Hi,
I am able to query one of the PTR records available in my company BIND caching
DNS server from the internet (ANY IP address) successfully. As per your statement,
if I am denying the response, how could I get a response successfully?
Regards
Babu
________________________________
From: Mark Andrews <ma...@isc.org>
To: babu dheen <babudh...@yahoo.co.in>
Cc: "bind-users@lists.isc.org" <bind-us...@isc.org>
Sent: Monday, 25 March 2013 12:33 AM
Subject: Re: Suspecious DNS traffic
In message <1364140396.42023.yahoomail...@web190806.mail.sg3.yahoo.com>, babu dheen writes:
>
> Dear,
>
> We have a caching DNS server, and only certain PTR records (reverse entry
> verification purpose) are allowed from the internet. But I am observing
> suspicious DNS traffic from my BIND caching DNS server towards the
> 67.215.80.15, 67.215.80.13, 207.192.69.4, 67.227.239.85 IP addresses on
> destination ports 1033, 1090, 1743, etc. Since we haven't allowed non-standard
> ports from our DNS server to public DNS servers, it's dropped in the
> firewall.
>
> Any idea as to why our company DNS server is contacting external IPs on
> non-standard ports?
It's contacting it on port 53. You are allowing the query out but
denying the response.
> Below are the logs taken from the DNS server for one of the destination IP
> addresses.
> ############################################################################
>
>
> client 67.215.80.15#58230: view localhost_resolver: query (cache)
> '109.232.12.217.in-addr.arpa/PTR/IN' denied
> client 67.215.80.15#18395: view localhost_resolver: query (cache)
> '86.232.12.217.in-addr.arpa/PTR/IN' denied
> client 67.215.80.15#34068: view localhost_resolver: query (cache)
> '114.232.12.217.in-addr.arpa/PTR/IN' denied
> client 67.227.239.85#20915: view localhost_resolver: query (cache)
> '150.232.12.217.in-addr.arpa/PTR/IN' denied
> client 67.227.239.85#64724: view localhost_resolver: query (cache)
> '232.12.217.in-addr.arpa/NS/IN' denied
> client 67.227.239.85#16374: view localhost_resolver: query (cache)
> '150.232.12.217.in-addr.arpa/PTR/IN' denied
> client 67.227.239.85#30391: view localhost_resolver: query (cache)
> '232.12.217.in-addr.arpa/NS/IN' denied
> client 67.227.239.85#17745: view localhost_resolver: query (cache)
> '150.232.12.217.in-addr.arpa/PTR/IN' denied
> client 67.227.239.85#36163: view localhost_resolver: query (cache)
> '232.12.217.in-addr.arpa/NS/IN' denied
> client 67.227.239.85#6391: view localhost_resolver: query (cache)
> '232.12.217.in-addr.arpa/NS/IN' denied
> client 67.227.239.85#37586: view localhost_resolver: query (cache)
> '150.232.12.217.in-addr.arpa/PTR/IN' denied
> client 67.227.239.85#55208: view localhost_resolver: query (cache)
> '232.12.217.in-addr.arpa/NS/IN' denied
> client 67.227.239.85#40076: view localhost_resolver: query (cache)
> '232.12.217.in-addr.arpa/NS/IN' denied
>
> Below are the firewall logs:
> #########################
> action=Deny sent=0 rcvd=112 src=our_company_DNS_server_ip
> dst=67.215.80.15 src_port=53 dst_port=16529
> action=Permit sent=0 rcvd=0 src=67.215.80.15
> dst=our_company_DNS_server_ip src_port=52370 dst_port=53
>
>
> Regards
> Babu
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
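
One way to line up the two logs quoted in this thread, as an added example that is not part of the original messages: it counts BIND's "query (cache) ... denied" lines per client and labels each firewall record by which end holds port 53, then lists peers that appear in both. The sample input is constructed from the quoted log lines (unwrapped onto single lines), and the function names are hypothetical.

```python
import re
from collections import Counter

# Sample input constructed from the log lines quoted in the thread (unwrapped).
BIND_LOG = """\
client 67.215.80.15#58230: view localhost_resolver: query (cache) '109.232.12.217.in-addr.arpa/PTR/IN' denied
client 67.227.239.85#64724: view localhost_resolver: query (cache) '232.12.217.in-addr.arpa/NS/IN' denied
client 67.227.239.85#16374: view localhost_resolver: query (cache) '150.232.12.217.in-addr.arpa/PTR/IN' denied
"""
FW_LOG = """\
action=Deny sent=0 rcvd=112 src=our_company_DNS_server_ip dst=67.215.80.15 src_port=53 dst_port=16529
action=Permit sent=0 rcvd=0 src=67.215.80.15 dst=our_company_DNS_server_ip src_port=52370 dst_port=53
"""
SERVER = "our_company_DNS_server_ip"  # placeholder, as written in the thread

DENIED = re.compile(
    r"client (\S+?)#\d+: view \S+: query \(cache\) '[^']+/(\w+)/IN' denied")

def denied_by_client(bind_log):
    """Count BIND 'query (cache) ... denied' lines per (client IP, qtype)."""
    return Counter(m.groups() for m in DENIED.finditer(bind_log))

def classify_firewall(fw_log, server=SERVER):
    """Return (action, kind, peer) per record, keyed on which end uses port 53."""
    rows = []
    for line in fw_log.splitlines():
        f = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        if not {"action", "src", "dst", "src_port", "dst_port"} <= f.keys():
            continue  # skip lines that are not key=value firewall records
        if f["src"] == server and f["src_port"] == "53":
            kind, peer = "from_server_port_53", f["dst"]  # server's port 53 is the source
        elif f["dst"] == server and f["dst_port"] == "53":
            kind, peer = "to_server_port_53", f["src"]    # inbound query to the server
        elif f["src"] == server and f["dst_port"] == "53":
            kind, peer = "server_to_remote_53", f["dst"]  # server querying a remote server
        else:
            kind, peer = "other", f["dst"] if f["src"] == server else f["src"]
        rows.append((f["action"], kind, peer))
    return rows

def refused_and_blocked(bind_log, fw_log):
    """Peers that BIND refused AND whose packets from server port 53 were denied."""
    refused = {ip for ip, _ in denied_by_client(bind_log)}
    blocked = {p for a, k, p in classify_firewall(fw_log)
               if a == "Deny" and k == "from_server_port_53"}
    return refused & blocked
```

On the sample, `refused_and_blocked(BIND_LOG, FW_LOG)` returns the one peer present in both logs, 67.215.80.15.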