On Wed, Jun 25, 2008 at 10:23:36AM -0500, Tony Sceats wrote:
> Without knowing what your BIND server is doing and what the name they are
> looking for is, it's hard to say..

Sorry, my presumption was that this was a norm of some sort. I have a DNS
server that hosts a public/internet-facing domain. Only LAN clients can make
recursive requests.

> eg, is it set up to allow normal DNS queries to only a certain range of
> client IPs? Or is it a private DNS server that's authoritative for an
> internal domain that you don't want people external to query?
>
> This could be as simple as someone's laptop set to use your DNS server and
> they go home and are suddenly coming from an external IP but still using
> your DNS server, so any normal DNS queries are being sent to you first (eg,
> www.google.com)

Nope - well, not set by me at least.

> The log itself looks like it's just after an ordinary A record..
>
> If you're sure it's an attack it could be someone trying to find names in your
> zone by trying a whole bunch of names à la brute force, but that's pretty

But they are not requesting anything in my domain?

> unlikely imho.. By doing that they might be interested in finding internal
> IP ranges so they can play NAT tricks for firewall rule enumeration, or
> perhaps finding the IP of certain functional servers, eg names that indicate
> what kind of network service an IP may be providing - eg, samba.example.com or
> printserver.example.com - something that gives them a new attack vector..
>
> You could also be participating in a DDoS - because DNS is UDP, forged
> source IPs can be used to start sending DNS replies from a whole bunch of
> DNS servers to a target IP, thus using all the target's bandwidth

Just in case, I've dropped their addresses at the firewall now :) (only 2,
somewhere in China)

> On Wed, Jun 25, 2008 at 3:28 AM, Alex Samad <[EMAIL PROTECTED]> wrote:
> >
> > Hi
> >
> > I have been seeing these in my logs
> >
> > Jun 25 15:19:45 hufpuf named[3574]: client 59.151.50.248#64821: query (cache) './A/IN' denied
> > Jun 25 15:19:48 hufpuf named[3574]: client 59.151.50.247#63595: query (cache) './A/IN' denied
> > Jun 25 15:20:25 hufpuf named[3574]: client 59.151.50.248#10848: query (cache) './A/IN' denied
> > Jun 25 15:20:28 hufpuf named[3574]: client 59.151.50.247#9753: query (cache) './A/IN' denied
> >
> > I can understand 1 / day or maybe / hour, but I have a couple of pages
> > full inside an hour.
> >
> > Can somebody shed some light on what they think they can gain?
> >
> > --
> > SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
> > Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html

-- 
"See, the irony is that what they need to do is get Syria to get Hezbollah
to stop doing this shit, and it's over." - George W. Bush 06/16/2006
St. Petersburg, Russia to Tony Blair at the G8 summit
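The log lines Alex quoted are BIND's "query (cache) ... denied" messages: a client outside the allow-recursion range asked the cache for the root zone's A record ('./A/IN'), and BIND refused it. The added example below, which is not part of the thread, parses lines of that format, counts denials per client, records what each client asked for, and flags clients whose denial rate in any one minute reaches a threshold, which is how you would tell the two persistent Chinese addresses apart from a roaming laptop that briefly points at the wrong resolver. The sample log is constructed: the first four lines are copied from Alex's post, while the remaining lines, the 203.0.113.7 client, the port numbers and the threshold of 5 per minute are made up for illustration.

```python
"""Aggregate BIND 'query (cache) ... denied' log lines per client and flag floods.

Added example, not code from the original mailing-list thread.
The regex below matches the syslog-prefixed BIND 9 format seen in the post:
  Mon DD HH:MM:SS host named[pid]: client <ip>#<port>: query (cache) '<name>/<type>/<class>' denied
"""
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ named\[\d+\]: "
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: "
    r"query \(cache\) '(?P<query>[^']+)' denied$"
)

# Constructed sample. The first four lines are the ones quoted in the thread; the rest
# (more 59.151.50.x lines, the 203.0.113.7 client, the 'zone loaded' line) are made up.
SAMPLE_LOG = """\
Jun 25 15:19:45 hufpuf named[3574]: client 59.151.50.248#64821: query (cache) './A/IN' denied
Jun 25 15:19:48 hufpuf named[3574]: client 59.151.50.247#63595: query (cache) './A/IN' denied
Jun 25 15:20:25 hufpuf named[3574]: client 59.151.50.248#10848: query (cache) './A/IN' denied
Jun 25 15:20:28 hufpuf named[3574]: client 59.151.50.247#9753: query (cache) './A/IN' denied
Jun 25 15:21:02 hufpuf named[3574]: client 59.151.50.248#40011: query (cache) './A/IN' denied
Jun 25 15:21:05 hufpuf named[3574]: client 59.151.50.248#40012: query (cache) './A/IN' denied
Jun 25 15:21:09 hufpuf named[3574]: client 59.151.50.248#40013: query (cache) './A/IN' denied
Jun 25 15:21:12 hufpuf named[3574]: client 59.151.50.248#40014: query (cache) './A/IN' denied
Jun 25 15:21:16 hufpuf named[3574]: client 59.151.50.248#40015: query (cache) './A/IN' denied
Jun 25 15:21:20 hufpuf named[3574]: client 59.151.50.247#40016: query (cache) './A/IN' denied
Jun 25 15:21:24 hufpuf named[3574]: client 59.151.50.247#40017: query (cache) './A/IN' denied
Jun 25 15:21:31 hufpuf named[3574]: client 203.0.113.7#51234: query (cache) 'www.example.com/A/IN' denied
Jun 25 15:21:33 hufpuf named[3574]: client 203.0.113.7#51234: query (cache) 'www.example.com/AAAA/IN' denied
Jun 25 15:21:40 hufpuf named[3574]: zone example.org/IN: loaded serial 2008062501
"""


def parse_line(line):
    """Return {ts, ip, name, qtype, qclass} for a denied-query line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    # Split from the right so a name containing '/' would still leave type/class intact.
    name, qtype, qclass = m.group("query").rsplit("/", 2)
    return {"ts": m.group("ts"), "ip": m.group("ip"),
            "name": name, "qtype": qtype, "qclass": qclass}


def summarize(lines):
    """Per-client totals, per-client 'name/type' counts, and each client's busiest minute."""
    totals = Counter()
    names = defaultdict(Counter)
    per_minute = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not a denied query (other BIND chatter, or a line in another format)
        totals[rec["ip"]] += 1
        names[rec["ip"]][f"{rec['name']}/{rec['qtype']}"] += 1
        per_minute[(rec["ip"], rec["ts"][:-3])] += 1  # strip ':SS' -> one bucket per minute
    peak = Counter()
    for (ip, _minute), n in per_minute.items():
        peak[ip] = max(peak[ip], n)
    return {"totals": totals, "names": names, "peak_per_minute": peak}


def flag_floods(summary, per_minute_threshold=5):
    """Clients whose denials in some single minute reached the threshold, busiest first."""
    peak = summary["peak_per_minute"]
    return sorted((ip for ip, n in peak.items() if n >= per_minute_threshold),
                  key=lambda ip: (-peak[ip], ip))


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    for ip, total in summary["totals"].most_common():
        asked = ", ".join(f"{q} x{n}" for q, n in summary["names"][ip].most_common())
        print(f"{ip:16} total={total:3} peak/min={summary['peak_per_minute'][ip]:3}  {asked}")
    print("flood candidates:", flag_floods(summary))
```

Running it on the constructed sample lists 59.151.50.248 as the only flood candidate at the chosen threshold, while 203.0.113.7 (two denials for a normal hostname, the misconfigured-laptop case Tony described) stays below it. The "denied" in these lines means BIND answered REFUSED rather than recursing, so the server was not amplifying anything; the per-minute peak rather than the total is what separates a steady probe from a one-off.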