I was on vacation last week but saw the thread then about these failed queries.
Someone had apparently posted on a Fedora forum that seeing the high level of "query cache denied" was a sign of people trying the exploit, but someone else here said it wasn't a symptom of the exploit. However, on returning to my office I too saw a dramatic increase in the number of these. If they aren't for the exploit, does someone know why they increased?

P.S. I'm already patched for the exploit.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Emery Rudolph
Sent: Wednesday, July 30, 2008 12:59 PM
To: Dawn Connelly
Cc: [email protected]
Subject: Re: DNS Exploit Attempts??

Thanks Dawn,

I must have misunderstood the blackhole directive. I thought it was strictly for blocking nameserver-nameserver queries, as opposed to a client that points directly at you by making you their primary nameservice. If this problem flares up again, I will definitely try the option. :-)

On Wed, Jul 30, 2008 at 12:20 PM, Dawn Connelly <[EMAIL PROTECTED]> wrote:
> Hehehe, that address is coming from Russia so you can pretty much assume
> it's badness.
>
> If you don't want to wait for your firewall team for future events like
> this, you can always blacklist them too.
>
> blackhole { address_match_list };
>
>
> On Wed, Jul 30, 2008 at 8:55 AM, Terpasaur <[EMAIL PROTECTED]> wrote:
>
>> Good morning.
>>
>> I upgraded our last resolver this morning to the new P1 code and
>> turned on "rndc querylog". I am seeing a steady stream of these
>> messages with the same IP at a rate of about 100/min.
>>
>> Jul 30 11:50:39 ns2 named[2780]: [ID 873579 daemon.info] security:
>> info: client 194.85.88.199#22941: query (cache) './ANY/IN' denied
>>
>> Is this an example of the cache exploit attempt?
>>
>> I've already spoken with our INET team about blocking the IP at the
>> firewall a couple of days to see if the automated mechanism stops
>> because of denied access, or if it continues regardless.
>>
>> Thanks,
>>
>> Emery Rudolph
>> Sr. Systems Analyst
>> Office of Information Technology
>> University of Maryland University College
>> Email: [EMAIL PROTECTED]
>>
>>
>>
>
> ----------------------------------
> CONFIDENTIALITY NOTICE: This e-mail may contain privileged or confidential
> information and is for the sole use of the intended recipient(s). If you
> are not the intended recipient, any disclosure, copying, distribution, or
> use of the contents of this information is prohibited and may be unlawful.
> If you have received this electronic transmission in error, please reply
> immediately to the sender that you have received the message in error, and
> delete it. Thank you.
> ----------------------------------
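An added example, not part of the thread above and not BIND's own tooling: it turns querylog lines of the shape Emery quoted into a per-client count and rate of "query (cache) ... denied" messages (in BIND 9 that message means the client failed the allow-query-cache / allow-recursion ACL, so the server already refused to recurse for it), and renders a blackhole stanza of the kind Dawn mentions for any client above a chosen rate. The log lines below are constructed for the example (only the 194.85.88.199 address and the line format come from the thread; the 10.0.0.x addresses, the times, the assumed year 2008 and the 3/min threshold are made up), the Solaris "[ID ... daemon.info]" tag is treated as optional so Linux syslog output parses too, and the script says nothing about whether the traffic is a poisoning attempt; it only counts.

```python
"""Per-client rate of BIND "query (cache) ... denied" querylog lines.

Added example (not from the mailing-list thread or from BIND). Parses
syslog-style named log lines, aggregates denied cache queries per client
address, and proposes a named.conf blackhole statement for noisy clients.
"""
import re
from collections import defaultdict
from datetime import datetime

# Matches the line quoted in the thread. The "[ID nnn facility.level]" tag is
# Solaris syslog decoration and is optional; IPv4 and IPv6 clients both match.
DENIED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ named\[\d+\]: "
    r"(?:\[ID \d+ [\w.]+\] )?security: info: "
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query \(cache\) '(?P<q>[^']*)' denied$"
)

# Constructed sample log: one address from the thread hammering the resolver,
# one local client denied once, and an ordinary (allowed) query line.
SAMPLE_LOG = """\
Jul 30 11:50:39 ns2 named[2780]: [ID 873579 daemon.info] security: info: client 194.85.88.199#22941: query (cache) './ANY/IN' denied
Jul 30 11:50:40 ns2 named[2780]: [ID 873579 daemon.info] queries: info: client 10.0.0.7#53422: query: www.example.edu IN A +
Jul 30 11:50:45 ns2 named[2780]: [ID 873579 daemon.info] security: info: client 194.85.88.199#22941: query (cache) './ANY/IN' denied
Jul 30 11:50:51 ns2 named[2780]: [ID 873579 daemon.info] security: info: client 194.85.88.199#22941: query (cache) './ANY/IN' denied
Jul 30 11:50:57 ns2 named[2780]: [ID 873579 daemon.info] security: info: client 194.85.88.199#22941: query (cache) './ANY/IN' denied
Jul 30 11:51:02 ns2 named[2780]: security: info: client 10.0.0.5#40011: query (cache) 'mail.example.edu/MX/IN' denied
Jul 30 11:51:39 ns2 named[2780]: [ID 873579 daemon.info] security: info: client 194.85.88.199#22941: query (cache) './ANY/IN' denied
"""


def parse_denied(lines, year=2008):
    """Return [(timestamp, client_ip, qname)] for each denied cache query.

    Syslog timestamps carry no year, so one is assumed (2008 here, the year
    of the thread). Lines that are not denied cache queries are skipped.
    """
    events = []
    for line in lines:
        m = DENIED_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["q"]))
    return events


def rate_per_client(events):
    """Return {client_ip: (count, denied_queries_per_minute)}.

    The window is the span between a client's first and last denied query,
    floored at one minute so a single hit is reported as 1/min, not infinity.
    """
    first, last, count = {}, {}, defaultdict(int)
    for ts, ip, _ in events:
        count[ip] += 1
        first[ip] = min(first.get(ip, ts), ts)
        last[ip] = max(last.get(ip, ts), ts)
    rates = {}
    for ip, n in count.items():
        span = max((last[ip] - first[ip]).total_seconds(), 60.0)
        rates[ip] = (n, n * 60.0 / span)
    return rates


def flag_clients(rates, per_minute):
    """Client addresses whose denied-query rate meets the threshold, sorted."""
    return sorted(ip for ip, (_, r) in rates.items() if r >= per_minute)


def blackhole_stanza(ips):
    """Render a named.conf blackhole statement for the flagged clients.

    named does not answer queries from blackholed addresses at all, which is
    the alternative to a firewall rule that the thread discusses.
    """
    body = "".join(f"    {ip};\n" for ip in ips)
    return "blackhole {\n" + body + "};\n"


if __name__ == "__main__":
    events = parse_denied(SAMPLE_LOG.splitlines())
    rates = rate_per_client(events)
    for ip, (n, r) in sorted(rates.items()):
        print(f"{ip:<16} {n:>4} denied  {r:6.1f}/min")
    print(blackhole_stanza(flag_clients(rates, per_minute=3.0)))
```

On a real resolver the threshold would be set well above the background of legitimately denied queries (a few per minute from misconfigured clients is normal; the 100/min from one address that Emery reports is not), and the generated stanza is meant to be reviewed and pasted into named.conf, not applied automatically.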
