Without knowing what your bind server is doing and what name they are
looking for, it's hard to say..

eg, is it set up to allow normal DNS queries to only a certain range of
client IPs? or is it a private DNS server that's authoritative for an
internal domain that you don't want people external to query?

This could be as simple as someone's laptop set to use your DNS server and
they go home and are suddenly coming from an external IP but still using
your DNS server, so any normal DNS queries are being sent to you first (eg,
www.google.com)

The log itself looks like it's just after an ordinary A record..

If you're sure it's an attack it could be someone trying to find names in your
zone by trying a whole bunch of names à la brute force, but that's pretty
unlikely imho.. by doing that they might be interested in finding internal
IP ranges so they can play NAT tricks for firewall rule enumeration or
perhaps finding the IP of certain functional servers, eg names that indicate
what kind of network service an IP may be providing - eg, samba.example.com or
printserver.example.com - something that gives them a new attack vector..
You could also be participating in a DDoS - because DNS is UDP, forged
source IPs can be used to start sending DNS replies from a whole bunch of
DNS servers to a target IP, thus using all the target's bandwidth

On Wed, Jun 25, 2008 at 3:28 AM, Alex Samad <[EMAIL PROTECTED]> wrote:

> Hi
>
> I have been seeing these in my logs
>
> Jun 25 15:19:45 hufpuf named[3574]: client 59.151.50.248#64821: query
> (cache) './A/IN' denied
> Jun 25 15:19:48 hufpuf named[3574]: client 59.151.50.247#63595: query
> (cache) './A/IN' denied
> Jun 25 15:20:25 hufpuf named[3574]: client 59.151.50.248#10848: query
> (cache) './A/IN' denied
> Jun 25 15:20:28 hufpuf named[3574]: client 59.151.50.247#9753: query
> (cache) './A/IN' denied
>
>
> I can understand 1 / day or maybe / hour, but I have a couple of pages
> full inside an hour.
>
> can somebody shed some light on what they think they can gain ?
>
>
> --
> SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
> Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
>
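As an added example (not part of the thread), a small Python parser for BIND "query denied" lines like the ones quoted above: it counts denials per client over a sliding window and tallies which names are being asked, which helps tell one misconfigured client resolving ordinary names from bulk probing of names in your zone. The sample log and the year are constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample input in the format of the quoted BIND lines; last line invented.
SAMPLE_LOG = """\
Jun 25 15:19:45 hufpuf named[3574]: client 59.151.50.248#64821: query (cache) './A/IN' denied
Jun 25 15:19:48 hufpuf named[3574]: client 59.151.50.247#63595: query (cache) './A/IN' denied
Jun 25 15:20:25 hufpuf named[3574]: client 59.151.50.248#10848: query (cache) './A/IN' denied
Jun 25 15:20:28 hufpuf named[3574]: client 59.151.50.247#9753: query (cache) './A/IN' denied
Jun 25 16:40:01 hufpuf named[3574]: client 192.0.2.10#5353: query (cache) 'www.google.com/A/IN' denied
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ named\[\d+\]: "
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"query \(\w+\) '(?P<qname>[^/']+)/(?P<qtype>\w+)/\w+' denied$"
)

def parse_denied(text, year=2008):
    # syslog timestamps carry no year, so the caller supplies one (assumption)
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["qname"], m["qtype"]))
    return events

def noisy_clients(events, window_seconds=3600, threshold=2):
    # Flag IPs with at least `threshold` denials in any sliding window; {ip: peak}
    by_ip = defaultdict(list)
    for ts, ip, _, _ in events:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

def qname_summary(events):
    # Few ordinary names point at a stray client; many names in your zone at enumeration
    return Counter((qname, qtype) for _, _, qname, qtype in events)
```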