Dear Sir,

For checking the source port randomness of your DNS, please refer to the
website tool below.
https://www.dns-oarc.net/oarc/services/dnsentropy


Regards
Manager(Internet-Systems)
MTNL Delhi
 



-----Original Message-----
From: bind-users [mailto:[email protected]] On Behalf Of
[email protected]
Sent: Wednesday, July 27, 2016 7:28 PM
To: [email protected]
Subject: bind-users Digest, Vol 2448, Issue 2

Send bind-users mailing list submissions to
        [email protected]

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.isc.org/mailman/listinfo/bind-users
or, via email, send a message with subject or body 'help' to
        [email protected]

You can reach the person managing the list at
        [email protected]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of bind-users digest..."


Today's Topics:

   1. RE: outgoing-traffic (Abdul Khader)
   2. RE: outgoing-traffic (Abdul Khader)
   3. Re: outgoing-traffic (S Carr)
   4. RE: outgoing-traffic (Ejaz)
   5. RE: outgoing-traffic (Tony Finch)
   6. RE: outgoing-traffic (Ejaz)
   7. Re: outgoing-traffic (S Carr)

----------------------------------------------------------------------

Message: 1
Date: Wed, 27 Jul 2016 16:04:20 +0400
From: Abdul Khader <[email protected]>
To: Ejaz <[email protected]>, 'S Carr' <[email protected]>
Cc: [email protected]
Subject: RE: outgoing-traffic
Message-ID: <[email protected]>
Content-Type: text/plain; charset=utf-8

You can use tcpdump on your DNS server to take the trace.

The command would be like below.

tcpdump -i any port 53 -w trace.pcap

You can share trace.pcap with us.

Regards
Abdul Khader

Ejaz <[email protected]> wrote:

>
>Thank you.
>
>The traffic will go to the router, which is handled by the Network dept. The
>fear is that the router may crash if we start enabling the packet capture,
>since it is layer 7.
>
>Is it advisable if we deny outbound UDP port 0 from the DNS servers after
>enabling the firewall?
>
>
>Ejaz 
>
>-----Original Message-----
>From: S Carr [mailto:[email protected]] 
>Sent: Wednesday, July 27, 2016 10:51 AM
>To: Ejaz <[email protected]>
>Cc: bind-users <[email protected]>
>Subject: Re: outgoing-traffic
>
>On 27 July 2016 at 08:41, Ejaz <[email protected]> wrote:
>> Thanks for all.
>>
>> But the strange thing is that if the request comes in on port 53 then it
>> should go out only from 53, is it? Why does it go out from 0? Any clue would
>> be highly appreciated.
>>
>> Regards
>> Ejaz
>
>Where's the packet capture to review?
>

------------------------------

Message: 2
Date: Wed, 27 Jul 2016 16:51:02 +0400
From: Abdul Khader <[email protected]>
To: Ejaz <[email protected]>, 'S Carr' <[email protected]>
Cc: [email protected]
Subject: RE: outgoing-traffic
Message-ID: <[email protected]>
Content-Type: text/plain; charset=utf-8

Did not find any attachment.

Ejaz <[email protected]> wrote:

>Thank you so much Abdul for your instant support.
>
>As requested, find the attached.
>
>
>Ejaz 

------------------------------

Message: 3
Date: Wed, 27 Jul 2016 14:19:10 +0100
From: S Carr <[email protected]>
To: Ejaz <[email protected]>
Cc: bind-users <[email protected]>
Subject: Re: outgoing-traffic
Message-ID:
        <calmep05kznfmwhu+sxlqzw_i1tw3v3tnshnau1my38ttoxg...@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8

On 27 July 2016 at 13:33, Ejaz <[email protected]> wrote:
> Thank you so much Abdul for your instant support.
>
> As requested, find the attached.

So the 3 IPs (212.118.122.99-101) are continuously sending ANY
requests for cpsc.gov.

No responses I can see are going from port 0; they are coming in on 53
and BIND is responding on a random high port.

The subnet 212.118.122.0/24 appears to be mapped to your company's DNS
for reverse lookups and .99 shows that it is supposedly the system
mail.electro.com.sa (though the forward lookup does not map to the
same as the reverse).

It also looks like you are providing a recursive DNS service for these
IP addresses, in frame 118047 you respond to the client with an
NXDOMAIN response as the query they asked has a random "\r" on it. Are
you meant to be providing recursive DNS for these clients? The random
"\r" looks to me like something has been scripted (albeit poorly) to
run against your systems.

As this is probably one of your customers have you tried contacting
them to find out why their systems are sending all of these requests?
It could be simple misconfiguration or they could have been affected
by some malware that's generating DNS noise/attacks.

You could look at putting iptables on your Linux box to provide
another layer of filtering and block the requests locally, or ask your
network team to block those IPs, then wait for the customer to shout.


------------------------------

Message: 4
Date: Wed, 27 Jul 2016 16:44:52 +0300
From: "Ejaz" <[email protected]>
To: "'S Carr'" <[email protected]>
Cc: "'bind-users'" <[email protected]>
Subject: RE: outgoing-traffic
Message-ID: <[email protected]>
Content-Type: text/plain;       charset="utf-8"

Really, I appreciate you sparing such a long time to trace out the problem and
sending such a detailed email.

Is there any other security measure at the DNS level to control such attacks,
instead of blocking the IP either from my Linux machine or from my network
side?

Such as, if someone is sending an ANY request, by default it should be denied
when users request it.


Ejaz 


------------------------------

Message: 5
Date: Wed, 27 Jul 2016 14:49:09 +0100
From: Tony Finch <[email protected]>
To: Ejaz <[email protected]>
Cc: 'S Carr' <[email protected]>, 'bind-users'
        <[email protected]>
Subject: RE: outgoing-traffic
Message-ID: <[email protected]>
Content-Type: TEXT/PLAIN; charset=US-ASCII

Ejaz <[email protected]> wrote:
>
> Such as, if someone is sending an ANY request, by default it should be
> denied when users request it.

BIND 9.11 will have a minimal-any option.

https://tools.ietf.org/html/draft-ietf-dnsop-refuse-any

https://lists.isc.org/pipermail/bind-users/2016-July/097226.html

Tony.
-- 
f.anthony.n.finch  <[email protected]>  http://dotat.at/  -  I xn--zr8h punycode
Southeast Thames, Dover, Wight, Portland, Plymouth, North Biscay: Westerly or
southwesterly 5 or 6. Moderate. Occasional drizzle. Moderate or poor,
occasionally good.


------------------------------

Message: 6
Date: Wed, 27 Jul 2016 16:55:41 +0300
From: "Ejaz" <[email protected]>
To: "'Tony Finch'" <[email protected]>
Cc: "'S Carr'" <[email protected]>,      "'bind-users'"
        <[email protected]>
Subject: RE: outgoing-traffic
Message-ID: <[email protected]>
Content-Type: text/plain; charset="us-ascii"

Hello,

You mean I need to downgrade my BIND to 9.11, as my current version is "BIND
9.9.2-P1"?

Ejaz

------------------------------

Message: 7
Date: Wed, 27 Jul 2016 14:57:34 +0100
From: S Carr <[email protected]>
To: Ejaz <[email protected]>
Cc: bind-users <[email protected]>
Subject: Re: outgoing-traffic
Message-ID:
        <calmep04fbzzugz-fsy+ubgt+mosvzf0gzy_m8iu4fwwf_4t...@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8

On 27 July 2016 at 14:44, Ejaz <[email protected]> wrote:
> Such as, if someone is sending an ANY request, by default it should be
> denied when users request it.

Denying the request isn't going to solve anything in this case, they
are still going to repeatedly ask for it and the traffic has already
hit your system before ANY queries would be denied.

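The packet triage S Carr walks through in message 3 and the minimal-ANY answer Tony Finch points at in message 5, as an added example that is not part of the original thread and is not BIND's own code. It parses DNS wire format by hand, so it runs offline on packets constructed inline: the client addresses and the query name are the ones quoted in the thread, while the server and upstream addresses (192.0.2.53 and 192.0.2.10), the ports, the transaction IDs and the HINFO text are assumptions. Responses to clients leave from port 53; the resolver's own upstream queries are the ones whose source ports the DNS-OARC entropy test mentioned at the top of the page measures. The synthesized HINFO follows the draft Tony cites (published later as RFC 8482), and, as S Carr notes in message 7, it shrinks the reply but does not stop the queries from arriving.

```python
"""Hand-rolled triage of DNS traffic like that discussed in the thread.

Added example; not from the original thread or from ISC/BIND. Everything
except the client addresses and the query name is constructed.
"""
import struct
from collections import Counter

SERVER_IP = "192.0.2.53"    # assumed address of the BIND box (documentation range)
UPSTREAM_IP = "192.0.2.10"  # assumed upstream server the resolver queries
QTYPE_ANY, QTYPE_HINFO = 255, 13


def encode_name(name):
    """Encode a dotted name as DNS labels (labels may carry any byte, e.g. '\\r')."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("latin-1") for l in labels) + b"\x00"


def decode_name(data, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    for _ in range(128):                      # bounded walk: no compression loops
        length = data[offset]
        if length & 0xC0 == 0xC0:             # compression pointer
            end = end if end is not None else offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), (end if end is not None else offset)
        labels.append(data[offset:offset + length].decode("latin-1"))
        offset += length
    raise ValueError("malformed name")


def build_query(name, qtype, txid, response=False, rcode=0):
    """Build a one-question message; response=True flips QR and sets RCODE."""
    flags = (0x8180 | rcode) if response else 0x0100
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_dns(payload):
    """Parse header and first question; question_end is the offset past it."""
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    qname, off = decode_name(payload, 12)
    qtype, _qclass = struct.unpack("!HH", payload[off:off + 4])
    return {"id": txid, "response": bool(flags & 0x8000), "rcode": flags & 0xF,
            "qname": qname, "qtype": qtype, "question_end": off + 4}


def triage(packets, server_ip=SERVER_IP):
    """packets: (src_ip, src_port, dst_ip, dst_port, udp_payload) tuples."""
    any_by_source, port_zero, odd_names = Counter(), [], []
    response_ports, resolver_ports = set(), set()
    for src, sport, dst, dport, payload in packets:
        if 0 in (sport, dport):               # the "port 0" the thread worried about
            port_zero.append((src, sport, dst, dport))
        msg = parse_dns(payload)
        if msg["response"] and src == server_ip:
            response_ports.add(sport)         # answers should all leave from 53
        elif not msg["response"] and dst == server_ip and msg["qtype"] == QTYPE_ANY:
            any_by_source[src] += 1           # inbound ANY queries per client
        elif not msg["response"] and src == server_ip:
            resolver_ports.add(sport)         # BIND's own upstream queries: random ports
        if not msg["response"] and any(c in msg["qname"] for c in "\r\n\t "):
            odd_names.append((src, repr(msg["qname"])))   # badly scripted clients
    return {"any_by_source": dict(any_by_source), "port_zero": port_zero,
            "responses_all_from_53": response_ports <= {53},
            "resolver_source_ports": sorted(resolver_ports), "odd_qnames": odd_names}


def minimal_any_response(query):
    """Answer an ANY query with one synthesized HINFO RR, per draft-ietf-dnsop-refuse-any
    (later RFC 8482, whose HINFO CPU string is "RFC8482"; the text here is an assumption)."""
    msg = parse_dns(query)
    if msg["qtype"] != QTYPE_ANY:
        raise ValueError("not an ANY query")
    rdata = b"\x07RFC8482" + b"\x00"          # HINFO: CPU="RFC8482", OS=""
    answer = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_HINFO, 1, 3600, len(rdata)) + rdata
    header = struct.pack("!HHHHHH", msg["id"], 0x8180, 1, 1, 0, 0)
    return header + query[12:msg["question_end"]] + answer


def first_answer_type(response):
    """Return the RR type of the first answer record."""
    off = parse_dns(response)["question_end"]
    _name, off = decode_name(response, off)
    return struct.unpack("!H", response[off:off + 2])[0]


# Constructed sample: three clients hammering ANY cpsc.gov, one query with a stray
# carriage return, the server's NXDOMAIN for it from port 53, two upstream queries.
SAMPLE_PACKETS = [
    ("212.118.122.99", 51034, SERVER_IP, 53, build_query("cpsc.gov", QTYPE_ANY, 0x1001)),
    ("212.118.122.100", 51035, SERVER_IP, 53, build_query("cpsc.gov", QTYPE_ANY, 0x1002)),
    ("212.118.122.101", 51036, SERVER_IP, 53, build_query("cpsc.gov", QTYPE_ANY, 0x1003)),
    ("212.118.122.99", 51037, SERVER_IP, 53, build_query("cpsc.gov", QTYPE_ANY, 0x1004)),
    ("212.118.122.99", 51038, SERVER_IP, 53, build_query("cpsc.gov\r", QTYPE_ANY, 0x1005)),
    (SERVER_IP, 53, "212.118.122.99", 51038,
     build_query("cpsc.gov\r", QTYPE_ANY, 0x1005, response=True, rcode=3)),
    (SERVER_IP, 40211, UPSTREAM_IP, 53, build_query("cpsc.gov", QTYPE_ANY, 0x2001)),
    (SERVER_IP, 58730, UPSTREAM_IP, 53, build_query("cpsc.gov", QTYPE_ANY, 0x2002)),
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PACKETS).items():
        print(f"{key}: {value}")
    reply = minimal_any_response(SAMPLE_PACKETS[0][4])
    print("minimal ANY reply:", len(reply), "bytes, first answer type", first_answer_type(reply))
```

Run it directly to print the per-source ANY counts and the port checks on the constructed sample; to run the same triage on the real trace.pcap, feed `triage()` tuples of source/destination address and port plus the UDP payload extracted from each frame.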

------------------------------

Subject: Digest Footer

_______________________________________________
bind-users mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/bind-users

------------------------------

End of bind-users Digest, Vol 2448, Issue 2
*******************************************
