Re: [SLUG] bind attacks


On Wed, Jun 25, 2008 at 10:23:36AM -0500, Tony Sceats wrote:
> without knowing what your bind server is doing and what the name they are
> looking for it's hard to say..

Sorry, my presumption was that this was a norm of some sort.

I have a DNS server that hosts a public/internet-facing domain. Only LAN
clients can make recursive requests.


> 
> eg, is it set up to allow normal DNS queries to only a certain range of
> client IPs? or is it a private DNS server that's authoritative for an
> internal domain that you don't want people external to query?
> 
> This could be as simple as someone's laptop set to use your DNS server and
> they go home and are suddenly coming from an external IP but still using
> your DNS server, so any normal DNS queries are being sent to you first (eg,
> www.google.com)
Nope - well, not set by me at least.

> 
> The log itself looks like it's just after an ordinary A record..
> 
> If you're sure it's an attack it could be someone trying to find names in your
> zone by trying a whole bunch of names a'la brute force, but that's pretty

But they are not requesting anything in my domain?

> unlikely imho.. by doing that they might be interested in finding internal
> IP ranges so they can play NAT tricks for firewall rule enumeration or
> perhaps finding the IP of certain functional servers, eg names that indicate
> what kind of network service an IP may be providing - eg, samba.example.com or
> printserver.example.com - something that gives them a new attack vector..
> You could also be participating in a DDoS - because DNS is UDP, forged
> source IPs can be used to start sending DNS replies from a whole bunch of
> DNS servers to a target IP, thus using all the target's bandwidth

Just in case, I drop their addresses at the firewall now :) (only 2,
somewhere in China)

> 
> On Wed, Jun 25, 2008 at 3:28 AM, Alex Samad <alex@xxxxxxxxxxxx> wrote:
> 
> > Hi
> >
> > I have been seeing these in my logs
> >
> > Jun 25 15:19:45 hufpuf named[3574]: client 59.151.50.248#64821: query (cache) './A/IN' denied
> > Jun 25 15:19:48 hufpuf named[3574]: client 59.151.50.247#63595: query (cache) './A/IN' denied
> > Jun 25 15:20:25 hufpuf named[3574]: client 59.151.50.248#10848: query (cache) './A/IN' denied
> > Jun 25 15:20:28 hufpuf named[3574]: client 59.151.50.247#9753: query (cache) './A/IN' denied
> >
> >
> > I can understand 1 / day or maybe / hour, but I have a couple of pages
> > full inside an hour.
> >
> > Can somebody shed some light on what they think they can gain?
> >
> >
> >
> >
> >
> > --
> > SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
> > Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
> >

-- 
"See, the irony is that what they need to do is get Syria to get Hezbollah to stop doing this shit, and it's over."

	- George W. Bush
06/16/2006
St. Petersburg, Russia
to Tony Blair at the G8 summit
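The "query (cache) ... denied" lines in Alex's post are BIND refusing recursion to a client that is outside allow-recursion / allow-query-cache, so the server is already doing the right thing; the open question is whether the volume from a given address justifies a firewall rule. As an added example (not code from either poster, and not part of the original thread), here is a small Python parser that pulls those refusals out of named's log, counts them per client address and queried name, and flags addresses that exceed a threshold inside a sliding time window. The sample input is the four lines from the post (unwrapped) plus a few constructed extras; the year (syslog omits it), the threshold of 3 and the one-hour window are assumptions to tune for your own server.

```python
"""Count BIND 'query (cache) ... denied' lines per client and flag noisy sources.

Added example for this thread; it is not code from either poster. The
year (syslog omits it), the threshold and the time window are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# BIND writes this line when a client outside allow-recursion / allow-query-cache
# asks the resolver (cache) for a name: the request is refused, not answered.
DENIED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ named\[\d+\]: "
    r"client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): "
    r"query \(cache\) '(?P<qname>[^/']*)/(?P<qtype>[^/']+)/(?P<qclass>[^']+)' denied$"
)

# Sample input: the four lines from Alex's post (unwrapped) plus constructed extras.
SAMPLE_LOG = [
    "Jun 25 15:19:45 hufpuf named[3574]: client 59.151.50.248#64821: query (cache) './A/IN' denied",
    "Jun 25 15:19:48 hufpuf named[3574]: client 59.151.50.247#63595: query (cache) './A/IN' denied",
    "Jun 25 15:20:25 hufpuf named[3574]: client 59.151.50.248#10848: query (cache) './A/IN' denied",
    "Jun 25 15:20:28 hufpuf named[3574]: client 59.151.50.247#9753: query (cache) './A/IN' denied",
    # constructed: two more refusals from the same pair of addresses
    "Jun 25 15:21:02 hufpuf named[3574]: client 59.151.50.248#22011: query (cache) './A/IN' denied",
    "Jun 25 15:21:05 hufpuf named[3574]: client 59.151.50.247#41877: query (cache) './A/IN' denied",
    # constructed: a single stray refusal (the laptop-that-went-home case Tony mentions)
    "Jun 25 16:40:00 hufpuf named[3574]: client 203.0.113.7#5353: query (cache) 'www.example.com/A/IN' denied",
    # constructed: an ordinary permitted query-log line, which must not match
    "Jun 25 16:41:00 hufpuf named[3574]: client 192.168.1.10#5353: query: www.example.com IN A + (192.168.1.1)",
]


def parse_denied(lines, year=2008):
    """Return (timestamp, client_ip, qname, qtype) for every refused cache query."""
    events = []
    for line in lines:
        m = DENIED_RE.match(line.strip())
        if not m:
            continue
        # syslog timestamps carry no year; the caller supplies one (assumed 2008 here)
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        events.append((ts, m["ip"], m["qname"], m["qtype"]))
    return events


def summarize(events):
    """Count refusals per (client, name, type) so the pattern is visible at a glance."""
    counts = defaultdict(int)
    for _, ip, qname, qtype in events:
        counts[(ip, qname, qtype)] += 1
    return dict(counts)


def noisy_clients(events, threshold=3, window_seconds=3600):
    """Flag clients with at least `threshold` refusals inside any sliding window.

    Returns {ip: peak_count_in_window}. One refusal a day is noise; pages of
    them inside an hour from the same address is what merits a firewall rule.
    """
    stamps_by_ip = defaultdict(list)
    for ts, ip, _, _ in events:
        stamps_by_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end in range(len(stamps)):
            # advance the window start until it is within window_seconds of stamps[end]
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    evts = parse_denied(SAMPLE_LOG)
    for key, n in sorted(summarize(evts).items()):
        print(f"{key[0]:<16} {key[1]!r:<20} {key[2]:<5} {n}")
    print("flag:", noisy_clients(evts))
```

Feed it `grep denied /var/log/daemon.log` (or wherever named logs on your box) instead of SAMPLE_LOG and the summary shows at once whether the refusals are one address hammering the root name, as in the post, or a scatter of single requests from many addresses, which looks more like misconfigured clients than anything worth blocking.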